Your best friend for file transfer.

Fetch application logoFetch

Fetch with Kerberos (14 posts)

This is an archived topic. The information in it is likely to be out-of-date and no longer applicable to current versions of Fetch.
  • Started 13 years ago by tsmeyer
  • Latest reply 12 years ago from LATBauerdick
  • tsmeyer Member

    I am trying to use fetch 4.0 with MIT Kerberos 3.5fc3. I am able to attach to Kerberized systems with BetterTelnet 2.0fc1. Every time I try to logon to a Kerberized system with fetch 4.0 I get the error "Bad preferences file configuration-1015" Any ideas?

    Posted 13 years ago #

  • Jim Matthews Administrator

    Does any error message appear in the Fetch Transcript window? You may want to post this question, and the contents of your Kerberos Preferences file, to the krbdev@mit.edu mailing list.

    Jim Matthews
    Fetch Softworks

    Posted 13 years ago #

  • nagy Member

    I'm having a similar problem with MIT Kerberos 4.0a18 (I think that's the version):
    Bad preferences file configuration-1015

    Contents of Fetch Transcript window:
    System Version = 0x860
    Connecting to hepnrc.hep.net port 4001 (9/15/2001 4:34:37 PM)
    220 hepnrc FTP server (Version 5.60) ready.
    ADAT
    503 Must identify AUTH type before ADAT
    AUTH KERBEROS_V4
    334 Using authentication type KERBEROS_V4; ADAT must follow

    Posted 12 years ago #

  • Jim Matthews Administrator

    Taking the error message at face value, I wonder whether there's a configuration problem with your Kerberos preferences file. Can you get tickets for other services?

    Jim Matthews
    Fetch Softworks

    Posted 12 years ago #

  • nagy Member

    BetterTelnet connections with Kerberos are working fine.

    I agree that the problem is likely in the Kerberos Preferences but I have no clue as to what is wrong that Fetch has problems with but BetterTelnet does not. I will post my Kerberos Preferences here for comment by anyone once I get home tonight and back on my Macintosh.

    Posted 12 years ago #

  • nagy Member

    As promised, here is my Kerberos Prerferences file for your examination
    and critique:

    [libdefaults]
    default_realm = FNAL.GOV
    ticket_lifetime =1560
    checksum_type = 1
    ccache_type = 2
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    noaddresses = true

    [realms]
    FNAL.GOV = {
    kdc = krb-fnal-1.fnal.gov:88
    kdc = krb-fnal-2.fnal.gov:88
    kdc = krb-fnal-3.fnal.gov:88
    kdc = krb-fnal-4.fnal.gov:88
    kdc = krb-fnal-5.fnal.gov:88
    admin_server = krb-fnal-admin.fnal.gov
    default_domain = fnal.gov
    auth_to_local = RULE:[1:$1@$0](.*@PILOT.FNAL.GOV)s/@.*//
    auth_to_local = DEFAULT
    }
    PILOT.FNAL.GOV = {
    kdc = krb-pilot-1.fnal.gov:88
    kdc = krb-pilot-3.fnal.gov:88
    kdc = krb-pilot-4.fnal.gov:88
    kdc = krb-pilot-5.fnal.gov:88
    admin_server = krb-pilot-admin.fnal.gov
    default_domain = fnal.gov
    auth_to_local = RULE:[1:$1@$0](.*@FNAL.GOV)s/@.*//
    auth_to_local = DEFAULT
    }
    WIN.FNAL.GOV = {
    kdc = newpckits.fnal.gov:88
    admin_server = newpckits.fnal.gov
    default_domain = fnal.gov
    }

    [domain_realm]
    .fnal.gov = FNAL.GOV
    .hep.net = FNAL.GOV
    .minos-soudan.org = FNAL.GOV

    Posted 12 years ago #

  • Jim Matthews Administrator

    I don't see anything in the configuration file about a Kerberos 4 realm, but it looks like you are selecting KClient (a Kerberos 4 API) as the security system to use in Fetch. Does it work if you choose GSS?

    Thanks,

    Jim Matthews
    Fetch Softworks

    Posted 12 years ago #

  • nagy Member

    Our realm is a Kerberos 5 realm. I have not been able to add K4 definitions to the configuration file w/o breaking Kerberos on my Mac - which leads to my being unable to get a ticket.

    I tried choosing GSS. I get an error -30018 now. The final contents of the transcript window are below. Some other messages appeared before this but I was not able to catch them:

    535-GSSAPI error major: Miscellaneous failure
    535-GSSAPI error minor: Wrong principal in request
    535 GSSAPI error: accepting context

    535-GSSAPI error major: Incorrect channel bindings were supplied
    535-GSSAPI error minor: No error
    535 GSSAPI error: accepting context

    Posted 12 years ago #

  • Jim Matthews Administrator

    I'm afraid I'm getting out of my Kerberos depth. I would recommend sending a note to krbdev@mit.edu with the transcript and the preferences file.

    Thanks,

    Jim Matthews
    Fetch Softworks

    Posted 12 years ago #

  • nagy Member

    So my question is...

    Is this really a problem in Fetch? If so, is there a fix available?

    Alternatively, does anyone know how I might modify the configuration of my Linksys router (4-port Cable/DSL modem) to work around this problem?

    [This message has been edited by nagy (edited 10-17-2001).]

    Posted 12 years ago #

  • nagy Member

    Response from MIT Kerberos mailing list:

    >535-GSSAPI error major: Incorrect channel bindings were supplied
    >535-GSSAPI error minor: No error
    >535 GSSAPI error: accepting context
    >
    >Can you give me any clues as to what this means and how I might fix
    >the problem?

    Those errors are usually indicative of trying to use Fetch behind a
    NAT. That configuration is currently not supported by Fetch.

    Any further questions about Fetch really should go through the
    channels at <http://www.fetchsoftworks.com/>

    Thanks,
    Marshall
    --
    Marshall Vale | mjv@mit.edu | Information Systems
    MacDev Control Panel | Massachusetts Institute of Technology
    <http://mit.edu/macdev/www/>

    Is this really a problem in Fetch? If so, is there a fix available?

    Alternatively, does anyone know how I might modify the configuration of my Linksys router (4-port Cable/DSL modem) to work around this problem?

    [This message has been edited by nagy (edited 10-17-2001).][/B][/QUOTE]

    Posted 12 years ago #

  • Jim Matthews Administrator

    That's right, it's something that needs to be fixed in Fetch. I hope to do that for the next release.

    In the meantime the only workaround I can think of is to connect directly to the Internet, not via the Linksys router. But I can understand how that might not be feasible.

    Thanks,

    Jim Matthews
    Fetch Softworks

    Posted 12 years ago #

  • nagy Member

    I'll be looking forward to the next version of Fetch...

    Posted 12 years ago #

  • LATBauerdick Member

    Trying Fetch with Kerberos 4.0a19 on MacOS X.1, I'm getting exactly the same error (-30018) as the previous poster (nagy), but I'm definitely NOT behind a firewall, no NAT etc involved (the "wrong principal" error is also mysterious, nagy had the same thing. BetterTelnet works!).

    Here is my transcript:

    Connecting to xxx.xxx.xxx port 21 (11/1/01 3:15:19 PM)
    220 xxx FTP server (Version 5.60) ready.
    ADAT
    503 Must identify AUTH type before ADAT
    AUTH GSSAPI
    334 Using authentication type GSSAPI; ADAT must follow
    ADAT
    535-GSSAPI error major: Miscellaneous failure
    535-GSSAPI error minor: Wrong principal in request
    535 GSSAPI error: accepting context
    release 2
    service 0ADAT
    535-GSSAPI error major: Incorrect channel bindings were supplied
    535-GSSAPI error minor: No error
    535 GSSAPI error: accepting context
    release 2
    service 1

    Posted 12 years ago #

Topic closed

This topic has been closed.