Your best friend for file transfer.Fetch
Problems with Kerberos (4 posts)
- Started 8 years ago by nlessa
- Latest reply 8 years ago from Scott McGuire
we have an MacOS X Server 10.4.7 running Kerberos authentication. We are trying to evaluate Fetch for our use.(we are using Fetch 5.2)
When we try to authenticate to our FTP Server using Fetch we get this error (from Fetch transcript)
334 Send authorization data.
gss_send_tok_buff = ftp@<my domain>
535-GSSAPI error major: Incorrect channel bindings were supplied
535-GSSAPI error minor: No error
535 GSSAPI error: accepting context [ Incorrect channel bindings were supplied - No error ]
service 0gss_send_tok_buff = host@<mydomain>
535-GSSAPI error major: Miscellaneous failure
535-GSSAPI error minor: Wrong principal in request
535 GSSAPI error: accepting context [ Miscellaneous failure - Wrong principal in request ]
We can use all others kerberized services: email, AFP, ssh, etc, but ftp...
We use NAT in our enviroment. Is there anything we must configure in Fetch (or in the server) to let Fetch work with Kerberos authentication in our enviroment?
Scott McGuire Administrator
Kerberized FTP with NATs can be tricky, and sometimes requires making special changes to the server.
Try the following:
* In Fetch, open the Preferences.
* Click on the Security tab.
* Change the setting of the "Specifcy GSSAPI channel bindings" checkbox. If it's checked, uncheck it; if it's unchecked, check it.
* Then try connecting again.
Let us know if that fixes the problem.
Thank you for your quick answer. But unfortunatelly uncheckeking/checking didn't solve it.
I already got a ticket with the option "WITHOUT IP ADDRESS (NAT MODE)" and didn't work either...
Scott McGuire Administrator
Sorry to hear that didn't work. You may be able to connect successfully if you turn off the "Enable Encryption" checkbox in the Fetch New Connection dialog, but I realize that may not be an acceptable solution (when that checkbox is unchecked, your password is still encrypted, but the data you transfer is not).
Otherwise, this is a problem that needs to be addressed on the server end. Unfortunately we aren't familiar with setting up Kerberos on Mac OS X server; I do know that some servers force certain GSSAPI channel bindings and you may need to find a way to turn that off, if possible. It may not be possible on Mac OS X Server.
So, you may want to contact Apple about this problem and see if there is a solution.
Another option is posting a question on one of the Kerberos mailing lists; someone may have run into the same problem and may have a solution for you. You can find a list of the Kerberos mailing lists here:
The "main Kerberos list" is probably the best place to start.
Sorry not to have a better answer for you. If you do find a definite answer, please let us know. Best,
- Page 1