Your best friend for file transfer.

Fetch application logoFetch

Problems with Kerberos (4 posts)

  • Started 7 years ago by nlessa
  • Latest reply 7 years ago from Scott McGuire
  • nlessa Member

    hi,
    we have an MacOS X Server 10.4.7 running Kerberos authentication. We are trying to evaluate Fetch for our use.(we are using Fetch 5.2)

    When we try to authenticate to our FTP Server using Fetch we get this error (from Fetch transcript)

    ---------------

    334 Send authorization data.
    gss_send_tok_buff = ftp@<my domain>
    ADAT
    535-GSSAPI error major: Incorrect channel bindings were supplied
    535-GSSAPI error minor: No error
    535 GSSAPI error: accepting context [ Incorrect channel bindings were supplied - No error ]
    release 2
    service 0gss_send_tok_buff = host@<mydomain>
    ADAT
    535-GSSAPI error major: Miscellaneous failure
    535-GSSAPI error minor: Wrong principal in request
    535 GSSAPI error: accepting context [ Miscellaneous failure - Wrong principal in request ]
    release 2
    ---------------
    We can use all others kerberized services: email, AFP, ssh, etc, but ftp...

    We use NAT in our enviroment. Is there anything we must configure in Fetch (or in the server) to let Fetch work with Kerberos authentication in our enviroment?

    Thanks.

    Posted 7 years ago #

  • Scott McGuire Administrator

    Hi,

    Kerberized FTP with NATs can be tricky, and sometimes requires making special changes to the server.

    Try the following:

    * In Fetch, open the Preferences.
    * Click on the Security tab.
    * Change the setting of the "Specifcy GSSAPI channel bindings" checkbox. If it's checked, uncheck it; if it's unchecked, check it.
    * Then try connecting again.

    Let us know if that fixes the problem.

    Thanks,

    Scott McGuire
    Fetch Softworks

    Posted 7 years ago #

  • nlessa Member

    Hi Scott,

    Thank you for your quick answer. But unfortunatelly uncheckeking/checking didn't solve it.

    I already got a ticket with the option "WITHOUT IP ADDRESS (NAT MODE)" and didn't work either...

    Thanks,

    Posted 7 years ago #

  • Scott McGuire Administrator

    Hi,

    Sorry to hear that didn't work. You may be able to connect successfully if you turn off the "Enable Encryption" checkbox in the Fetch New Connection dialog, but I realize that may not be an acceptable solution (when that checkbox is unchecked, your password is still encrypted, but the data you transfer is not).

    Otherwise, this is a problem that needs to be addressed on the server end. Unfortunately we aren't familiar with setting up Kerberos on Mac OS X server; I do know that some servers force certain GSSAPI channel bindings and you may need to find a way to turn that off, if possible. It may not be possible on Mac OS X Server.

    So, you may want to contact Apple about this problem and see if there is a solution.

    Another option is posting a question on one of the Kerberos mailing lists; someone may have run into the same problem and may have a solution for you. You can find a list of the Kerberos mailing lists here:

    http://web.mit.edu/kerberos/www/mail-lists.html

    The "main Kerberos list" is probably the best place to start.

    Sorry not to have a better answer for you. If you do find a definite answer, please let us know. Best,

    Scott McGuire
    Fetch Softworks

    Posted 7 years ago #

Reply

  • Or nickname, if you prefer.
  • This will be kept confidential.
  • This is to ensure that you’re a person, not a spambot.