Fetch with Kerberos (14 posts)
- Started 22 years ago by tsmeyer
- Latest reply 21 years ago from LATBauerdick
-
tsmeyer Member
-
Jim Matthews Administrator
Does any error message appear in the Fetch Transcript window? You may want to post this question, and the contents of your Kerberos Preferences file, to the krbdev@mit.edu mailing list.
Jim Matthews
Fetch Softworks -
nagy Member
I'm having a similar problem with MIT Kerberos 4.0a18 (I think that's the version):
Bad preferences file configuration-1015
Contents of Fetch Transcript window:
System Version = 0x860
Connecting to hepnrc.hep.net port 4001 (9/15/2001 4:34:37 PM)
220 hepnrc FTP server (Version 5.60) ready.
ADAT
503 Must identify AUTH type before ADAT
AUTH KERBEROS_V4
334 Using authentication type KERBEROS_V4; ADAT must follow
-
Jim Matthews Administrator
Taking the error message at face value, I wonder whether there's a configuration problem with your Kerberos preferences file. Can you get tickets for other services?
Jim Matthews
Fetch Softworks -
nagy Member
BetterTelnet connections with Kerberos are working fine.
I agree that the problem is likely in the Kerberos Preferences but I have no clue as to what is wrong that Fetch has problems with but BetterTelnet does not. I will post my Kerberos Preferences here for comment by anyone once I get home tonight and back on my Macintosh.
-
nagy Member
As promised, here is my Kerberos Preferences file for your examination
and critique:
[libdefaults]
default_realm = FNAL.GOV
ticket_lifetime =1560
checksum_type = 1
ccache_type = 2
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
noaddresses = true
[realms]
FNAL.GOV = {
kdc = krb-fnal-1.fnal.gov:88
kdc = krb-fnal-2.fnal.gov:88
kdc = krb-fnal-3.fnal.gov:88
kdc = krb-fnal-4.fnal.gov:88
kdc = krb-fnal-5.fnal.gov:88
admin_server = krb-fnal-admin.fnal.gov
default_domain = fnal.gov
auth_to_local = RULE:[1:$1@$0](.*@PILOT.FNAL.GOV)s/@.*//
auth_to_local = DEFAULT
}
PILOT.FNAL.GOV = {
kdc = krb-pilot-1.fnal.gov:88
kdc = krb-pilot-3.fnal.gov:88
kdc = krb-pilot-4.fnal.gov:88
kdc = krb-pilot-5.fnal.gov:88
admin_server = krb-pilot-admin.fnal.gov
default_domain = fnal.gov
auth_to_local = RULE:[1:$1@$0](.*@FNAL.GOV)s/@.*//
auth_to_local = DEFAULT
}
WIN.FNAL.GOV = {
kdc = newpckits.fnal.gov:88
admin_server = newpckits.fnal.gov
default_domain = fnal.gov
}
[domain_realm]
.fnal.gov = FNAL.GOV
.hep.net = FNAL.GOV
.minos-soudan.org = FNAL.GOV
-
Jim Matthews Administrator
I don't see anything in the configuration file about a Kerberos 4 realm, but it looks like you are selecting KClient (a Kerberos 4 API) as the security system to use in Fetch. Does it work if you choose GSS?
Thanks,
Jim Matthews
Fetch Softworks -
nagy Member
Our realm is a Kerberos 5 realm. I have not been able to add K4 definitions to the configuration file w/o breaking Kerberos on my Mac - which leads to my being unable to get a ticket.
I tried choosing GSS. I get an error -30018 now. The final contents of the transcript window are below. Some other messages appeared before this but I was not able to catch them:
535-GSSAPI error major: Miscellaneous failure
535-GSSAPI error minor: Wrong principal in request
535 GSSAPI error: accepting context
535-GSSAPI error major: Incorrect channel bindings were supplied
535-GSSAPI error minor: No error
535 GSSAPI error: accepting context
-
Jim Matthews Administrator
I'm afraid I'm getting out of my Kerberos depth. I would recommend sending a note to krbdev@mit.edu with the transcript and the preferences file.
Thanks,
Jim Matthews
Fetch Softworks -
nagy Member
So my question is...
Is this really a problem in Fetch? If so, is there a fix available?
Alternatively, does anyone know how I might modify the configuration of my Linksys router (4-port Cable/DSL modem) to work around this problem?
[This message has been edited by nagy (edited 10-17-2001).]
-
nagy Member
Response from MIT Kerberos mailing list:
>535-GSSAPI error major: Incorrect channel bindings were supplied
>535-GSSAPI error minor: No error
>535 GSSAPI error: accepting context
>
>Can you give me any clues as to what this means and how I might fix
>the problem?
Those errors are usually indicative of trying to use Fetch behind a
NAT. That configuration is currently not supported by Fetch.
Any further questions about Fetch really should go through the
channels at <http://www.fetchsoftworks.com/>
Thanks,
Marshall
--
Marshall Vale | mjv@mit.edu | Information Systems
MacDev Control Panel | Massachusetts Institute of Technology
<http://mit.edu/macdev/www/>
-
Jim Matthews Administrator
That's right, it's something that needs to be fixed in Fetch. I hope to do that for the next release.
In the meantime the only workaround I can think of is to connect directly to the Internet, not via the Linksys router. But I can understand how that might not be feasible.
Thanks,
Jim Matthews
Fetch Softworks -
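Why a NAT produces the "Incorrect channel bindings were supplied" reply discussed above, as an added example that is not part of the original thread or Fetch's code: RFC 2228 has the FTP client and server bind the GSSAPI context to the two IP addresses of the control connection, and the Kerberos 5 mechanism compares an MD5 hash of those bindings (RFC 4121, section 4.1.1.2). All addresses and function names below are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

GSS_C_AF_INET = 2  # IPv4 address-type constant from the GSS-API C bindings (RFC 2744)
BAD_BINDINGS = "Incorrect channel bindings were supplied"


def channel_binding_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel-bindings structure; integer fields are little-endian."""
    def address_field(ip):
        raw = socket.inet_aton(ip)
        return struct.pack("<II", GSS_C_AF_INET, len(raw)) + raw

    blob = (address_field(initiator_ip) + address_field(acceptor_ip)
            + struct.pack("<I", len(app_data)) + app_data)
    return hashlib.md5(blob).digest()


def acceptor_verdict(client_hash, peer_ip, local_ip):
    """Server side: rebuild the bindings from the addresses the server sees."""
    expected = channel_binding_hash(peer_ip, local_ip)
    if hmac.compare_digest(client_hash, expected):
        return "context accepted"
    return BAD_BINDINGS


def simulate(client_local_ip, client_ip_seen_by_server, server_ip):
    """Client hashes its own local address; server hashes the connection's source."""
    sent = channel_binding_hash(client_local_ip, server_ip)
    return acceptor_verdict(sent, client_ip_seen_by_server, server_ip)


if __name__ == "__main__":
    server = "198.51.100.20"           # constructed server address
    # Direct connection: both ends agree on the client's address.
    print(simulate("203.0.113.7", "203.0.113.7", server))
    # Behind a NAT router: client binds to its private address, but the
    # server sees the router's public address as the connection source.
    print(simulate("192.168.1.100", "203.0.113.7", server))
```

The mismatch is in what the client binds to, so a client that supplies no channel bindings, or binds to the address the server actually sees, avoids it; which of these a fixed Fetch release uses is not stated in the thread.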
nagy Member
I'll be looking forward to the next version of Fetch...
-
LATBauerdick Member
Trying Fetch with Kerberos 4.0a19 on MacOS X.1, I'm getting exactly the same error (-30018) as the previous poster (nagy), but I'm definitely NOT behind a firewall, no NAT etc involved (the "wrong principal" error is also mysterious, nagy had the same thing. BetterTelnet works!).
Here is my transcript:
Connecting to xxx.xxx.xxx port 21 (11/1/01 3:15:19 PM)
220 xxx FTP server (Version 5.60) ready.
ADAT
503 Must identify AUTH type before ADAT
AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
ADAT
535-GSSAPI error major: Miscellaneous failure
535-GSSAPI error minor: Wrong principal in request
535 GSSAPI error: accepting context
release 2
service 0
ADAT
535-GSSAPI error major: Incorrect channel bindings were supplied
535-GSSAPI error minor: No error
535 GSSAPI error: accepting context
release 2
service 1
Topic closed
I am trying to use Fetch 4.0 with MIT Kerberos 3.5fc3. I am able to attach to Kerberized systems with BetterTelnet 2.0fc1. Every time I try to log on to a Kerberized system with Fetch 4.0 I get the error "Bad preferences file configuration-1015". Any ideas?
Posted 22 years ago #