
GSSAPI failure - OSX Server 10.3.9 (3 posts)

  • Started 17 years ago by n9yty
  • Latest reply 17 years ago from n9yty
  • n9yty Member

    Greetings, just trying to get Kerberos 5 up and running on our 10.3 Mac OS X Server. I'm new to Kerberos, so forgive me if this is a stupid setup mistake on my part.

    I can get a ticket on my client, and it works to mount AFP shares. However, when I try to connect via FTP with Fetch I get a failure: "GSSAPI error: Miscellaneous failure Sever not found in the Kerberos database".

    Transcript log:
    Error 12,8 on reverse name lookup
    Connecting to my.fqdn.here port 21 (Mac OS X firewall is off) (2/7/07 9:23:22 PM)
    Connected to xx.xx.xx.xx port 21 (2/7/07 9:23:22 PM)
    Error 12,8 on reverse name lookup
    220 my.fqdn.here FTP server (Version: Mac OS X Server 10.3.9 003 - SAPI) ready.
    ADAT
    503 You must issue an AUTH first.
    AUTH This command is checking whether this server supports Kerberos or GSS security, see RFC 2228
    504 This command is checking whether this server supports Kerberos or GSS security, see RFC 2228 is unknown to me
    AUTH GSSAPI
    334 Send authorization data.
    gss_send_tok_buff = ftp@my.fqdn.here
    release 2
    service 0gss_send_tok_buff = host@my.fqdn.here
    release 2
    service 1

    If I look at my tickets after trying, I am sure I got an ftp/ ticket, but after I flushed them all and started over (using non-forwardable tickets) I am no longer seeing that. So, I quit Fetch and tried again, and get a different error (with an ftp/ ticket showing up this time).

    GSSAPI error major: Miscellaneous failure
    GSSAPI error minor: No principal in keytab matches desired name
    GSSAPI error: acquiring credentials [ Miscellaneous failure - No principal in keytab matches desired name ]

    Transcript from that:
    ADAT
    503 You must issue an AUTH first.
    AUTH This command is checking whether this server supports Kerberos or GSS security, see RFC 2228
    504 This command is checking whether this server supports Kerberos or GSS security, see RFC 2228 is unknown to me
    AUTH GSSAPI
    334 Send authorization data.
    gss_send_tok_buff = ftp@my.fqdn.here
    ADAT
    501-GSSAPI error major: Miscellaneous failure
    501-GSSAPI error minor: No principal in keytab matches desired name
    501 GSSAPI error: acquiring credentials [ Miscellaneous failure - No principal in keytab matches desired name ]
    Update check skipped at 02/07/2007 09:31 PM (next check after 02/15/2007 06:33 PM)

    Not sure where to look from here.

    Posted 17 years ago #

  • Scott McGuire Administrator

    Hi,

    It sounds like Kerberos is not configured properly on the server. We are not really familiar with how to set up Kerberos servers, so my recommendation is to try to ask your question on one of the Kerberos mailing lists; someone there should be able to help you figure out where the problem is.

    You can find information about and archives of the mailing lists here:

    http://web.mit.edu/kerberos/www/mail-lists.html

    The "kerberos" mailing list is probably the most appropriate place to start, but as you can see, there are several others as well.

    Thanks,

    Scott McGuire
    Fetch Softworks

    Posted 17 years ago #

  • n9yty Member

    Thanks anyway. I did some more poking and prodding, because everything else is working fine. It did see an error in the stream about the GSSAPI mapping being incorrect, so I disabled that option in Fetch and it then authenticated OK but died on the issuance of a 'PROT P' command. I unchecked the encryption checkbox and now everything works OK. This is on a Mac OS X Server 10.3.9 installation if that helps with filling your knowledgebase about issues.

    Posted 17 years ago #
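The AUTH/ADAT exchange in the transcripts above can be triaged mechanically to see how far the security negotiation got and which service name the client asked for. The following Python is an added example, not part of any post and not Fetch's code; `triage`, `LEVELS` and the result field names are hypothetical, the reply codes and protection levels are those defined in RFC 2228, and the sample input is the second transcript copied from the thread.

```python
import re

REPLY = re.compile(r"^(\d{3})[ -](.*)$")              # "501-text" or "501 text"
COMMAND = re.compile(r"^(AUTH|ADAT|PBSZ|PROT)\b\s*(.*)$")
SERVICE = re.compile(r"gss_send_tok_buff = (\S+)")    # service name the client requested
LEVELS = {"C": "clear", "S": "safe", "E": "confidential", "P": "private"}

def triage(transcript):
    """Summarise the RFC 2228 security negotiation in an FTP client transcript."""
    result = {"mechanism": None, "services": [], "stage": "no_auth",
              "errors": [], "data_channel": "clear"}
    last_cmd, last_arg = None, ""
    for raw in transcript.splitlines():
        line = raw.strip()
        if (m := SERVICE.search(line)):
            result["services"].append(m.group(1))
        elif (m := COMMAND.match(line)):
            last_cmd, last_arg = m.group(1), m.group(2)
        elif (m := REPLY.match(line)) and last_cmd:
            code, text = m.groups()
            if last_cmd == "AUTH" and code in ("234", "334"):
                # 334: mechanism accepted, ADAT tokens must follow; 234: no tokens needed
                result["mechanism"] = last_arg
                result["stage"] = "auth_accepted" if code == "334" else "established"
            elif last_cmd == "ADAT" and code == "235":
                result["stage"] = "established"
            elif last_cmd == "ADAT" and code[0] in "45" and result["mechanism"]:
                # Token rejected: keep the server's GSSAPI diagnostics
                result["stage"] = "adat_failed"
                result["errors"].append(text)
            elif last_cmd == "PROT" and code == "200":
                # A rejected PROT leaves the data channel at its previous level
                result["data_channel"] = LEVELS.get(last_arg.upper(), result["data_channel"])
    return result

# Second transcript from the thread, copied as posted
SAMPLE = """\
ADAT
503 You must issue an AUTH first.
AUTH GSSAPI
334 Send authorization data.
gss_send_tok_buff = ftp@my.fqdn.here
ADAT
501-GSSAPI error major: Miscellaneous failure
501-GSSAPI error minor: No principal in keytab matches desired name
501 GSSAPI error: acquiring credentials [ Miscellaneous failure - No principal in keytab matches desired name ]
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `data_channel` of `clear` after an `established` login, the state the last post ends in once encryption was unchecked, means file contents cross the network unprotected even though the login itself used Kerberos.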
