GSSFTP / Kerberos question
Broekman, Maarten
Maarten.Broekman at FMR.COM
Wed Nov 11 20:01:23 UTC 2009
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Thomas von Steiger
> Sent: Wednesday, November 11, 2009 2:57 PM
> To: General Red Hat Linux discussion list
> Subject: Re: GSSFTP / Kerberos question
>
>
> On 11.11.2009, at 17:08, Broekman, Maarten wrote:
>
> > I have Kerberos configured on my hosts and I want to enable GSSFTP. I
> > can get it to work on the "primary" hostname of this set of servers, but
> > not on a secondary (eth0:0) interface. This particular set of servers
> > are a cluster and have a floating IP between them. I have Kerberos host
> > principals configured for both the primary and secondary hostnames of
> > the servers and they are in the keytab file (I can see them with klist),
> > but when I connect to the secondary hostname I get a GSSAPI error:
> >
> > 334 Using authentication type GSSAPI; ADAT must follow
> > GSSAPI accepted as authentication type
> > GSSAPI error major: Unspecified GSS failure. Minor code may provide more information
> > GSSAPI error minor: Unknown code krb5 144
> > GSSAPI error: accepting context
> > GSSAPI ADAT failed
> > GSSAPI authentication failed
> >
> > Connections to the primary hostname work:
> > 334 Using authentication type GSSAPI; ADAT must follow
> > GSSAPI accepted as authentication type
> > GSSAPI authentication succeeded
> >
> > Looking at the Kerberos error code though, it says that 144 is "Wrong
> > principal in request". Anyone have an idea on what needs to be done to
> > get this working?
> >
> > Thanks,
> > Maarten
> >
>
>
> Can you resolve your second hostname where you have the second
> principal?
>
> Thomas
Yes. DNS is functioning properly and I can log in with my password, but
not via GSSAPI. I've also tried putting the extra_addresses and
scan_interfaces options in my krb5.conf but that hasn't helped either.
Could this be a routing issue? My default route points out the primary
hostname interface. There are no specific routes for the secondary
hostname though.
--Maarten