GSSFTP / Kerberos question

Broekman, Maarten Maarten.Broekman at FMR.COM
Wed Nov 11 20:01:23 UTC 2009


>  -----Original Message-----
>  From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Thomas von Steiger
>  Sent: Wednesday, November 11, 2009 2:57 PM
>  To: General Red Hat Linux discussion list
>  Subject: Re: GSSFTP / Kerberos question
>  
>  
>  On 11.11.2009, at 17:08, Broekman, Maarten wrote:
>  
>  > I have Kerberos configured on my hosts and I want to enable GSSFTP.  I
>  > can get it to work on the "primary" hostname of this set of servers, but
>  > not on a secondary (eth0:0) interface.  This particular set of servers
>  > are a cluster and have a floating IP between them.  I have Kerberos host
>  > principals configured for both the primary and secondary hostnames of
>  > the servers and they are in the keytab file (I can see them with klist),
>  > but when I connect to the secondary hostname I get a GSSAPI error:
>  >
>  > 334 Using authentication type GSSAPI; ADAT must follow
>  > GSSAPI accepted as authentication type
>  > GSSAPI error major: Unspecified GSS failure.  Minor code may provide more information
>  > GSSAPI error minor: Unknown code krb5 144
>  > GSSAPI error: accepting context
>  > GSSAPI ADAT failed
>  > GSSAPI authentication failed
>  >
>  > Connections to the primary hostname work:
>  > 334 Using authentication type GSSAPI; ADAT must follow
>  > GSSAPI accepted as authentication type
>  > GSSAPI authentication succeeded
>  >
>  > Looking at the Kerberos error code though, it says that 144 is "Wrong
>  > principal in request".  Anyone have an idea on what needs to be done to
>  > get this working?
>  >
>  > Thanks,
>  > Maarten
>  >
>  
>  
>  Can you resolve your second hostname where you have the second
>  principal?
>  
>  Thomas

Yes.  DNS is functioning properly and I can log in with my password, but
not via GSSAPI.  I've also tried putting the extra_addresses and
scan_interfaces options in my krb5.conf but that hasn't helped either.

Could this be a routing issue?  My default route points out the primary
hostname interface.  There are no specific routes for the secondary
hostname though.

--Maarten





