[32321] in Kerberos


Re: Generic question regarding service principal required to access a

daemon@ATHENA.MIT.EDU (Elia Pinto)
Wed May 12 09:42:51 2010

MIME-Version: 1.0
In-Reply-To: <1270911737.23242.29.camel@ray>
Date: Wed, 12 May 2010 15:42:41 +0200
Message-ID: <AANLkTil404g7-OyuHZgcrfToD_3cnStB6KqqrS1wUHWX@mail.gmail.com>
From: Elia Pinto <gitter.spiros@gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

2010/4/10 Greg Hudson <ghudson@mit.edu>:
> On Sat, 2010-04-10 at 05:28 -0400, Elia Pinto wrote:
>>  I can get a TGS ftp /<KDC MVS hostname>@< KDC MVS REALMS> but it seems
>>  that the client also requests a TGS host /<KDC MVS hostname>@< KDC MVS
>>  REALMS> but this one is not defined on the KDC MVS and so the ftp
>>  client logon fails.
>
> The ftp client tries to authenticate to ftp/hostname, then falls back to
> host/hostname if that fails.  So, no, you don't need a host/hostname
> service, but you do have to figure out why the initial authentication is
> failing.

First of all, thanks for the fast reply. It was not easy to find the problem,
given that from the logs of the Z/OS KDC it looked like a Kerberos problem. Instead,
the true problem was that the Z/OS KDC was using code page IBM-1047
while the FTP server uses the code page IBM-280. And between the two
different code pages, in particular, the hexadecimal representation of
the @ character in IBM-280 matches the character §, and vice versa.

In particular, in the ftp server configuration file 'ftp.env' the
following variable was defined:

                        LC_ALL = It_IT.IBM-280

While in the KDC configuration file 'envar' the following variable was defined:

                        LANG = En_US.IBM-1047

I have then changed the code page of the IBM ftp to IBM-1047.

And it works perfectly.

Thanks again

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
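
Added example (not part of the original message, and not IBM or MIT code): a small Python model of the code page mismatch described in the message above. It reads the effective codeset from the two settings quoted in the post and shows how a principal name written under IBM-280 reads when the same bytes are interpreted under IBM-1047. The principal name, the function names, the 0x7C/0xB5 byte positions and the use of Python's cp037 codec for the invariant EBCDIC characters are assumptions of this example.

```python
import re

# Assumption: '@' and '§' sit at swapped byte positions in the two code pages
# (values taken from the public IBM code page tables, not from the post).
AT_SECTION = {
    "IBM-1047": {"@": 0x7C, "§": 0xB5},
    "IBM-280":  {"@": 0xB5, "§": 0x7C},
}

def effective_codeset(env_text):
    """Return the codeset of the effective locale; LC_ALL overrides LANG."""
    settings = dict(re.findall(r"^\s*(LC_ALL|LANG)\s*=\s*(\S+)", env_text, re.M))
    locale = settings.get("LC_ALL") or settings.get("LANG")
    return locale.split(".", 1)[1] if locale and "." in locale else None

def encode(text, codeset):
    """Encode to EBCDIC; cp037 covers the invariant letters, digits, '/' and '.'."""
    table = AT_SECTION[codeset]
    return bytes(table[c] if c in table else c.encode("cp037")[0] for c in text)

def decode(data, codeset):
    """Decode EBCDIC bytes, applying the per-code-page '@'/'§' positions."""
    rev = {b: c for c, b in AT_SECTION[codeset].items()}
    return "".join(rev[b] if b in rev else bytes([b]).decode("cp037") for b in data)

def principal_as_seen(principal, sender_env, receiver_env):
    """What the receiver reads when the sender's bytes arrive unconverted."""
    raw = encode(principal, effective_codeset(sender_env))
    return decode(raw, effective_codeset(receiver_env))

# Constructed inputs: the settings quoted in the post, a hypothetical principal.
FTP_ENV = "LC_ALL = It_IT.IBM-280\n"
KDC_ENVAR = "LANG = En_US.IBM-1047\n"
PRINCIPAL = "ftp/mvs1.example.com@EXAMPLE.COM"

if __name__ == "__main__":
    seen = principal_as_seen(PRINCIPAL, FTP_ENV, KDC_ENVAR)
    print(effective_codeset(FTP_ENV), "->", effective_codeset(KDC_ENVAR), ":", seen)
    if "@" not in seen:
        print("realm separator lost: service and realm cannot be split")
```

With both sides on the same codeset the name survives the round trip unchanged, which matches the fix reported in the message.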

