[2779] in Kerberos-V5-bugs


krb5-appl/466: failure of ftpd for kerberos authentication

daemon@ATHENA.MIT.EDU (benjid@teamnet.net)
Thu Aug 28 12:48:29 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, benjid@teamnet.net
Date: Thu, 28 Aug 1997 11:40:54 -0500 (CDT)
From: benjid@teamnet.net
Reply-To: benjid@teamnet.net
To: krb5-bugs@MIT.EDU


>Number:         466
>Category:       krb5-appl
>Synopsis:       failure of ftpd for kerberos authentication
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Thu Aug 28 12:42:01 EDT 1997
>Last-Modified:
>Originator:     Ben Dehner
>Organization:
TEAM Technologies
>Release:        1.0pl1
>Environment:
System: IRIX media 6.2 03131015 IP22


>Description:
	Brief: failure of Kerberos ftpd to authenticate

	Expanded: Our company's domain name is "teamnet.net", and I have made our
	Kerberos realm TEAMNET.NET.  However, we have many dedicated client machines
	which have names outside of this domain, e.g. "www.nk.com".  ftpd fails
	to do Kerberos authentication on this machine.  (I have included this machine
	in the "TEAMNET.NET" realm in /etc/krb5.conf.)

	Diagnostics: I put the ftpd server in debug mode by adding the "-v" flag to
	ftpd in the /etc/inetd.conf file.  The following excerpts below are from a
	client connect and from the syslog:

client:
---------------------------------------
media/benjid>/usr/local/bin/ftp www.nk.com
Connected to www.nk.com.
220 www FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: No error
GSSAPI error minor: No error
GSSAPI error: acquiring credentials
GSSAPI ADAT failed
GSSAPI authentication failed
Name (www.nk.com:benjid): 
331 Password required for benjid.
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
-------------------------------------------------

Server, obtained from syslog: (I have deleted parts of the 
"ADAT" string)

------------------------------------------------------
Aug 28 11:26:33 6D:www ftpd[17800]: connection from media.teamnet.net at Thu Aug 28 11:26:33 1997
Aug 28 11:26:33 7D:www ftpd[17800]: <--- 220
Aug 28 11:26:33 7D:www ftpd[17800]: www FTP server (Version 5.60) ready.
Aug 28 11:26:33 7D:www ftpd[17800]: command: <AUTH GSSAPI^M
Aug 28 11:26:33 5B:www >(13)
Aug 28 11:26:33 7D:www ftpd[17800]: <--- 334
Aug 28 11:26:33 7D:www ftpd[17800]: Using authentication type GSSAPI; ADAT must follow

Aug 28 11:26:33 7D:www ftpd[17800]: command: <ADAT YIIB3QYJKoZIhvcSAQICAQBuggHMM
Aug 28 11:26:33 5B:www YoxBWg0dspdGO0paQAnC6SazYhtgzVGPR4NCMGMp4hriMxjdDyNJ148Us
XkEFWnJbSf65x/TOffoE0MggVw0ua2cX+l4j0EHD

Aug 28 11:26:33 5B:www >(651)
Aug 28 11:26:33 6D:www ftpd[17800]: importing <ftp@www.teamnet.net>
Aug 28 11:26:33 6D:www ftpd[17800]: importing <host@www.teamnet.net>
Aug 28 11:26:33 7D:www ftpd[17800]: <--- 501-
Aug 28 11:26:33 7D:www ftpd[17800]: GSSAPI error major: No error
Aug 28 11:26:33 7D:www ftpd[17800]: <--- 501-
Aug 28 11:26:33 7D:www ftpd[17800]: GSSAPI error minor: No error
Aug 28 11:26:33 7D:www ftpd[17800]: <--- 501
Aug 28 11:26:33 7D:www ftpd[17800]: GSSAPI error: acquiring credentials
Aug 28 11:26:33 3D:www ftpd[17800]: gssapi error acquiring credentials
Aug 28 11:26:36 7D:www ftpd[17800]: command: <USER benjid^M
Aug 28 11:26:36 5B:www >(13)
Aug 28 11:26:36 7D:www ftpd[17800]: <--- 331
Aug 28 11:26:36 7D:www ftpd[17800]: Password required for benjid.
Aug 28 11:26:39 7D:www ftpd[17800]: command: <PASS nonehere^M
Aug 28 11:26:39 5B:www >(15)
Aug 28 11:26:39 7D:www ftpd[17800]: <--- 530
Aug 28 11:26:39 7D:www ftpd[17800]: Login incorrect.
Aug 28 11:26:39 7D:www ftpd[17800]: command: <SYST^M
Aug 28 11:26:39 5B:www >(6)
Aug 28 11:26:39 7D:www ftpd[17800]: <--- 215
Aug 28 11:26:39 7D:www ftpd[17800]: UNIX Type: L8
Aug 28 11:26:41 7D:www ftpd[17800]: command: <QUIT^M
Aug 28 11:26:41 5B:www >(6)
Aug 28 11:26:41 7D:www ftpd[17800]: <--- 221
Aug 28 11:26:41 7D:www ftpd[17800]: Goodbye.
-------------------------------------------------

IMO, the key here is the "importing" string -- for some reason it
appears that the ftpd is canonicalizing the system name incorrectly
and searching for server authentication tickets for the system
"www.teamnet.net" instead of "www.nk.com".  The latter name
already has a principal entered into the database and local
keytab file.


>How-To-Repeat:
	

>Fix:
	One work-around would be to re-name the machine with a new
	"teamnet.net" identifier; this is somewhat impractical on high-availability
	web servers which already have names of this form.
>Audit-Trail:
>Unformatted:
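
The following is an added example, not part of the bug report above. It shows how to read the server-side symptom the report points at: the GSS-API host-based names ftpd imports ("service@host") map to the Kerberos principals "service/host@REALM" that the server must find in its keytab, so a canonicalized hostname that differs from the one the client connected to produces a keytab lookup for a principal that does not exist, which surfaces as the "acquiring credentials" error. The log lines are copied from the report's syslog excerpt; the keytab contents are constructed to reflect the report's statement that www.nk.com already has principals in the database and local keytab. Function names and the realm handling are this example's own assumptions.

```python
import re

# Excerpt of the server-side syslog lines quoted in the report (the ADAT blob and
# the cleartext USER/PASS fallback are left out; only the lines this check needs).
SYSLOG_EXCERPT = """\
Aug 28 11:26:33 6D:www ftpd[17800]: connection from media.teamnet.net at Thu Aug 28 11:26:33 1997
Aug 28 11:26:33 7D:www ftpd[17800]: command: <AUTH GSSAPI^M
Aug 28 11:26:33 6D:www ftpd[17800]: importing <ftp@www.teamnet.net>
Aug 28 11:26:33 6D:www ftpd[17800]: importing <host@www.teamnet.net>
Aug 28 11:26:33 7D:www ftpd[17800]: GSSAPI error: acquiring credentials
"""

# Constructed keytab listing: the report says www.nk.com already has a principal
# in the KDC database and the local keytab, so these are the names assumed present.
LOCAL_KEYTAB_PRINCIPALS = {
    "ftp/www.nk.com@TEAMNET.NET",
    "host/www.nk.com@TEAMNET.NET",
}

IMPORT_RE = re.compile(
    r"ftpd\[(?P<pid>\d+)\]: importing <(?P<service>[^@>]+)@(?P<host>[^>]+)>"
)
CRED_ERR_RE = re.compile(r"ftpd\[(?P<pid>\d+)\]: GSSAPI error: acquiring credentials")


def gss_hostbased_to_principal(service, host, realm):
    """Map a GSS-API host-based name 'service@host' to the Kerberos principal
    'service/host@REALM' that the acceptor looks up in its keytab."""
    return f"{service}/{host.lower().rstrip('.')}@{realm}"


def imported_names(log_text):
    """Return (pid, service, host) for every 'importing <service@host>' line."""
    return [
        (m.group("pid"), m.group("service"), m.group("host"))
        for m in IMPORT_RE.finditer(log_text)
    ]


def pids_with_credential_failure(log_text):
    """PIDs of ftpd sessions that logged the 'acquiring credentials' error."""
    return {m.group("pid") for m in CRED_ERR_RE.finditer(log_text)}


def audit_acceptor_names(log_text, requested_host, realm, keytab_principals):
    """For each imported acceptor name, report whether its host part matches
    the host the client connected to and whether a key for it exists in the
    keytab, correlated by PID with any logged credential failure."""
    failed = pids_with_credential_failure(log_text)
    findings = []
    for pid, service, host in imported_names(log_text):
        imported = gss_hostbased_to_principal(service, host, realm)
        expected = gss_hostbased_to_principal(service, requested_host, realm)
        findings.append({
            "pid": pid,
            "imported": imported,
            "expected": expected,
            "host_mismatch": imported != expected,
            "in_keytab": imported in keytab_principals,
            "credential_failure_logged": pid in failed,
        })
    return findings


if __name__ == "__main__":
    # The client in the report connected to www.nk.com in realm TEAMNET.NET.
    for finding in audit_acceptor_names(SYSLOG_EXCERPT, "www.nk.com",
                                        "TEAMNET.NET", LOCAL_KEYTAB_PRINCIPALS):
        print(finding)
```

Run against the report's lines, both imported names come back with `host_mismatch` set and `in_keytab` false for the same PID that logged the credential failure, which is the pattern to look for when a host-based service name is being canonicalized to a name the keytab does not hold. On a real server the same comparison can be made against `klist -k` output in place of the constructed set.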
