Hello,
I have a problem using Kerberos authentication with proftpd 1.3.5.
When I try to authenticate from an FTP client, authentication fails:
GSSAPI Error major: An invalid name was supplied
It seems there is a problem between the server name, DNS and Kerberos.
It works on Red Hat 5.3 with proftpd and Kerberos,
it works on Red Hat 6.4 with proftpd without Kerberos in an IPA environment.
Any idea?
How can I get more debug information for proftpd and mod_gss?
Thanks for your help!
Guillaume Helle
mod_gss.log:
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Auth GSSAPI requested, ADAT must
follow
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Ignore Channel Binding
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Set
KRB5_KTNAME=FILE:/appli/proftpd//etc/proftpd.keytab
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Importing service
ftp@::ffff:10.222.52.12
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error major: An invalid name was
supplied
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error minor:
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error: could not acquire credential
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Importing service
host@::ffff:10.222.52.12
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error major: An invalid name was
supplied
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error minor:
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error: could not acquire credential
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error major: An invalid name was
supplied
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error minor:
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error: Error acquiring credentials
proftpd.log :
2016-04-11 14:13:36,850 [19303] <fsio:8>: using system read() for path
'/appli/proftpd/etc/proftpd.conf' (4096 bytes)
2016-04-11 14:13:36,850 [19303] <fsio:8>: using system close() for path
'/appli/proftpd/etc/proftpd.conf'
2016-04-11 14:13:36,850 [19303] <dns:10>: resolving name
'ak-mf-mpfcc-01.mf.int.mcc' to IP address
2016-04-11 14:13:36,850 [19303] <dns:7>: attempting to resolve
'ak-mf-mpfcc-01.mf.int.mcc' to IPv4 address via DNS
2016-04-11 14:13:36,850 [19303] <dns:7>: resolved 'ak-mf-mpfcc-01.mf.int.mcc'
to IPv4 address 10.222.52.12
2016-04-11 14:13:36,850 [19303] <dns:5>: stashed IP address '10.222.52.12' for
name 'ak-mf-mpfcc-01.mf.int.mcc' in the netaddr IP cache
2016-04-11 14:13:36,850 [19303] <dns:5>: stashed IP address '10.222.52.12' for
name '10.222.52.12' in the netaddr IP cache
2016-04-11 14:13:36,850 [19303] <dns:7>: attempting to resolve
'ak-mf-mpfcc-01.mf.int.mcc' to IPv6 address via DNS
2016-04-11 14:13:36,851 [19303] <dns:1>: IPv6 getaddrinfo
'ak-mf-mpfcc-01.mf.int.mcc' error: Name or service not known
2016-04-11 14:13:36,851 [19303] <dns:4>: using IP address '10.222.52.12' from
netaddr IP cache for name '10.222.52.12'
2016-04-11 14:13:36,851 [19303] <event:8>: dispatching event 'core.postparse'
to mod_gss (at 0x4768a0, use cache = false)
2016-04-11 14:13:36,851 [19303] <signal:5>: signals blocked
2016-04-11 14:13:36,851 [19303] <signal:5>: signals unblocked
2016-04-11 14:13:36,851 [19303] <signal:5>: signals blocked
2016-04-11 14:13:36,851 [19303] <signal:5>: signals unblocked
2016-04-11 14:13:36,851 [19303] <event:8>: dispatching event 'core.postparse'
to mod_delay (at 0x46dbf0, use cache = false)
2016-04-11 14:13:36,851 [19303] <event:8>: dispatching event 'core.postparse'
to mod_log (at 0x46b370, use cache = false)
2016-04-11 14:13:36,851 [19303] <event:8>: dispatching event 'core.postparse'
to mod_rlimit (at 0x457620, use cache = false)
2016-04-11 14:13:36,851 [19303] <signal:5>: signals blocked
2016-04-11 14:13:36,851 [19303] <signal:5>: signals unblocked
2016-04-11 14:13:36,851 [19303] <signal:5>: signals blocked
2016-04-11 14:13:36,851 [19303] <signal:5>: signals unblocked
2016-04-11 14:13:36,851 [19303] <auth:6>: dispatching auth request "getgroups"
to module mod_auth_file
2016-04-11 14:13:36,851 [19303] <auth:6>: dispatching auth request "getgroups"
to module mod_auth_unix
2016-04-11 14:13:36,851 [19303] <auth:4>: using getgrouplist(3) to look up
group membership
2016-04-11 14:13:36,852 [19303] <signal:5>: signals blocked
ftp console :
Looking up ak-mf-mpfcc-01.mf.int.mcc...
Connecting to ak-mf-mpfcc-01.mf.int.mcc at port 21...
Connected to ak-mf-mpfcc-01.mf.int.mcc ([10.222.52.12]:21).
<-- [ak-mf-mpfcc-01.mf.int.mcc] 220 Serveur FTP OK
remote address: 10.222.52.12
local address: 10.222.52.8
Trying GSSAPI...
--> [ak-mf-mpfcc-01.mf.int.mcc] AUTH GSSAPI
<-- [ak-mf-mpfcc-01.mf.int.mcc] 334 Using authentication type GSSAPI; ADAT must
follow
Trying to authenticate to ftp@ak-mf-mpfcc-01.mf.int.mcc
--> [ak-mf-mpfcc-01.mf.int.mcc] ADAT
Server has closed control connection
Error: expected ADAT in reply. got:
Using plaintext username and password
Hi Guillaume,
I already replied to this on the proftpd bugzilla system.
You seem to have a DNS setup problem on the server.
2016-04-11 14:13:36,851 [19303] <dns:1>: IPv6 getaddrinfo
'ak-mf-mpfcc-01.mf.int.mcc' error: Name or service not known
why it tries to use a principal with a v8 IP instead of the name
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Importing service
ftp@::ffff:10.222.52.12
Markus
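
Added example, not part of the thread and not proftpd or mod_gss code: a small check that scans mod_gss log lines for "Importing service" entries and flags any whose host part is an address literal (such as the IPv4-mapped IPv6 form seen above) instead of a hostname, since Kerberos service principals are keyed on the host name. The function names are hypothetical; the sample lines are taken from the log in the thread with the mail wrapping rejoined, plus one constructed line showing the expected form.

```python
import ipaddress
import re

# First three lines: from the mod_gss.log excerpt in the thread (rejoined).
# Last line: constructed, showing a name built from the FQDN.
SAMPLE_LOG = """\
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Importing service ftp@::ffff:10.222.52.12
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Error major: An invalid name was supplied
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Importing service host@::ffff:10.222.52.12
Mar 21 13:40:31 mod_gss/1.3.4[6734]: GSSAPI Importing service ftp@ak-mf-mpfcc-01.mf.int.mcc
"""

IMPORT_RE = re.compile(r"GSSAPI Importing service (?P<svc>[^@\s]+)@(?P<host>\S+)")


def classify_host(host):
    """Return 'hostname', 'ipv4', 'ipv6' or 'ipv4-mapped-ipv6' for a host part."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # not an address literal
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return "ipv4-mapped-ipv6"
    return "ipv%d" % addr.version


def audit_service_names(log_text):
    """Return a list of (service, host, kind, ok) for each imported service name."""
    results = []
    for line in log_text.splitlines():
        m = IMPORT_RE.search(line)
        if not m:
            continue
        kind = classify_host(m.group("host"))
        # Only a hostname can match a service/hostname principal in a keytab.
        results.append((m.group("svc"), m.group("host"), kind, kind == "hostname"))
    return results


if __name__ == "__main__":
    for svc, host, kind, ok in audit_service_names(SAMPLE_LOG):
        status = "ok" if ok else "SUSPECT: address literal, not a hostname"
        print(f"{svc}@{host}: {kind} -> {status}")
```
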