can we FTP upload behind firewall and NAT - Kerberos


Thread: can we FTP upload behind firewall and NAT

  1. can we FTP upload behind firewall and NAT

    Hi!

    Has anyone ever succeeded in uploading files to a kerberised server from
    a compute node behind a firewall and NAT?

    Here's the error message.
    1. I tried getting addressless credentials by doing 'kinit -n'.
    2. However, ftp gives me the following error.
    GSSAPI accepted as authentication type
    GSSAPI error major: Incorrect channel bindings were supplied
    GSSAPI error minor: No error
    GSSAPI error: accepting context
    GSSAPI ADAT failed
    GSSAPI authentication failed
    KERBEROS_V4 accepted as authentication type
    Kerberos V4 krb_mk_req failed: You have no tickets cached
    Name (fcdfdata114.fnal.gov:schsu): schsu
    Password:
    Login failed.
    Remote system type is UNIX.
    Using binary mode to transfer files.


    many thanks,

    Shih-Chieh
    PS: I've tried anonymous with passive mode, and it allows me to download files.

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: can we FTP upload behind firewall and NAT

    Shih-Chieh

    You can use it behind a firewall if you switch off the channel binding. If I
    remember right the latest MIT sources don't use channel bindings anymore,
    Heimdal and proftpd with mod_gss have an option for the daemon to switch it
    off.

    The other problem you may have is that the FW can't inspect the PORT/PASV
    command anymore to open the right ports of a stateful firewall and to
    replace ports if needed.

    Regards
    Markus

    "Shih-Chieh Hsu" wrote in message
    news:427DBD95.5070906@fnal.gov...
    > Hi!
    >
    > Has anyone ever succeeded in uploading files to a kerberised server from
    > a compute node behind a firewall and NAT?
    >
    > Here's the error message.
    > 1. I tried getting addressless credentials by doing 'kinit -n'.
    > 2. However, ftp gives me the following error.
    > GSSAPI accepted as authentication type
    > GSSAPI error major: Incorrect channel bindings were supplied
    > GSSAPI error minor: No error
    > GSSAPI error: accepting context
    > GSSAPI ADAT failed
    > GSSAPI authentication failed
    > KERBEROS_V4 accepted as authentication type
    > Kerberos V4 krb_mk_req failed: You have no tickets cached
    > Name (fcdfdata114.fnal.gov:schsu): schsu
    > Password:
    > Login failed.
    > Remote system type is UNIX.
    > Using binary mode to transfer files.
    >
    >
    > many thanks,
    >
    > Shih-Chieh
    > PS: I've tried anonymous with passive mode, and it allows me to download files.
    >
    >
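
Why NAT produces the "Incorrect channel bindings were supplied" error discussed in this thread, as an added example that is not code from either poster or from any FTP daemon. It assumes the FTP GSSAPI bindings carry the client and server IPv4 addresses and are hashed with MD5 in the layout of RFC 4121 section 4.1.1.2; the addresses are constructed, and the `enforce` flag is a hypothetical stand-in for the daemon option that switches the check off.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2  # GSS-API address type for IPv4

# Constructed sample addresses
CLIENT_PRIVATE = "10.0.0.15"   # address the client sees on its own socket
NAT_PUBLIC = "198.51.100.7"    # address the server sees after translation
SERVER = "203.0.113.20"


def binding_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel-binding fields, all integers 32-bit little-endian."""
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        buf += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def acceptor_check(token_bnd, peer_ip, local_ip, enforce=True):
    """Server side: recompute the hash from its own view of the connection."""
    if not enforce:
        # Hypothetical equivalent of the "switch off channel binding" option
        return "accepted (bindings ignored)"
    if token_bnd == binding_hash(peer_ip, local_ip):
        return "accepted"
    return "GSS_S_BAD_BINDINGS"  # reported as "Incorrect channel bindings were supplied"


def login(client_ip, seen_by_server_as, enforce=True):
    """Client hashes its local address; server hashes the peer address it observes."""
    bnd = binding_hash(client_ip, SERVER)
    return acceptor_check(bnd, seen_by_server_as, SERVER, enforce)


if __name__ == "__main__":
    print("direct :", login(CLIENT_PRIVATE, CLIENT_PRIVATE))
    print("NAT    :", login(CLIENT_PRIVATE, NAT_PUBLIC))
    print("NAT,off:", login(CLIENT_PRIVATE, NAT_PUBLIC, enforce=False))
```

The ticket itself is never examined here: the mismatch comes from the address in the bindings, which is why addressless credentials alone do not clear the error.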



