can we FTP upload behind firewall and NAT - Kerberos
can we FTP upload behind firewall and NAT
Hi!
Has anyone ever succeeded in uploading files to a kerberised server from
a compute node behind a firewall and NAT?
Here's the error message.
1. I tried getting addressless credentials by doing 'kinit -n'.
2. However, ftp gives me the following error.
GSSAPI accepted as authentication type
GSSAPI error major: Incorrect channel bindings were supplied
GSSAPI error minor: No error
GSSAPI error: accepting context
GSSAPI ADAT failed
GSSAPI authentication failed
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (fcdfdata114.fnal.gov:schsu): schsu
Password:
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
many thanks,
Shih-Chieh
PS: I've tried anonymous with passive mode, which allows me to download files.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
-
Re: can we FTP upload behind firewall and NAT
Hi! Douglas,
Yes, I've tried passive but it still failed.
Only USER anonymous succeeds in logging in. However, I can only download files.
Shih-Chieh
Douglas E. Engert wrote:
> Have you tried "passive"?
-
Re: can we FTP upload behind firewall and NAT
Shih-Chieh Hsu wrote:
> Hi! Douglas,
>
> Yes, I've tried passive but it still failed.
> Only USER anonymous succeeds in logging in. However, I can only download files.
>
Looking closer, there is a channel binding message. This is similar
to the addresses in tickets, but is done by the applications passing
the binding information (i.e. the endpoint addresses) to GSS.
I think newer versions of the FTP and FTPD can work without the
channel bindings, but older versions of FTPD may not. It's really up to the
client and server to agree on the use of channel bindings, and they
pass these to GSS. We had a mod to init_sec_context.c for Windows at
one time to try and use the NAT box address in the bindings
(I remember seeing something similar on the mailing list too,
and there was discussion about using something like 0.0.0.1 and 0.0.0.2
as the endpoints.)
init_sec_context.c:
/* compute the hash of the channel bindings */
+#ifdef _WIN32
+ /*
+ * Many times we are behind a firewall which is doing NAT
+ * such as at home on a PC.
+ * If the KRB5NATADDR is set, and our initiator addr starts
+ * with 198, and the acceptor address does not, i.e. its
+ * outside the firewall, we will then replace the initator
+ * address with the KRB5NATADDR.
+ */
+ if (chan_bindings != GSS_C_NO_CHANNEL_BINDINGS
+ && chan_bindings->initiator_addrtype == GSS_C_AF_INET
+ && chan_bindings->acceptor_addrtype == GSS_C_AF_INET
+ && chan_bindings->initiator_address.length == 4
+ && chan_bindings->acceptor_address.length == 4
+ && *((unsigned char *)chan_bindings->initiator_address.value) == 192
+ && *(((unsigned char *)chan_bindings->initiator_address.value)+1) == 168
+ && *((unsigned char *)chan_bindings->acceptor_address.value) != 192
+ && *(((unsigned char *)chan_bindings->acceptor_address.value)+1) != 168) {
+ char * ncp;
+ int i,n;
+ if (ncp = getenv("KRB5NATADDR")) {
+ for (i=0; i<4; i++) {
+ n = 0;
+ while (*ncp >= '0' && *ncp <='9') {
+ n = n*10 + *ncp -'0';
+ ncp++;
+ }
+ if (*ncp) ncp++;
+ nataddr[i] = n;
+ }
+ saved_addr = chan_bindings->initiator_address.value;
+ chan_bindings->initiator_address.value = nataddr;
+ }
+ }
+#endif
+
if ((code = kg_checksum_channel_bindings(context, chan_bindings, &md5, 0)))
return(code);
+#ifdef _WIN32
+ if (saved_addr) {
+ chan_bindings->initiator_address.value = saved_addr;
+ }
+#endif
krb5_auth_con_set_req_cksumtype(context, ctx->auth_context,
CKSUMTYPE_KG_CB);
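Review bot: the restore of `chan_bindings->initiator_address.value` in the second `#ifdef _WIN32` block is skipped when `kg_checksum_channel_bindings()` fails, because `return(code)` runs first; the caller's `chan_bindings` is then left pointing at `nataddr`. Restore `saved_addr` before that return, or better, compute the checksum over a local copy of the bindings rather than mutating the caller's struct. In the same region, `nataddr` and `saved_addr` are used without visible declarations, and `saved_addr` must be initialised to NULL or the unconditional `if (saved_addr)` test reads an indeterminate value whenever the NAT path is not taken. The comment says the initiator address "starts with 198" while the code tests for 192.168, so one of the two needs fixing. The acceptor test `!= 192 && != 168` also means any acceptor whose first octet is 192 or whose second octet is 168 (e.g. 10.168.x.x) is treated as inside the NAT; the intended condition is `!(acceptor[0] == 192 && acceptor[1] == 168)`. Finally, `n` from KRB5NATADDR is stored into `nataddr[i]` without checking that it fits in an octet, and `if (ncp = getenv(...))` should be `if ((ncp = getenv(...)) != NULL)`.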
> Shih-Chieh
>
> Douglas E. Engert wrote:
>
>> Have you tried "passive"?
>>
>> Shih-Chieh Hsu wrote:
>>
>>> Hi!
>>>
>>> Has anyone ever succeeded in uploading files to a kerberised server from
>>> a compute node behind a firewall and NAT?
>>>
>>> Here's the error message.
>>> 1. I tried getting addressless credentials by doing 'kinit -n'.
>>> 2. However, ftp gives me the following error.
>>> GSSAPI accepted as authentication type
>>> GSSAPI error major: Incorrect channel bindings were supplied
Yes, this looks like the addresses are being added.
--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
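Douglas's explanation above, as an added example that is not part of the thread or of MIT krb5: a Python model of the RFC 1964 channel-binding checksum (the Bnd field that kg_checksum_channel_bindings() produces), showing why the acceptor reports "Incorrect channel bindings" when the client sits behind NAT, and which of the two workarounds discussed (hash the NAT box address instead of the private one, or have both sides pass GSS_C_NO_CHANNEL_BINDINGS) makes the hashes agree. The addresses are constructed documentation-range values, accept_sec_context() here is a model of the comparison rather than the library's function, needs_nat_rewrite() generalises the posted patch's 192.168 test to all RFC 1918 ranges, and whether a real acceptor tolerates an all-zero hash from a client that omitted bindings depends on the version.

```python
"""Model of the RFC 1964 1.1.1 channel-binding checksum (added example,
not MIT krb5 code) and of the acceptor-side comparison that yields
GSS_S_BAD_BINDINGS, "Incorrect channel bindings were supplied"."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

GSS_C_AF_INET = 2  # GSS-API address family constant (RFC 2744)

# RFC 1918 networks; used instead of ipaddress.is_private, which also
# treats the documentation ranges used below as non-global.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class ChannelBindings:
    """Mirrors gss_channel_bindings_struct: typed initiator/acceptor
    addresses plus optional application data."""
    initiator_addrtype: int
    initiator_address: bytes
    acceptor_addrtype: int
    acceptor_address: bytes
    application_data: bytes = b""


def _buf(data: bytes) -> bytes:
    # 4-byte little-endian length followed by the octets (RFC 1964 1.1.1)
    return struct.pack("<I", len(data)) + data


def binding_checksum(cb: Optional[ChannelBindings]) -> bytes:
    """The 16-byte Bnd field: MD5 over the binding components in declaration
    order with little-endian integers. GSS_C_NO_CHANNEL_BINDINGS (None) maps
    to 16 zero bytes, as MIT krb5 does."""
    if cb is None:
        return bytes(16)
    md = hashlib.md5()
    md.update(struct.pack("<I", cb.initiator_addrtype))
    md.update(_buf(cb.initiator_address))
    md.update(struct.pack("<I", cb.acceptor_addrtype))
    md.update(_buf(cb.acceptor_address))
    md.update(_buf(cb.application_data))
    return md.digest()


def inet_bindings(initiator: str, acceptor: str) -> ChannelBindings:
    """Bindings the way ftp/ftpd build them: the two IPv4 socket endpoints."""
    return ChannelBindings(
        GSS_C_AF_INET, ipaddress.IPv4Address(initiator).packed,
        GSS_C_AF_INET, ipaddress.IPv4Address(acceptor).packed,
    )


def accept_sec_context(bnd_from_client: bytes,
                       acceptor_cb: Optional[ChannelBindings]) -> str:
    """Acceptor-side check, modelled on gss_accept_sec_context(): the Bnd
    hash carried in the AP-REQ authenticator must equal the hash of the
    acceptor's own view of the endpoints. An acceptor that supplies no
    bindings (the 'newer FTPD' case in the thread) performs no check.
    This model compares strictly; tolerance of an all-zero client hash
    varies between real implementations and versions."""
    if acceptor_cb is None:
        return "GSS_S_COMPLETE"
    if bnd_from_client != binding_checksum(acceptor_cb):
        return "GSS_S_BAD_BINDINGS"  # "Incorrect channel bindings were supplied"
    return "GSS_S_COMPLETE"


def needs_nat_rewrite(initiator: str, acceptor: str) -> bool:
    """Generalised form of the predicate in the posted patch: the initiator
    is on an RFC 1918 network and the acceptor is not, so the acceptor will
    see the NAT's public address instead of ours."""
    src, dst = ipaddress.IPv4Address(initiator), ipaddress.IPv4Address(acceptor)
    private = lambda a: any(a in net for net in RFC1918)
    return private(src) and not private(dst)


def run_scenarios() -> dict:
    """Constructed example: client 192.168.1.20 behind a NAT whose public
    address is 203.0.113.7, talking to ftpd on 198.51.100.21."""
    client, nat, server = "192.168.1.20", "203.0.113.7", "198.51.100.21"
    server_view = inet_bindings(nat, server)  # what ftpd's getpeername() sees
    return {
        # 1. ftp hashes its private address: mismatch, so ADAT fails
        "private_addr": accept_sec_context(
            binding_checksum(inet_bindings(client, server)), server_view),
        # 2. the KRB5NATADDR idea: hash the NAT address instead
        "nat_addr": accept_sec_context(
            binding_checksum(inet_bindings(nat, server)), server_view),
        # 3. client omits bindings but an old ftpd still checks (this model)
        "client_none_server_checks": accept_sec_context(
            binding_checksum(None), server_view),
        # 4. both sides omit bindings: works regardless of NAT
        "both_none": accept_sec_context(binding_checksum(None), None),
        "rewrite_needed": needs_nat_rewrite(client, server),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:26s} {result}")
```

The point the model makes visible is that the checksum is over the initiator's own idea of its address, so no change to ticket addresses (kinit -n) can help; only the two endpoints agreeing on what to hash, or both omitting bindings, resolves it.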