[27139] in Kerberos


using MIT-Kerberos in an NAT environment

daemon@ATHENA.MIT.EDU (frd_mueller@web.de)
Fri Dec 15 15:42:38 2006

Date: Fri, 15 Dec 2006 16:09:49 +0100
Message-Id: <471256109@web.de>
MIME-Version: 1.0
From: frd_mueller@web.de
To: jaltman2@nyc.rr.com, kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-15"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

I refer to the message below.

We are using kerberos v5 authentication for a centrally hosted application. Some sites now have to be attached via NAT due to overlap in IP address ranges. We got the same problem as mentioned below at password changes ([MitKerberosChangePasswordService : 148]  Server error: Failed decrypting request).

Are there any specific schedules / time scales for the new set/change password protocol?

Is there a workaround to use a central kerberos authentication instance with locations attached via NAT? Using cross-realm authentication seems not to be a practical solution, as more small sites may have to be attached and administration of the user accounts should be central.

Thanks 

F. Mueller




> Date: Fri, 18 Aug 2006 06:35:08 GMT
> From: Jeffrey Altman <jaltman2@nyc.rr.com>
> Subject: Re: kpasswd: Failed decrypting request
> To: kerberos@MIT.EDU
> Message-ID: <44E5600F.5040409@nyc.rr.com>
>
> petesea@bigfoot.com wrote:
>> Using krb5-1.4.3 on a Redhat system and I get the following error from
>> kpasswd:
>> 
>>    Failed decrypting request
>> 
>> The admin server is accessed via VPN/NAT and from the sparse info I 
>> could find, I suspect that's the issue.  DNS does show that my VPN IP 
>> matches the hostname.
>> 
>> Questions...
>> 
>> Is that the cause of the error?
>> 
>> Are there plans to fix this?
>> 
>> If there are no plans to fix it (or it can't be fixed)... is there any 
>> possibility the error message could be a bit more descriptive?
>> 
>> I'm trying to deploy kerberos to a large number of users, many will be 
>> accessing our systems via the VPN and I'm sure this will be an issue.
>
> You cannot use the MIT kpasswd through a NAT.  The IP address of the client as seen by the server must match the one the client sees.
>
> When the IETF completes the new set/change password protocol I'm sure that MIT will consider implementing it.
>
> Jeffrey Altman




________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
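The failure the thread describes, modelled as an added example (this is not MIT krb5 code). It assumes, as the reply above states, that the client binds its own address into the protected change-password request and the server compares it with the source address it actually observed, and that kadmind reports any failure from that check only as "Failed decrypting request"; the key, addresses and NAT table are constructed values.

```python
"""Model of the kpasswd address binding from this thread (added example).
Assumption: the client puts its own IP in the protected part of the request,
the server compares it with the observed UDP source, and any failure of that
check is reported with the generic "Failed decrypting request" message."""
import hashlib
import hmac
import json

KEY = b"constructed-session-key"   # stands in for the Kerberos session key
DECRYPT_ERROR = "Failed decrypting request"


def make_priv(client_local_ip, new_password):
    """Client side: protect the request and bind the sender address into it."""
    body = json.dumps({"s_address": client_local_ip,
                       "newpasswd": new_password}).encode()
    return hmac.new(KEY, body, hashlib.sha256).digest() + body


def rd_priv_detail(msg, observed_src_ip):
    """Server-side check with a specific reason (what the thread wishes the
    error message said). Returns "ok" or a descriptive failure string."""
    tag, body = msg[:32], msg[32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        return "integrity check failed"
    bound = json.loads(body)["s_address"]
    if bound != observed_src_ip:
        return "address mismatch: request bound to %s, packet came from %s" % (
            bound, observed_src_ip)
    return "ok"


def server_reply(msg, observed_src_ip):
    """What the server actually reports: every failure collapses to one message."""
    return None if rd_priv_detail(msg, observed_src_ip) == "ok" else DECRYPT_ERROR


def nat(src_ip, table):
    """Source NAT: rewrite the packet source address if the table maps it."""
    return table.get(src_ip, src_ip)


def change_password(client_ip, nat_table):
    """One exchange: client builds the request, NAT rewrites the source,
    server checks. Returns None on success, else the server's error string."""
    msg = make_priv(client_ip, "constructed-password")
    return server_reply(msg, nat(client_ip, nat_table))
```

Running `change_password("10.1.1.5", {"10.1.1.5": "203.0.113.7"})` reproduces the NAT case from the thread, while `rd_priv_detail` on the same request shows the address mismatch that the generic message hides.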

