[27140] in Kerberos


Re: using MIT-Kerberos in an NAT environment

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Fri Dec 15 16:24:46 2006

Message-Id: <200612152124.kBFLO6Mv017252@ginger.cmf.nrl.navy.mil>
To: frd_mueller@web.de
In-Reply-To: <471256109@web.de> 
Date: Fri, 15 Dec 2006 16:24:05 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu

>We are using kerberos v5 authentication for a centrally hosted
>application. Some sites now have to be attached via NAT due to
>overlap in IP address ranges. We got the same problem as mentioned
>below at password changes ([MitKerberosChangePasswordService : 148]
>Server error: Failed decrypting request).
>
>Is there a workaround to use a central kerberos authentication instance
>with locations attached via NAT? Using cross realm authentication seems not
>to be a practical solution, as more small sites may have to be attached
>and administration of the user accounts should be central.

For years I have been running with a small change to the Kerberos
server that allows password changing to work when the client is
behind a NAT.  That is a reasonable option, IMHO (as opposed to
waiting an unspecified amount of time for the implementation of a
new password change protocol, and then waiting an even longer unspecified
time for that protocol to be deployed).

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
