[27151] in Kerberos
Patch for MIT-Kerberos kpasswd in a NAT environment
daemon@ATHENA.MIT.EDU (frd_mueller@web.de)
Thu Dec 21 16:54:03 2006
Date: Thu, 21 Dec 2006 15:48:04 +0100
Message-Id: <481991600@web.de>
From: frd_mueller@web.de
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
> -----Original Message-----
> From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
> Sent: 15.12.06 22:24:52
> To: frd_mueller@web.de
> CC: kerberos@mit.edu
> Subject: Re: using MIT-Kerberos in an NAT environment
> >We are using kerberos v5 authentication for a centrally hosted
> >application. Some sites now have to be attached via NAT due to
> >overlap in IP address ranges. We got the same problem as mentioned
> >below at password changes ([MitKerberosChangePasswordService : 148]
> >Server error: Failed decrypting request).
> >
> >Is there a work around to use a central kerberos authentication instance
> >with locations attached via NAT. Using cross realm authentication seems not
> >to be a practical solution, as more small sites may have to be attached
> >and administration of the user accounts should be central.
>
> For years I have been running with a small change to the Kerberos
> server that allows password changing to work when the client is
> behind a NAT. That is a reasonable option, IMHO (as opposed to
> waiting an unspecified amount of time for the implementation of a
> new password change protocol, and then waiting an even longer unspecified
> time for that protocol to be deployed).
>
> --Ken
>
Could you tell me where to make the modification to the sources? We already tried to set the parameter
noaddress = true in the krb5.conf file of the kdc. With this setting all kdc services work with NAT.
As this does not change the behaviour concerning password changes, I suppose the kadmind / kpasswdd does not evaluate this parameter.
Thanks
F. Mueller