Kerberos 5 and NAT steven.mcelwee at
Thu Jun 20 15:33:51 EDT 2002

On Wed, 19 Jun 2002 21:42:40 +0000 (UTC), hartmans at (Sam
Hartman) wrote:

>Note that not using addresses seems to be the recommended direction
>within the Kerberos working group.  At least there was significant
>consensus that we wanted to move away from addresses at a meeting we
>had last February.
>Kerberos mailing list           Kerberos at

I have also heard that it is possible to add the option "noaddresses =
true" in the libdefaults section of the %SYSTEMROOT%\krb5.ini file
(I'm referring to NT, NT/2000)-

This seems to work in our environment where our PC clients are running
a krb5 v1.1.1 client. Similarly, our KDCs are running the same version
in a Solaris environment. Are there any security concerns with
bypassing addresses altogether? I expect not, but just want to check
with the experts to be sure.

thanks in advance,
Steven McElwee, Duke University

More information about the Kerberos mailing list