kprop trouble.

Nick Palmer nick at sluggardy.net
Mon Apr 12 22:27:50 EDT 2004


John Hascall wrote:
|>There are a couple of things that I have been kicking around in my head
|>that may be causing the trouble. Will kprop work properly if the slave
|>KDC is behind a NATing firewall? I can't think of a reason why it should
|>matter, but I thought I would check.
|
|
|     Yes, NAT matters to Kerberos!  The authentication (by default)
|     contains the IP address which is verified.  You can add additional
|     addresses or ask for addressless tickets through your krb5.conf
|     configfile (addressless is the default in the latest versions).

Right, but does any other part of the protocol for kprop rely on not
being NATed? My kpropd gets past the authentication step, as I turned on
addressless tickets by default when I did the initial setup. It errors
out receiving the database size, which made me wonder if there was
something else going on. I will try moving the slave out in front of the
firewall though and report back on what I find. It looks like I may have
to dig through the kprop code to figure this one out though.

Thanks for your help,
-Nick

