kprop/kpropd and NAT -- are addressless tickets the ticket?

Leonard J. Peirce peirce at unix.cc.wmich.edu
Fri Jul 2 23:38:06 EDT 2004


For reference:  this is Kerberos 1.2.8 running on Solaris 8.
 

We're having some challenges using kprop and kadmin ever since we
moved our master KDC inside a load balancer/firewall.  They are
two separate problems but both are related to the load balancer/
firewall.  I talked to Ken Raeburn about this a while back (thanks
Ken!) but even then wasn't really sure I understood the problem;
I'm hoping that now I have a clearer picture of what's happening.
 

I'll save my questions about kadmin for another post.  For kprop
I'm hoping someone out there can confirm or deny my suspicions
before I upgrade all of our KDCs (something I probably should
do anyway).
 

The master KDC inside the load balancer is trying to propagate to
a slave that lives outside.  We're running NAT on the way out of
the load balancer to hide the IP addresses of everything inside
of it.  When the slave receives the connection it sees the
connecting address to be the NATted one from the outside interface
of the load balancer.  A crude diagram (the hostnames and IP addresses
have been changed to protect the innocent :-):
 

 
                        +----------------------+
                        |        Master        |
                        |         KDC          |
                        |                      |
                        |  mkdc.admin.private  |
                        |     192.168.1.10     |
                        +--------+-------------+
                                 |
      <--------------------------+--+---------------------------->
                                    |
                          +---------+---------+
                          |    192.168.1.1    |
                          |  lb.admin.private |
                          |                   |
                          |   load balancer   |
                          |        NAT        |
                          |                   |
                          |  auth.domain.com  |
                          |    35.132.10.22   |
                          +------------+------+
                                       |
      <-----------------------------+--+------------------------->
                                    |
                        +-----------+----------+
                        |     35.132.133.15    |
                        |    skdc.domain.com   |
                        |                      |
                        |         Slave        |
                        |          KDC         |
                        +----------------------+
 

 

The ticket used by kprop on the master KDC would contain the host
name (mkdc.admin.private), the IP address (192.168.1.10), and the
principal (host/mkdc.admin.private).
 

By the time the connection is made from the master KDC to the slave
the IP address of the master is NATted from 192.168.1.10 to 
35.132.10.22.  The ticket is presented to kpropd on the slave which sees 
the originating IP address of 35.132.10.22, decodes the ticket, sees 
that the IP address (35.132.10.22) does not match the address in the 
ticket, and dies.
 

Since we're using NAT *and* since there is no flag to kprop that is
equivalent to the -A flag to kinit it appears there is no way to make
propagation work in a NATted environment without using addressless
tickets.  And that means upgrading to 1.3.x.  Or did I miss something?
 

On a related note I found this posting from Tom Yu which talks a bit 
about this topic:
 

    http://mailman.mit.edu/pipermail/kerberos/2004-April/005148.html
 

Any help anyone can provide would of course be greatly appreciated.
__
Leonard J. Peirce                    Email:  leonard.peirce at wmich.edu
Senior UNIX System Administrator
Western Michigan University
Office of Information Technology
Kalamazoo, MI  49008                 Phone:  (269) 387-5430
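
The address check described in the message above, as an added example that is not part of the original post and is not MIT Kerberos source: a simplified Python model of a ticket carrying client addresses, source NAT at the load balancer, and the service-side comparison. The function names and the /24 prefix for the inside network are assumptions; the hostnames and addresses are the ones from the diagram.

```python
# Simplified model of the ticket address check; all names are hypothetical.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Topology taken from the diagram in the post.
MASTER = ip_address("192.168.1.10")
NAT_OUTSIDE = ip_address("35.132.10.22")
INSIDE_NET = ip_network("192.168.1.0/24")  # assumed prefix length


@dataclass
class Ticket:
    client: str
    caddrs: list = field(default_factory=list)  # empty list = addressless


def issue_ticket(client, local_addr, addressless=False):
    """Client side: embed the host's own address unless addressless."""
    return Ticket(client, [] if addressless else [local_addr])


def nat(src):
    """Source NAT: inside addresses leave the load balancer as NAT_OUTSIDE."""
    return NAT_OUTSIDE if src in INSIDE_NET else src


def accept(ticket, peer_addr):
    """Service side: if the ticket lists addresses, the peer must be one."""
    if not ticket.caddrs:
        return True, "no addresses in ticket, check skipped"
    if peer_addr in ticket.caddrs:
        return True, "peer address found in ticket"
    listed = ", ".join(str(a) for a in ticket.caddrs)
    return False, f"peer {peer_addr} not in ticket addresses ({listed})"


def propagate(addressless, through_nat=True):
    """Model one connection from the master KDC to the slave."""
    ticket = issue_ticket("host/mkdc.admin.private", MASTER, addressless)
    peer = nat(MASTER) if through_nat else MASTER
    return accept(ticket, peer)


if __name__ == "__main__":
    print("addressed, via NAT:  ", propagate(addressless=False))
    print("addressless, via NAT:", propagate(addressless=True))
    print("addressed, no NAT:   ", propagate(False, through_nat=False))
```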

