kadmin and NAT
Mike Friedman
mikef at ack.Berkeley.EDU
Wed Jul 14 12:08:42 EDT 2004
I'm sure this has been discussed here before, but I can't seem to find
what I'm looking for in the list archives.
Simply put: can kadmin be made to work from behind a NAT?
I figured the issue was addressless tickets, so I thought that the
following might work, but apparently it doesn't:

    o Get an addressless ticket for kadmin/admin
    o Get an addressless ticket for the admin principal
    o Run 'kadmin -c <ccachename>'

I'm reporting the results second hand. The user has done the above (more
than once) per my instructions, and receives the following error message
every time:

    kadmin: GSS-API (or Kerberos) error while initializing kadmin interface

And my KDC logs show no indication that the user connected to kadmind
during this time. (But he has no problem getting a TGT with kinit, so I
assume his krb5.conf file is pointing to my KDC properly).
The user is running on a Redhat Linux EL 3.0 system and has tried both the
Redhat packaged version of kadmin (supposedly based on MIT K5 1.2.7) and
also, he says, with MIT 1.3.4 which he installed himself. And, of course,
I've given the user limited admin privileges (all he wants to do is
download keytab info for a specific service principal, which I've
registered).
Perhaps we have a different problem, but NAT seems to be the cause. Any
ideas?
Thanks.
Mike
------------------------------------------------------------------------------
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
------------------------------------------------------------------------------