Slave KDC behind NAT, kprop failing
Dave Broudy
dave at broudy.net
Sun Dec 11 00:54:31 EST 2005
Is it possible to propagate from a master KDC to a slave where the slave
is behind a NAT using just kprop and kpropd?
master.broudy.net has an externally routable IP bound to its interface.
slave.broudy.net is an externally routable IP bound to a firewall and is
NATed to slave.internal.broudy.net, which is a 10.x.x.x non routable IP
on the physical machine. slave.broudy.net is listed as an
extra_addresses on slave.internal.broudy.net.
In debugging, I get this from the master:
master# kprop -d slave.broudy.net
kprop: Server rejected authentication (during sendauth exchange) while
authenticating to server
Generic remote error: Wrong principal in request
And this on the slave:
slave# kpropd -dS
Connection from master.mydomain
krb5_recvauth(4, kprop5_01, host/slave.internal.broudy.net at BROUDY.NET, ...)
I looked at the code in kpropd.c a little and it looks like it's just
reading the address from the interface, not using the libdefaults
extra_addresses, like maybe it should be, unless I misunderstand what
extra_addresses is for.
When the master was inside the firewall, kprop slave.internal.broudy.net
worked fine. master.broudy.net is listed in the kpropd.acl on
slave.internal.broudy.net.
Thanks in advance,
Dave
--
Dave Broudy
dave at broudy.net
http://www.broudy.net/
Phone: 303.278.0908 Mobile: 703.401.5955 Fax: 303.674.6840
AIM/YIM: dbroudy Jabber: dbroudy at jabber.org
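For readers comparing their own setup with the one described above, here is how the two pieces of configuration the post mentions are typically written on an MIT Kerberos slave. This is an added example, not the poster's files: the realm name BROUDY.NET and the master's host principal are taken from the post, while the 10.x.x.x address and the public address of slave.broudy.net are placeholders and would be replaced with the real values.

```ini
; /etc/krb5.conf on slave.internal.broudy.net (added example, not from the post)
; extra_addresses takes IP addresses, not hostnames: list the NATed public
; address that slave.broudy.net resolves to alongside the interface address.
; The addresses below are placeholders.
[libdefaults]
    default_realm = BROUDY.NET
    extra_addresses = 10.0.0.10, 203.0.113.10

; /var/kerberos/krb5kdc/kpropd.acl on the slave (path is an assumption; the
; location varies by distribution). kpropd checks the client principal that
; kprop authenticates with against this list.
host/master.broudy.net@BROUDY.NET
```

Note that kprop authenticates to host/<name given on the command line>@REALM, so `kprop -d slave.broudy.net` asks for host/slave.broudy.net@BROUDY.NET, while the kpropd debug line in the post shows it expecting host/slave.internal.broudy.net@BROUDY.NET; a quick check on the slave is `klist -k` to see which host/... entries its keytab actually holds.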