Slave KDC behind NAT, kprop failing

Dave Broudy dave at broudy.net
Sun Dec 11 00:54:31 EST 2005


Is it possible to propagate from a master KDC to a slave where the slave 
is behind a NAT using just kprop and kpropd?

master.broudy.net has an externally routable IP bound to its interface. 
slave.broudy.net is an externally routable IP bound to a firewall and is 
NATed to slave.internal.broudy.net, which is a 10.x.x.x non-routable IP 
on the physical machine. slave.broudy.net is listed as an 
extra_addresses on slave.internal.broudy.net.

In debugging, I get this from the master:
master# kprop -d slave.broudy.net
kprop: Server rejected authentication (during sendauth exchange) while 
authenticating to server
Generic remote error: Wrong principal in request

And this on the slave:
slave# kpropd -dS
Connection from master.mydomain
krb5_recvauth(4, kprop5_01, host/slave.internal.broudy.net at BROUDY.NET, ...)

I looked at the code in kpropd.c a little and it looks like it's just 
reading the address from the interface, not using the libdefaults 
extra_addresses, like maybe it should be, unless I misunderstand what 
extra_addresses is for.

When the master was inside the firewall, kprop slave.internal.broudy.net 
worked fine. master.broudy.net is listed in the kpropd.acl on 
slave.internal.broudy.net.

Thanks in advance,
Dave

-- 
Dave Broudy
dave at broudy.net
http://www.broudy.net/
Phone: 303.278.0908      Mobile: 703.401.5955        Fax: 303.674.6840
AIM/YIM: dbroudy         Jabber: dbroudy at jabber.org