Password Changing failing from Windows to MIT KDC

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Sep 2 13:41:02 EDT 2005


>Further investigation by my Windows colleagues appears to reveal that 
>password changing fails only when issued from a NAT'ed private IP address. 
>This is true both for KfW and for native Windows Kerberos password 
>changing.

Password changing doesn't work behind a NAT.  That's well-known (well,
except that I guess not everyone knew that :-)).  The reason is long
and complicated (short answer: password changing uses a KRB_PRIV
message, which has to have the source IP address in it, which always is
wrong behind a NAT).  This is not related to addressless tickets.  But
I thought that the Windows Kerberos password changing didn't use a
KRB_PRIV message, so maybe I'm wrong.  But the message you're getting
is definitely what I saw when I ran into this problem.

Fixing this involves changing krb5_rd_priv() to ignore the source IP
address in the KRB_PRIV message.  You probably want to make this
conditional, so that you only ignore it for password changing.  You can
look at the archives (maybe this was discussed on krbdev) for the ...
"discussion" about this.  My take: I don't believe there is a security
problem with ignoring the IP address in KRB_PRIV messages for password
changing, and the amount of code to make this work is small.

--Ken
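As an added illustration of the failure mode Ken describes (not code from the post, and not MIT krb5's own implementation), the following Python model sketches the sender-address check that a KRB_PRIV receiver performs and why a NAT breaks it. Per RFC 4120 §5.7, the encrypted part of a KRB_PRIV message (EncKrbPrivPart) carries the user data and an optional s-address; the receiver compares that embedded address with the address the packet actually arrived from and rejects the message with KRB_AP_ERR_BADADDR (38) on mismatch. Behind a NAT the client embeds its private address while the KDC sees the NAT's public address, so the check fails even though the message is authentic. The example also models the conditional fix Ken suggests: an `ignore_sender_addr` flag applied only for password changing. All names here (`make_krb_priv`, `rd_priv`, `kpasswd_exchange`, `KrbError`) are hypothetical, and HMAC-SHA256 stands in for the session-key encryption that real Kerberos applies to the encrypted part.

```python
import hashlib
import hmac
import json

# Error codes from RFC 4120 section 7.5.9.
KRB_AP_ERR_BAD_INTEGRITY = 31
KRB_AP_ERR_BADADDR = 38

# Constructed sample addresses: the client's private address, the NAT's
# public address, and the KDC.
CLIENT_PRIVATE_ADDR = "10.0.0.5"
NAT_PUBLIC_ADDR = "203.0.113.7"
KDC_ADDR = "198.51.100.10"

# Constructed session key; in Kerberos this comes from the kpasswd AP-REQ.
SESSION_KEY = b"constructed-session-key-for-demo"


class KrbError(Exception):
    """Hypothetical stand-in for a krb5_error_code return."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


def make_krb_priv(session_key, user_data, sender_addr):
    """Build a simplified KRB_PRIV: EncKrbPrivPart with user-data and s-address.

    Real Kerberos encrypts this part with the session key; here an HMAC tag
    models the integrity protection that encryption provides.
    """
    enc_part = {"user-data": user_data, "s-address": sender_addr}
    body = json.dumps(enc_part, sort_keys=True).encode()
    tag = hmac.new(session_key, body, hashlib.sha256).digest()
    return body + tag


def rd_priv(session_key, msg, observed_src_addr, ignore_sender_addr=False):
    """Model of the receiver side (what krb5_rd_priv does conceptually).

    Verifies integrity first, then compares the embedded s-address with the
    address the packet arrived from unless the caller asked to ignore it.
    """
    body, tag = msg[:-32], msg[-32:]
    expected = hmac.new(session_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise KrbError(KRB_AP_ERR_BAD_INTEGRITY)
    enc_part = json.loads(body)
    if not ignore_sender_addr and enc_part["s-address"] != observed_src_addr:
        raise KrbError(KRB_AP_ERR_BADADDR)
    return enc_part["user-data"]


def kpasswd_exchange(behind_nat, ignore_sender_addr=False, tamper=False):
    """Simulate one password-change request and return the KDC's outcome.

    Returns "ok" when the KDC accepts the KRB_PRIV, otherwise the error code.
    """
    # The client always embeds the address it knows about: its own interface.
    msg = make_krb_priv(SESSION_KEY, "new-password-request", CLIENT_PRIVATE_ADDR)
    if tamper:
        # Flip one byte of the protected body to show integrity is still checked.
        msg = bytes([msg[0] ^ 0x01]) + msg[1:]
    # A NAT rewrites the IP header's source address but cannot touch the
    # encrypted s-address inside the message, hence the mismatch.
    observed = NAT_PUBLIC_ADDR if behind_nat else CLIENT_PRIVATE_ADDR
    try:
        rd_priv(SESSION_KEY, msg, observed, ignore_sender_addr)
        return "ok"
    except KrbError as err:
        return err.code


if __name__ == "__main__":
    print("direct:", kpasswd_exchange(behind_nat=False))
    print("behind NAT, strict:", kpasswd_exchange(behind_nat=True))
    print("behind NAT, ignore s-address:", kpasswd_exchange(behind_nat=True, ignore_sender_addr=True))
    print("tampered:", kpasswd_exchange(behind_nat=True, ignore_sender_addr=True, tamper=True))
```

The point of the model is the ordering: integrity is verified before the address comparison, so relaxing the s-address check for kpasswd removes the NAT false negative while a forged or modified message is still rejected with KRB_AP_ERR_BAD_INTEGRITY.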

