using MIT-Kerberos in an NAT environment
frd_mueller@web.de
Fri Dec 15 10:09:49 EST 2006
I refer to the message below.
We are using Kerberos v5 authentication for a centrally hosted application. Some sites now have to be attached via NAT due to overlap in IP address ranges. We got the same problem as mentioned below at password changes ([MitKerberosChangePasswordService : 148] Server error: Failed decrypting request).
Are there any specific schedules / time scales for the new set/change password protocol?
Is there a workaround to use a central Kerberos authentication instance with locations attached via NAT? Using cross-realm authentication seems not to be a practical solution, as more small sites may have to be attached and administration of the user accounts should be central.
Thanks
F. Mueller
> Date: Fri, 18 Aug 2006 06:35:08 GMT
> From: Jeffrey Altman <jaltman2 at nyc.rr.com>
> Subject: Re: kpasswd: Failed decrypting request
> To: kerberos at MIT.EDU
> Message-ID: <44E5600F.5040409 at nyc.rr.com>
>
> petesea at bigfoot.com wrote:
>> Using krb5-1.4.3 on a Redhat system and I get the following error from
>> kpasswd:
>>
>> Failed decrypting request
>>
>> The admin server is accessed via VPN/NAT and from the sparse info I
>> could find, I suspect that's the issue. DNS does show that my VPN IP
>> matches the hostname.
>>
>> Questions...
>>
>> Is that the cause of the error?
>>
>> Are there plans to fix this?
>>
>> If there are no plans to fix it (or it can't be fixed)... is there any
>> possibility the error message could be a bit more descriptive?
>>
>> I'm trying to deploy kerberos to a large number of users, many will be
>> accessing our systems via the VPN and I'm sure this will be an issue.
>
> You cannot use the MIT kpasswd through a NAT. The IP address of the client as seen by the server must match the one the client sees.
>
> When the IETF completes the new set/change password protocol I'm sure that MIT will consider implementing it.
>
> Jeffrey Altman