using MIT-Kerberos in an NAT environment

frd_mueller at web.de
Fri Dec 15 10:09:49 EST 2006


I refer to the message below.

We are using Kerberos v5 authentication for a centrally hosted application. Some sites now have to be attached via NAT due to overlap in IP address ranges. We get the same problem as mentioned below at password changes ([MitKerberosChangePasswordService : 148]  Server error: Failed decrypting request).

Are there any specific schedules / time scales for the new set/change password protocol?

Is there a workaround to use a central Kerberos authentication instance with locations attached via NAT? Using cross-realm authentication does not seem to be a practical solution, as more small sites may have to be attached and administration of the user accounts should be central.

Thanks 

F. Mueller




> Date: Fri, 18 Aug 2006 06:35:08 GMT
> From: Jeffrey Altman <jaltman2 at nyc.rr.com>
> Subject: Re: kpasswd: Failed decrypting request
> To: kerberos at MIT.EDU
> Message-ID: <44E5600F.5040409 at nyc.rr.com>
>
> petesea at bigfoot.com wrote:
>> Using krb5-1.4.3 on a Redhat system and I get the following error from
>> kpasswd:
>> 
>>    Failed decrypting request
>> 
>> The admin server is accessed via VPN/NAT and from the sparse info I 
>> could find, I suspect that's the issue.  DNS does show that my VPN IP 
>> matches the hostname.
>> 
>> Questions...
>> 
>> Is that the cause of the error?
>> 
>> Are there plans to fix this?
>> 
>> If there are no plans to fix it (or it can't be fixed)... is there any 
>> possibility the error message could be a bit more descriptive?
>> 
>> I'm trying to deploy kerberos to a large number of users, many will be 
>> accessing our systems via the VPN and I'm sure this will be an issue.
>
> You cannot use the MIT kpasswd through a NAT.  The IP address of the client as seen by the server must match the one the client sees.
>
> When the IETF completes the new set/change password protocol I'm sure that MIT will consider implementing it.
>
> Jeffrey Altman

