Patch for MIT-Kerberos kpasswd in a NAT environment

frd_mueller@web.de frd_mueller at web.de
Thu Dec 21 09:48:04 EST 2006


> -----Original Message-----
> From: Ken Hornstein <kenh at cmf.nrl.navy.mil>
> Sent: 15.12.06 22:24:52
> To: frd_mueller at web.de
> CC: kerberos at mit.edu
> Subject: Re: using MIT-Kerberos in an NAT environment


> >We are using kerberos v5 authentication for a centrally hosted
> >application. Some sites now have to be attached via NAT due to
> >overlap in IP address ranges. We got the same problem as mentioned
> >below at password changes ([MitKerberosChangePasswordService : 148]
> >Server error: Failed decrypting request).
> >
> >Is there a workaround to use a central kerberos authentication instance
> >with locations attached via NAT? Using cross realm authentication seems not
> >to be a practical solution, as more small sites may have to be attached
> >and administration of the user accounts should be central.
> 
> For years I have been running with a small change to the Kerberos
> server that allows password changing to work when the client is
> behind a NAT.  That is a reasonable option, IMHO (as opposed to
> waiting an unspecified amount of time for the implementation of a
> new password change protocol, and then waiting an even longer unspecified
> time for that protocol to be deployed).
> 
> --Ken
> 

Could you tell me where to do the modification of the sources? We already tried to set the parameter
noaddress = true in the krb5.conf file of the kdc. With this setting all kdc services work with NAT.

As this does not change the behaviour concerning password changes, I suppose the kadmind / kpasswdd does not evaluate this parameter.

Thanks

F. Mueller



