Patch for MIT-Kerberos kpasswd in a NAT environment
frd_mueller@web.de
frd_mueller at web.de
Thu Dec 21 09:48:04 EST 2006
> -----Original Message-----
> From: Ken Hornstein <kenh at cmf.nrl.navy.mil>
> Sent: 15.12.06 22:24:52
> To: frd_mueller at web.de
> CC: kerberos at mit.edu
> Subject: Re: using MIT-Kerberos in an NAT environment
> >We are using kerberos v5 authentication for a centrally hosted
> >application. Some sites now have to be attached via NAT due to
> >overlap in IP address ranges. We got the same problem as mentioned
> >below at password changes ([MitKerberosChangePasswordService : 148]
> >Server error: Failed decrypting request).
> >
> >Is there a work around to use a central kerberos authentication instance
> >with locations attached via NAT. Using cross realm authentication seems not
> >to be a practical solution, as more small sites may have to be attached
> >and administration of the user accounts should be central.
>
> For years I have been running with a small change to the Kerberos
> server that allows password changing to work when the client is
> behind a NAT. That is a reasonable option, IMHO (as opposed to
> waiting an unspecified amount of time for the implementation of a
> new password change protocol, and then waiting an even longer unspecified
> time for that protocol to be deployed).
>
> --Ken
>
Could you tell me where to do the modification of the sources? We already tried to set the parameter
noaddress = true in the krb5.conf file of the kdc. With this setting all kdc services work with NAT.
As this does not change the behaviour concerning password changes, I suppose the kadmind / kpasswdd does not evaluate this parameter.
Thanks
F. Mueller