how to propagate kerberos master db from behind NAT?

Stéger József steger at gawain.elte.hu
Fri Jul 13 15:52:05 EDT 2007


Dear All,

I am trying to propagate the content of a master Kerberos db to a slave KDC, 
and it fails with the following error:

kpropd: Incorrect net address while decoding database size from client

I googled for a solution in vain. Reading through this list I found 
someone experiencing the same error message, though I guess his situation 
is somewhat different. So I am asking for a hint, if someone can help me.

Here is the network layout; to keep host names anonymized I'll use 
SLAVE, MASTER, etc.:

WAN
~~~
|
|  subnet of FQ IP addresses provided by ISP
-----------------
|              |
SLAVE          NAT-ROUTER (+firewall)
                |
                |  10.0.0.x/24 subnet
        -------------------------------------
        |         |         |        |      |
        MASTER    STORAGE   LOGIN    WEB    ...
        MAIL
        DNS

A few Debian servers (including the MASTER Kerberos KDC) are installed with 
local IP addresses. From the outside they are seen with the same fully 
qualified IP address. The machines are working fine.

On the SLAVE machine I would like to authenticate against the Kerberos 
database served by the MASTER behind NAT. At the moment we can simply 
run the kinit command without a problem. However, there might be cases 
of link failure between the NAT-ROUTER and the SLAVE, which would make 
life very hard at the SLAVE. So I think it would be wise to regularly 
propagate the Kerberos db content from the MASTER to the SLAVE machine.

On SLAVE the content of /etc/krb5kdc/kpropd.acl is: host/MASTER@REALM. 
It has an up-to-date host/SLAVE@REALM key in /etc/krb5.keytab as well.
I run kpropd in foreground debug mode, and meanwhile I launch 
kprop on the MASTER:

SLAVE:~# kpropd -S -d -a /etc/krb5kdc/kpropd.acl
Connection from NAT-ROUTER
krb5_recvauth(4, kprop5_01, host/SLAVE@, ...)
authenticated client: host/MASTER@REALM (etype == Triple DES cbc mode 
with HMAC/sha1)
kpropd: Incorrect net address while decoding database size from client

My guess is that the problem is the following. From the content received 
during the conversation kpropd extracts that it was sent from MASTER; 
however, the packet-level traffic shows NAT-ROUTER addresses on each IP 
packet. Since the two do not match, it regards this as something 
nasty and stops the transaction. Is that so?

Is there a nice way to solve propagation in the case I describe?

Thank you in advance for all your help.

Best,
  József Stéger

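The check that the post above guesses at, modelled in Python as an added example (this is not MIT Kerberos code and is not part of the original message). It follows RFC 4120 section 5.7.1: every KRB-PRIV message carries the sender's own host address (s-address) in its encrypted part, the receiver compares that with the address of the peer it is actually talking to, and a mismatch is KRB_AP_ERR_BADADDR, which MIT prints as "Incorrect net address". The function names, the NAT table and the addresses (RFC 5737 documentation ranges plus 10.0.0.x from the post) are constructed for the example.

```python
"""Model of the KRB-PRIV sender-address check behind kprop/kpropd.

Added example for the NAT scenario in the post above; it is not MIT Kerberos
code.  RFC 4120 section 5.7.1: a KRB-PRIV message carries the sender's host
address (s-address) inside the encrypted part.  The receiver compares it
with the address of the peer it actually received the message from and
rejects a mismatch with KRB_AP_ERR_BADADDR, which MIT prints as
"Incorrect net address".  Only the host address is compared, not the port.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Dict, Optional

# MIT's error text for KRB5KRB_AP_ERR_BADADDR.
KRB_AP_ERR_BADADDR = "Incorrect net address"


@dataclass(frozen=True)
class KrbPriv:
    """Only the fields of a KRB-PRIV message that matter for the address check."""
    s_address: ipaddress.IPv4Address  # sender's own view of its address
    payload: bytes                    # e.g. the database size / dump chunk


def kprop_send(sender_sock_addr: str, payload: bytes) -> KrbPriv:
    """Sender side (kprop): the embedded s-address is whatever the local end
    of the connected socket reports, i.e. getsockname().  Behind NAT that is
    the private 10.0.0.x address, not the router's public one."""
    return KrbPriv(ipaddress.IPv4Address(sender_sock_addr), payload)


def nat_source_rewrite(src: str, nat_table: Dict[str, str]) -> str:
    """Source NAT rewrites the IP header only.  The s-address inside the
    KRB-PRIV is encrypted and travels unchanged (hypothetical NAT table)."""
    return nat_table.get(src, src)


def kpropd_receive(msg: KrbPriv, peer_addr: str) -> bytes:
    """Receiver side (kpropd): peer_addr is what accept() reported for the
    TCP connection.  A mismatch with the embedded s-address is fatal."""
    if msg.s_address != ipaddress.IPv4Address(peer_addr):
        raise PermissionError(
            f"kpropd: {KRB_AP_ERR_BADADDR} while decoding database size from client")
    return msg.payload


def simulate_propagation(master_sock_addr: str,
                         nat_table: Optional[Dict[str, str]] = None,
                         payload: bytes = b"<db size>") -> str:
    """Run one kprop -> (NAT) -> kpropd exchange and report the outcome."""
    msg = kprop_send(master_sock_addr, payload)
    peer_seen_by_slave = nat_source_rewrite(master_sock_addr, nat_table or {})
    try:
        kpropd_receive(msg, peer_seen_by_slave)
    except PermissionError as err:
        return str(err)
    return "ok"


def address_kprop_would_embed(slave_ip: str, port: int = 754) -> Optional[str]:
    """Diagnostic to run on MASTER: the local address the kernel would pick
    for a connection to SLAVE, which is what kprop embeds.  A connected UDP
    socket sends no packet; returns None if there is no route at all."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.connect((slave_ip, port))
        return sock.getsockname()[0]
    except OSError:
        return None
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 documentation ranges), not real hosts.
    print("same subnet  :", simulate_propagation("192.0.2.10"))
    print("behind NAT   :", simulate_propagation("10.0.0.5", {"10.0.0.5": "203.0.113.1"}))
    # A tunnel terminated on loopback at both ends (kprop connects to
    # 127.0.0.1 on MASTER, kpropd accepts from 127.0.0.1 on SLAVE) keeps
    # both views of the sender address equal.
    print("via loopback :", simulate_propagation("127.0.0.1"))
    print("kprop would embed:", address_kprop_would_embed("203.0.113.1"))
```

The model shows why the post's guess is right: the router rewrites the IP header, but the address kprop embedded is inside the encrypted KRB-PRIV and still says 10.0.0.x, so kpropd's comparison against the accepted connection's peer fails. Any transport that makes both ends see the same address (the loopback case above, e.g. a tunnel terminated on 127.0.0.1 at both MASTER and SLAVE) passes the check; keep in mind that kprop builds the host/SLAVE service principal from the host name you pass it, so that name must still resolve to the tunnel endpoint, which this model does not cover. `address_kprop_would_embed` is the one-line diagnostic to run on MASTER before changing anything.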