Help: noaddresses help
Edgecombe, Jason
jwedgeco at uncc.edu
Mon Mar 10 09:07:38 EDT 2008
If part of the network is behind NAT, then using addressless tickets or
cross-realm authentication is the answer.
In the addressless case, your KDC must be seen from inside and outside
the NAT. I think in this case, the KDC must be dual-homed on both
networks.
Put the following in the krb5.conf file in all client machines and put
the noaddresses line in the kdc config as well.
[libdefaults]
forwardable = true
noaddresses = true
In your case, all machines that people will ssh to from the gateway must
have host principals installed correctly to enable single sign-on.
If you pursue the cross-realm route, noaddresses may or may not be
necessary, but host principals are still necessary in addition to the
host principals.
Jason
Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
UNC-Charlotte
Phone: (704) 687-3514
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of jeetjoshi4u at gmail.com
Sent: Friday, March 07, 2008 6:13 AM
To: kerberos at mit.edu
Subject: Re: Help: noaddresses help
Hello Everyone,
I am still searching for any solution on the situation
described.
Hoping for any help.
Thank you
Jeet
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
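
Added example, not part of the original post: a small Python check that the two [libdefaults] settings from the reply above are actually in effect in a krb5.conf. The function names and the sample file are constructed for illustration; the accepted boolean spellings and the first-occurrence-wins rule are assumptions about how MIT krb5 reads the file.

```python
import re

# Boolean spellings assumed to match what MIT krb5's profile library accepts.
TRUE = {"y", "yes", "true", "t", "1", "on"}
FALSE = {"n", "no", "false", "nil", "0", "off"}
REQUIRED = ("forwardable", "noaddresses")  # the two settings from the post

def libdefaults(text):
    """Return key -> raw value for the [libdefaults] section of a krb5.conf."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:                                # section header such as [realms]
            section = m.group(1).strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            found.setdefault(key, value)     # assumption: first occurrence wins
    return found

def audit(text):
    """Map each required key to 'ok', 'missing', 'false' or 'invalid'."""
    conf, report = libdefaults(text), {}
    for key in REQUIRED:
        value = conf.get(key, "").lower()
        report[key] = ("missing" if key not in conf else "ok" if value in TRUE
                       else "false" if value in FALSE else "invalid")
    return report

# Constructed sample: noaddresses ended up under [realms], not [libdefaults].
SAMPLE = """\
[libdefaults]
    forwardable = yes
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
    noaddresses = true
"""

if __name__ == "__main__":
    for key, status in audit(SAMPLE).items():
        print(f"{key}: {status}")
```

Run against each client's krb5.conf, this flags a setting that was pasted into the wrong section or spelled with a value the library would not read as true.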