PKINIT and NAT

Douglas E. Engert deengert at anl.gov
Thu May 5 11:36:57 EDT 2011



On 5/4/2011 10:33 PM, Bram Cymet wrote:
> Hi,
>
> I am having this odd problem where if I do a kinit from behind a NAT
> with a password it works just fine. However, if I use certs with pkinit
> then I can see all the verification being done and I can see the server
> granting the ticket but then when it goes to send back the ticket to the
> client it can't reach the client any more and fails.
>
> Is this a known problem? Is there anything I can do to fix it?

Is this some UDP timeout issue or UDP vs TCP issue?

In the krb5.conf file you can force TCP with:
  udp_preference_limit = 1


>
> Thanks,

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
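
What that setting does, as an added example that is not part of the original message: a short Python check that reads `udp_preference_limit` from the `[libdefaults]` section of an MIT-style krb5.conf and reports which transport the client tries first for a request of a given size. The sample files, the request sizes, the `EXAMPLE.COM` names and the 1465-byte default used when the key is unset are assumptions made for the illustration.

```python
import re

MIT_DEFAULT_LIMIT = 1465  # assumption: MIT krb5 default when the key is unset

def udp_preference_limit(conf_text):
    """Return udp_preference_limit from [libdefaults], or None if unset."""
    section, depth = None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            section = header.group(1).strip().lower()
            continue
        if line.startswith("}"):
            depth -= 1                    # end of a { } subsection
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if value == "{":
            depth += 1                    # start of a { } subsection
            continue
        if (section == "libdefaults" and depth == 0 and sep
                and key == "udp_preference_limit"):
            return int(value)             # this sketch takes the first occurrence
    return None

def first_transport(conf_text, request_bytes):
    """Requests larger than the limit try TCP before UDP, others UDP first."""
    limit = udp_preference_limit(conf_text)
    if limit is None:
        limit = MIT_DEFAULT_LIMIT
    return "tcp" if request_bytes > limit else "udp"

# Constructed sample configurations (not taken from the thread).
REALMS = "[realms]\n    EXAMPLE.COM = {\n        kdc = kdc.example.com\n    }\n"
FORCED_TCP = REALMS + "[libdefaults]\n    default_realm = EXAMPLE.COM\n" \
                      "    udp_preference_limit = 1\n"
UNSET = REALMS + "[libdefaults]\n    default_realm = EXAMPLE.COM\n"

if __name__ == "__main__":
    # Constructed sizes: a small password request and a larger one carrying a certificate.
    for name, conf in (("forced", FORCED_TCP), ("unset", UNSET)):
        for size in (300, 4000):
            print(name, size, "bytes ->", first_transport(conf, size), "first")
```
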


