fetch 4.0 with kerberos and apple airport network

John Halle john.halle at pop.snet.net
Mon Aug 26 12:11:00 EDT 2002


Hi,

The first posting describes a problem I am having with kerberized 
fetch (on the Yale server).  The second posting is a response from 
Jim Matthews who recommended that I send the question to this list.

I was hoping someone here might have insight into the problem.

Could you please email the response to me directly since I'm not 
subscribed to the kerberos list.

Thanks

John Halle
Assistant Prof. Music
Yale University

First posting:

When using Fetch 4.0 I get the following error message when I attempt 
to connect to the Yale server:

    Time is out of bounds (krb_rd_req)-20037.

Some background.

1) I am running Mac system 9.2.
2) I do not get the problem when I am directly connected to my DSL 
service (SNET-SBC). The problem only occurs when I am going through 
the airport network.
3) I am running airport 2.0.2.
4) The problem (according to techs I have spoken to) has to do with 
the synchronization between my computer's internal time and the time 
of the server. I have reset the time on my computer (in the date and 
time control panel).
5) This version of fetch is required to use Yale's kerberos 
authentication protocol so I must use the version of fetch (4.0) 
which I download from their site. I am not able to try other newer 
versions of fetch.
6) Previous versions of fetch also fail to connect.

Any help would be hugely appreciated.

Thanks,

John

Second posting:

From: JimMatthews (Administrator), posted 08-26-2002 11:19 AM

quote:

2) I do not get the problem when I am directly connected to my DSL 
service (SNET-SBC). The problem only occurs when I am going through 
the airport network.


I have also had trouble using Kerberos through a router (such as an 
Airport base station) that performs network address translation 
(NAT). The Kerberos protocol includes information about your IP 
address, and if you are going through NAT it will look to the server 
as if your connection is coming from the wrong address. There is a 
Kerberos configuration option, "noaddresses", that is intended to 
make it possible to bypass this address check. I have not had success 
using it, but it's something to bring up with the folks at Yale.

I don't know how the NAT problem could manifest itself as an error 
about time synchronization. If you are still stuck you might post a 
question to the krbdev at mit.edu mailing list; the real Kerberos 
experts hang out there.

Thanks,

Jim Matthews
Fetch Softworks