fetch 4.0 with kerberos and apple airport network

Alexandra Ellwood lxs at MIT.EDU
Mon Aug 26 17:55:00 EDT 2002

>When using Fetch 4.0 I get the following error message when I 
>attempt to connect to the Yale server:
>                                  Time is out of bounds (krb_rd_req)-20037.
>Some background.
>1) I am running Mac system 9.2.
>2) I do not get the problem when I am directly connected to my DSL 
>service (SNET-SBC). The problem only occurs when I am going through 
>the airport network.
>3) I am running airport 2.0.2.
>4) The problem (according to techs I have spoken to) has to do with 
>the synchronization between my computers internal time and the time 
>of the server. I have reset the time on my computer (in the date and 
>time control panel).
>5) This version of fetch is required to use Yale's kerberos 
>authentication protocol so I must use the version of fetch (4.0) 
>which I download from their site. I am not able to try other newer 
>versions of fetch.
>6) Previous versions of fetch also fail to connect.

Jim Matthews is correct.  Your problem is your base station's NAT feature.

Kerberos 4 incorrectly reports IP address problems as clock skew 
problems. Although the error claims your time is incorrect, in fact 
the ftp server is refusing your Mac because your Mac's local IP 
address and the IP address from which its packets come don't match.

Kerberos 5 supports the ability to get addressless tickets via the 
"noaddresses" option.  This allows most Kerberos 5 services to work 
with a NAT (there are some exceptions, such as GSS protocols which 
require channel bindings).

There is no way to turn off address checking for Kerberos 4. 
Kerberos 4 does not support NAT configurations.

Hope this helps,

Alexandra Ellwood                                               <lxs at mit.edu>
MIT Information Systems                               http://mit.edu/lxs/www/

More information about the krbdev mailing list