fetch 4.0 with kerberos and apple airport network
Alexandra Ellwood
lxs at MIT.EDU
Mon Aug 26 17:55:00 EDT 2002
>When using Fetch 4.0 I get the following error message when I
>attempt to connect to the Yale server:
>
> Time is out of bounds (krb_rd_req)-20037.
>
>Some background.
>
>1) I am running Mac system 9.2.
>2) I do not get the problem when I am directly connected to my DSL
>service (SNET-SBC). The problem only occurs when I am going through
>the airport network.
>3) I am running airport 2.0.2.
>4) The problem (according to techs I have spoken to) has to do with
>the synchronization between my computers internal time and the time
>of the server. I have reset the time on my computer (in the date and
>time control panel).
>5) This version of fetch is required to use Yale's kerberos
>authentication protocol so I must use the version of fetch (4.0)
>which I download from their site. I am not able to try other newer
>versions of fetch.
>6) Previous versions of fetch also fail to connect.
Jim Matthews is correct. Your problem is your base station's NAT feature.
Kerberos 4 incorrectly reports IP address problems as clock skew
problems. Although the error claims your time is incorrect, in fact
the ftp server is refusing your Mac because your Mac's local IP
address and the IP address from which its packets come don't match.
Kerberos 5 supports the ability to get addressless tickets via the
"noaddresses" option. This allows most Kerberos 5 services to work
with a NAT (there are some exceptions, such as GSS protocols which
require channel bindings).
There is no way to turn off address checking for Kerberos 4.
Kerberos 4 does not support NAT configurations.
Hope this helps,
--lxs
--
-----------------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
MIT Information Systems http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
--
More information about the krbdev
mailing list