fetch 4.0 with kerberos and apple airport network

Ron DiNapoli rd29 at cornell.edu
Tue Aug 27 07:08:01 EDT 2002

On Monday, August 26, 2002, at 05:54 PM, Alexandra Ellwood wrote:

>> When using Fetch 4.0 I get the following error message when I attempt  
>> to connect to the Yale server:
>> Time is out of bounds (krb_rd_req) -20037.
>> Some background.
>> 1) I am running Mac system 9.2.
>> 2) I do not get the problem when I am directly connected to my DSL  
>> service (SNET-SBC). The problem only occurs when I am going through  
>> the airport network.
>> 3) I am running airport 2.0.2.
>> 4) The problem (according to techs I have spoken to) has to do with  
>> the synchronization between my computer's internal time and the time  
>> of the server. I have reset the time on my computer (in the Date and  
>> Time control panel).
>> 5) This version of fetch is required to use Yale's kerberos  
>> authentication protocol so I must use the version of fetch (4.0)  
>> which I download from their site. I am not able to try other newer  
>> versions of fetch.
>> 6) Previous versions of fetch also fail to connect.
> Jim Matthews is correct.  Your problem is your base station's NAT  
> feature.
> Kerberos 4 incorrectly reports IP address problems as clock skew  
> problems. Although the error claims your time is incorrect, in fact  
> the ftp server is refusing your Mac because your Mac's local IP  
> address and the IP address from which its packets come don't match.

> Kerberos 5 supports the ability to get addressless tickets via the  
> "noaddresses" option.  This allows most Kerberos 5 services to work  
> with a NAT (there are some exceptions, such as GSS protocols which  
> require channel bindings).
> There is no way to turn off address checking for Kerberos 4. Kerberos  
> 4 does not support NAT configurations.

The original K4 spec (at least any that I have seen) would have you  
believe that K4 will not work from behind a NAT.  In fact, we could  
argue that a properly implemented K4 service would absolutely not work  
from behind a NAT.  Fact is, many K4 services DO work from behind a  
NAT, including the Ticket Granting Service itself!  In fact, I am  
sending this message from Apple's Mail.app program under Jaguar from  
behind a NAT and it works just fine.  I've also used telnet and a slew  
of Cornell "in house" kerberized applications without issue.  The only  
kerberized service I've come across which did not work from behind a  
NAT was the kerberized CVS service!  I haven't tried ftp, so I can't  
speak for that service...

--Ron D.

> Hope this helps,
> --lxs
> --  
> -----------------------------------------------------------------------------
> Alexandra Ellwood                                   <lxs at mit.edu>
> MIT Information Systems                             http://mit.edu/lxs/www/
> -----------------------------------------------------------------------------
> --
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
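The address check that the two replies above describe, as an added toy model that is not part of this thread and not MIT Kerberos code: a Kerberos 4 ticket always carries the client's own address, so when an AirPort base station rewrites the source address on the way out, the server's krb_rd_req-style check sees a mismatch; a Kerberos 5 ticket issued with `noaddresses = true` in `[libdefaults]` carries no address and passes. The `check_addresses=False` path models Ron's observation that some K4 services in practice skip the check. Addresses, principal names, the `KRB5_CONF` fragment and the error labels (`RD_AP_BADD` is borrowed from the K4 header only as a name) are constructed for the example.

```python
# Toy model of Kerberos ticket address checking behind NAT.
# Added illustration for the thread above; not MIT Kerberos source.
# Function and error names only echo the real krb_rd_req() API.
import configparser
from dataclasses import dataclass
from typing import Optional

OK = "OK"
RD_AP_BADD = "RD_AP_BADD"  # label for "address in ticket does not match peer"


@dataclass(frozen=True)
class Ticket:
    client: str
    service: str
    addr: Optional[str]  # address the ticket is bound to; None means addressless


def k4_get_ticket(client: str, service: str, local_addr: str) -> Ticket:
    # Kerberos 4 has no addressless option: the client's address is always embedded.
    return Ticket(client, service, local_addr)


def k5_get_ticket(client: str, service: str, local_addr: str, noaddresses: bool) -> Ticket:
    # Kerberos 5: with noaddresses the KDC issues a ticket with no address list.
    return Ticket(client, service, None if noaddresses else local_addr)


def rd_req(ticket: Ticket, peer_addr: str, check_addresses: bool = True) -> str:
    # Server side: an address-bound ticket must arrive from that address.
    # check_addresses=False models services that skip the check (contrary to
    # the spec), which is why some K4 services still work behind NAT.
    if check_addresses and ticket.addr is not None and ticket.addr != peer_addr:
        return RD_AP_BADD
    return OK


class Nat:
    """Source NAT: every packet leaves with the base station's public address."""

    def __init__(self, public_addr: str):
        self.public_addr = public_addr

    def source_seen_by_server(self, private_addr: str) -> str:
        return self.public_addr


def attempt(ticket: Ticket, local_addr: str, nat: Optional[Nat] = None,
            check_addresses: bool = True) -> str:
    # What the server sees as the peer address depends on whether a NAT is in the path.
    peer = nat.source_seen_by_server(local_addr) if nat else local_addr
    return rd_req(ticket, peer, check_addresses)


# Constructed minimal krb5.conf fragment: only [libdefaults], so configparser can read it.
KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.COM
noaddresses = true
"""


def noaddresses_setting(conf_text: str) -> bool:
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean("libdefaults", "noaddresses", fallback=False)


def scenario_table() -> dict:
    airport = Nat("203.0.113.7")  # constructed public address of the base station
    mac = "10.0.1.5"              # constructed private address of the Mac behind it
    results = {}
    t4 = k4_get_ticket("user", "ftp", mac)
    results["k4_direct"] = attempt(t4, mac)                       # DSL, no NAT
    results["k4_nat"] = attempt(t4, mac, airport)                 # through AirPort
    results["k4_nat_lenient_server"] = attempt(t4, mac, airport, check_addresses=False)
    t5 = k5_get_ticket("user", "ftp", mac, noaddresses_setting(KRB5_CONF))
    results["k5_nat_noaddresses"] = attempt(t5, mac, airport)
    t5a = k5_get_ticket("user", "ftp", mac, noaddresses=False)
    results["k5_nat_addressed"] = attempt(t5a, mac, airport)
    return results


if __name__ == "__main__":
    for name, outcome in scenario_table().items():
        print(f"{name:24s} {outcome}")
```

Only the K4 ticket behind the NAT and the address-bound K5 ticket behind the NAT fail; the same K4 ticket over the direct DSL path, the K4 ticket against a server that skips the check, and the addressless K5 ticket all pass. The model does not cover the GSS channel-binding exception mentioned in the reply.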
