Can't use NAT
Alexandra Ellwood
lxs at MIT.EDU
Fri Sep 27 13:46:01 EDT 2002
>Kerbeoros can be used with NAT if one of two things are done:
>
> . the public address to the NAT device is added to the list of
> addresses for which the ticket is valid.
>
> . the tickets are requested without addresses
To clarify, the above refers to Kerberos v5 protocols.
For Kerberos for Macintosh, we recommend users add "noaddresses =
true" to their [libdefaults] section of edu.mit.Kerberos. This will
request addressless Kerberos 5 tickets which work behind a NAT.
Unfortunately, you can't get addressless Kerberos 4 tickets, so
Kerberos 4 protocols do not work behind a NAT.
You many find that some clients work erratically: some clients may be
able to connect to some servers but not others. This is because
Kerberos 4 hashes the client and server addresses. Sometimes the NAT
address and the real address of the machine may happen to hash to the
same value. However, there is no way to make Kerberos 4 work
reliably with all NATed clients and servers, so we typically tell end
users that it doesn't work at all to save them the frustration. I
only mention this detail because some users will report that it works
for them. These users are getting lucky.
Protocols use GSSAPI and require channel bindings (such as some ftp
servers) will also not work even if you have addressless Kerberos 5
tickets because channel bindings contain IP address information.
Additionally, some protocols include their own copy of the host IP
address. These services will not work behind a NAT regardless of
whether or not they use Kerberos. An example that comes to mind is
Zephyr.
We are working on adding an FAQ about NATs to the Kerberos for Macintosh pages.
Hope this helps,
--lxs
--
-----------------------------------------------------------------------------
Alexandra Ellwood <lxs at mit.edu>
MIT Information Systems http://mit.edu/lxs/www/
-----------------------------------------------------------------------------
--
More information about the krbdev
mailing list