Can't use NAT
Douglas E. Engert
deengert at anl.gov
Fri Sep 27 16:09:01 EDT 2002
Alexandra Ellwood wrote:
>
> >Kerberos can be used with NAT if one of two things are done:
> >
> > . the public address to the NAT device is added to the list of
> > addresses for which the ticket is valid.
> >
> > . the tickets are requested without addresses
>
> Protocols that use GSSAPI and require channel bindings (such as some ftp
> servers) will also not work even if you have addressless Kerberos 5
> tickets because channel bindings contain IP address information.
If you really want FTP to work (really gssapi on WIN32) as well, we have a mod:
/*
 * Many times we are behind a firewall which is doing NAT
 * such as at home on a PC.
 * If the KRB5NATADDR is set, and our initiator addr starts
 * with 198, and the acceptor address does not, i.e. its
 * outside the firewall, we will then replace the initiator
 * address with the KRB5NATADDR.
 */
>
> Additionally, some protocols include their own copy of the host IP
> address. These services will not work behind a NAT regardless of
> whether or not they use Kerberos. An example that comes to mind is
> Zephyr.
>
> We are working on adding an FAQ about NATs to the Kerberos for Macintosh pages.
>
> Hope this helps,
>
> --lxs
> --
> -----------------------------------------------------------------------------
> Alexandra Ellwood <lxs at mit.edu>
> MIT Information Systems http://mit.edu/lxs/www/
> -----------------------------------------------------------------------------
> --
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> http://mailman.mit.edu/mailman/listinfo/krbdev
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
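The failure the thread describes, and the shape of the workaround quoted above, as an added example that is not code from the thread or from the krb5 library: GSS-API channel bindings carry the initiator's and acceptor's addresses, the initiator hashes them into the token, and the acceptor compares them with the addresses of its own socket, so a client behind NAT fails the check even with addressless tickets. The struct here is a stand-in for the address part of gss_channel_bindings_t, not the real one; the "behind a NAT" test is generalised from the quoted "starts with 198" prefix to the RFC 1918 private ranges (an assumption about the client's subnet); the NAT address is passed as a parameter rather than read from KRB5NATADDR; and the addresses 10.0.0.5, 198.51.100.7 and 192.0.2.10 are constructed documentation addresses.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the address part of GSS-API channel bindings
 * (GSS_C_AF_INET initiator and acceptor), in network byte order.
 * Illustration only, not the krb5 library's structure. */
typedef struct {
    uint32_t initiator;
    uint32_t acceptor;
} addr_bindings;

static int parse_ipv4(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return 0;
    *out = a.s_addr;
    return 1;
}

/* RFC 1918 private space: 10/8, 172.16/12, 192.168/16.  Used here as the
 * "we are inside the NAT" test instead of the hard-coded 198.* prefix in
 * the quoted comment (assumption: the client sits on a private subnet). */
int is_private_ipv4(uint32_t addr_nbo)
{
    uint32_t a = ntohl(addr_nbo);
    return (a >> 24) == 10
        || (a >> 20) == 0xAC1
        || (a >> 16) == 0xC0A8;
}

/* Initiator-side workaround: if our own address is private and the
 * acceptor's is not, substitute the NAT's public address so the bindings
 * equal what the acceptor will observe on the connection.
 * Returns 1 if substituted, 0 if left alone, -1 if nat_public is invalid. */
int apply_nat_address(addr_bindings *b, const char *nat_public)
{
    uint32_t pub;
    if (!is_private_ipv4(b->initiator) || is_private_ipv4(b->acceptor))
        return 0;
    if (!parse_ipv4(nat_public, &pub))
        return -1;
    b->initiator = pub;
    return 1;
}

/* Acceptor-side check: the bindings carried in the token must equal the
 * bindings the acceptor derived from its own socket, otherwise the
 * context setup fails with a bad-bindings error. */
int bindings_match(const addr_bindings *from_token, const addr_bindings *observed)
{
    return from_token->initiator == observed->initiator
        && from_token->acceptor == observed->acceptor;
}

/* Constructed scenario: client 10.0.0.5 behind a NAT whose public side is
 * 198.51.100.7, talking to an acceptor at 192.0.2.10.
 * Returns bindings_match() for the exchange, or -1 on a parse error. */
int nat_scenario(int use_workaround)
{
    addr_bindings token, observed;
    if (!parse_ipv4("10.0.0.5", &token.initiator) ||
        !parse_ipv4("192.0.2.10", &token.acceptor))
        return -1;
    if (use_workaround && apply_nat_address(&token, "198.51.100.7") < 0)
        return -1;
    /* The acceptor never sees 10.0.0.5: the TCP source address is the NAT's. */
    if (!parse_ipv4("198.51.100.7", &observed.initiator) ||
        !parse_ipv4("192.0.2.10", &observed.acceptor))
        return -1;
    return bindings_match(&token, &observed);
}

int main(void)
{
    printf("without workaround: match=%d\n", nat_scenario(0));
    printf("with workaround:    match=%d\n", nat_scenario(1));
    return 0;
}
```

The substitution has to happen on the initiator before the bindings are hashed into the authenticator checksum; the acceptor needs no change, which is why the quoted mod lives in the client-side GSSAPI code. It also only works when the client knows its own public address and there is a single NAT in the path, and it weakens the binding, since the token no longer names the address the client actually uses.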