Can't use NAT
Douglas E. Engert
deengert at anl.gov
Fri Sep 27 17:11:01 EDT 2002
Donn Cave wrote:
> Quoth "Douglas E. Engert" <deengert at anl.gov>:
> | Alexandra Ellwood wrote:
> |> Protocols that use GSSAPI and require channel bindings (such as some ftp
> |> servers) will also not work even if you have addressless Kerberos 5
> |> tickets because channel bindings contain IP address information.
> | If you really want FTP to work (really gssapi on WIN32) as well, we have a mod:
> At present (in 1.2.6), a site that wants to support NAT to GSS ftp
> on UNIX only needs to replace the channel binding parameter to
> gss_accept_security_context() with GSS_C_NO_CHANNEL_BINDINGS, right?
I think it's more than that; the client and server check each other.
So both would have to turn off channel bindings. There was some talk about
They don't actually send the IP addresses, but rather a checksum
of the addresses.
> Would it be a good idea for that to be the standard in future releases,
> or at least a flag option as submitted by Steven Michaud 8 Aug 2001?
Sounds good to me. There was some talk about using special initiator
and acceptor generic addresses at one time.
> Donn Cave, donn at u.washington.edu
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
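
Added example, not part of the original message and not MIT Kerberos code: a Python sketch of the address checksum discussed in this thread, using the channel-binding layout from RFC 4121 section 4.1.1.2 (little-endian integers, MD5 digest, 16 zero octets when no bindings are supplied). It shows why a NAT-rewritten initiator address makes the two sides' checksums disagree. The addresses are constructed samples, and the strict byte-for-byte comparison in `bindings_match` is an assumption about how an acceptor checks the value.

```python
import hashlib
import hmac
import socket
import struct

GSS_C_AF_INET = 2  # IPv4 address type from the GSS-API C bindings

def encode_bindings(initiator_ip, acceptor_ip, app_data=b""):
    """Serialize bindings: type, length, address per side, then application data."""
    out = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        out += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    return out + struct.pack("<I", len(app_data)) + app_data

def bnd_field(bindings):
    """16-byte checksum field; None models GSS_C_NO_CHANNEL_BINDINGS (all zeros)."""
    if bindings is None:
        return bytes(16)
    return hashlib.md5(encode_bindings(*bindings)).digest()

def bindings_match(sent, local):
    """Assumed strict check: the peer's checksum must equal the locally computed one."""
    return hmac.compare_digest(bnd_field(sent), bnd_field(local))

# Constructed sample addresses (private client, NAT public side, server).
CLIENT_PRIVATE = "192.168.1.10"
NAT_PUBLIC = "203.0.113.7"
SERVER = "198.51.100.20"

def scenarios():
    client_view = (CLIENT_PRIVATE, SERVER)   # what the client puts in its bindings
    server_view = (NAT_PUBLIC, SERVER)       # what the server sees as the peer
    return {
        "direct": bindings_match(client_view, client_view),
        "through_nat": bindings_match(client_view, server_view),
        "both_disabled": bindings_match(None, None),
        "server_only_disabled": bindings_match(client_view, None),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22} {'match' if ok else 'MISMATCH'}")
```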
More information about the krbdev