Can't use NAT

Douglas E. Engert deengert at
Fri Sep 27 17:11:01 EDT 2002

Donn Cave wrote:
> Quoth "Douglas E. Engert" <deengert at>:
> | Alexandra Ellwood wrote:
> ...
> |> Protocols use GSSAPI and require channel bindings (such as some ftp
> |> servers) will also not work even if you have addressless Kerberos 5
> |> tickets because channel bindings contain IP address information.
> |
> | If you realy want FTP to work (really gssapi on WIN32) as well, we have a mod:
> At present (in 1.2.6), a site that wants to support NAT to GSS ftp
> on UNIX only needs to replace the channel binding parameter to
> gss_accept_security_context() with GSS_C_NO_CHANNEL_BINDINGS, right?

I think its more then that the client and server check each other.
So both would have to turn off channel bindings. There was some talk about 
They don't actually send the IP addresses, but rather a checksum
of the addresses. 

> Would it be a good idea for that to be the standard in future releases,
> or at least a flag option as submitted by Steven Michaud 8 Aug 2001?

Sounds good to me. There was some talk about using speical initiator
and aceptor generic addreses at one time. 

>         Donn Cave, donn at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444

More information about the krbdev mailing list