Interesting problem with Kerberos IPv6 support

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Jun 25 15:49:51 EDT 2004


I've recently been testing the IPv6 support in more recent versions of
Kerberos, and I've run into an interesting problem.

Host "A" has the newer version of Kerberos, with the IPv6 support, and
has an IPv6 address.  The KDC also will respond to requests on the
IPv6 interface.

Person on host "B" has an older version of Kerberos that is not IPv6
aware.  They connect to host "A" with their favorite Kerberos utility,
and use it to forward their tickets across.  However ... because the
tickets forwarded across from host B only have the IPv4 addresses in
them, when you try to use the tickets, you get the accursed "Incorrect
Net Address", because the client code on host A will use IPv6 to contact
the KDC.

I've been trying to come up with a reasonable way of dealing with this
issue that doesn't involve enforced client upgrades.  Anyone got any
ideas?

--Ken
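
An added example, not part of the original post and not MIT Kerberos code: a simplified C model of the address check behind the "Incorrect net address" error described above, where a ticket that lists only host A's IPv4 address is presented from A's IPv6 address. The struct, the function names and the sample addresses (documentation ranges) are assumptions; the address-type numbers and the error code are the ones assigned in RFC 4120.

```c
#include <arpa/inet.h>
#include <string.h>

/* Address types and error code as assigned in RFC 4120. */
#define ADDRTYPE_INET      2
#define ADDRTYPE_INET6     24
#define KRB_AP_ERR_BADADDR 38 /* reported as "Incorrect net address" */

struct host_addr { int addrtype; size_t len; unsigned char data[16]; };

/* Parse text into a host_addr (hypothetical helper). 0 on success, -1 on error. */
static int make_addr(const char *text, struct host_addr *out)
{
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, text, out->data) == 1) {
        out->addrtype = ADDRTYPE_INET; out->len = 4; return 0;
    }
    if (inet_pton(AF_INET6, text, out->data) == 1) {
        out->addrtype = ADDRTYPE_INET6; out->len = 16; return 0;
    }
    return -1;
}

/* Simplified model of the check: a ticket with no addresses is usable from
 * anywhere; otherwise the request's source must equal one listed address. */
static int check_ticket_addrs(const struct host_addr *caddr, size_t n,
                              const struct host_addr *sender)
{
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (caddr[i].addrtype == sender->addrtype && caddr[i].len == sender->len
            && memcmp(caddr[i].data, sender->data, sender->len) == 0)
            return 0;
    return KRB_AP_ERR_BADADDR;
}

/* Convenience wrapper taking textual addresses; -1 on malformed input. */
static int check_request(const char **ticket_addrs, size_t n, const char *source)
{
    struct host_addr caddr[8], sender;
    if (n > 8 || make_addr(source, &sender) != 0) return -1;
    for (size_t i = 0; i < n; i++)
        if (make_addr(ticket_addrs[i], &caddr[i]) != 0) return -1;
    return check_ticket_addrs(caddr, n, &sender);
}
int main(void)
{   /* Constructed case: ticket lists host A's IPv4 only, A asks over IPv6. */
    const char *v4_only[] = { "192.0.2.10" };
    return check_request(v4_only, 1, "2001:db8::10") == KRB_AP_ERR_BADADDR ? 0 : 1;
}
```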

