On 4/22/2010 12:17 PM, Ken Raeburn wrote: > On Apr 21, 2010, at 12:32, Jeff Blaine wrote: >> My KDC preauth plugin wants to connect back to a service on >> the client host. >> >> So I guess I'm screwed as far as making this a KDC-side-only >> plugin? > > Just as an aside, you realize this would presumably fail if the client's behind a NAT, too? Yes