From smch@kilroy.uchicago.edu Thu Apr 11 11:54:05 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
	by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id LAA20020
	for ; Thu, 11 Apr 2002 11:54:05 -0400 (EDT)
Received: from kilroy.uchicago.edu (kilroy.uchicago.edu [128.135.99.99])
	by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id LAA13652
	for ; Thu, 11 Apr 2002 11:54:04 -0400 (EDT)
Received: (from smch@localhost)
	by kilroy.uchicago.edu (8.11.6+Sun/8.11.6) id g3BFs4P03836;
	Thu, 11 Apr 2002 10:54:04 -0500 (CDT)
Message-Id: <200204111554.g3BFs4P03836@kilroy.uchicago.edu>
Date: Thu, 11 Apr 2002 10:54:04 -0500 (CDT)
From: smch@midway.uchicago.edu
Reply-To: smch@midway.uchicago.edu
To: krb5-bugs@mit.edu
Subject: ftp clients can't connect to ftpd over a NAT
X-Send-Pr-Version: 3.99

>Number: 1087
>Category: krb5-appl
>Synopsis: ftp clients can't connect to ftpd over a NAT
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 11 11:55:00 EDT 2002
>Last-Modified: Thu Apr 11 16:41:39 EDT 2002
>Originator: Steven Michaud
>Organization: University of Chicago Networking Services and Information Technologies
>Release: krb5-1.2.4
>Environment:
System: SunOS kilroy.uchicago.edu 5.8 Generic_108529-13 i86pc i386 i86pc
Architecture: i86pc
>Description:
If you try to connect to the MIT ftpd from a client that's connected over a NAT server, the connection always fails. This is true even if you're using addressless tickets. The message "failed accepting context" appears in the system log of the server.
>How-To-Repeat:
See "Description"
>Fix:
Either of the two fixes contained in my message of 4-10-2002 to the krbdev list (number 7042) would work. So would Sam Hartman's suggestion (4-11, number 7046) to simply turn off all address checking in ftpd (presumably by having it always specify GSS_C_NO_CHANNEL_BINDINGS to gss_accept_context()).
Sam Hartman's suggestion is much simpler, and I actually now prefer it to either of my own.
>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Thu Apr 11 16:41:02 2002
State-Changed-Why:
I've removed the channel bindings from the ftpd accept_sec_context call on the mainline branch.

>Unformatted:
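
An added example (not part of the original report or of the krb5 source) modelling why address-based channel bindings fail across a NAT even with addressless tickets, and why passing GSS_C_NO_CHANNEL_BINDINGS on the acceptor side lets the context through. It assumes the client binds its own local control-connection address while ftpd binds the peer address it sees; the hash layout follows RFC 4121 section 4.1.1.2, and the addresses and function names are constructed for illustration.

```python
import hashlib
import socket
import struct

GSS_C_AF_INET = 2  # address-type constant from the GSS-API C bindings


def bnd_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel-binding fields, integers little-endian."""
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        buf += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def acceptor_check(token_bnd, acceptor_bindings):
    """Simplified model of the acceptor's comparison.

    acceptor_bindings is an (initiator_ip, acceptor_ip) tuple, or None to
    model GSS_C_NO_CHANNEL_BINDINGS, in which case nothing is compared.
    """
    if acceptor_bindings is None:
        return "GSS_S_COMPLETE"
    if token_bnd == bnd_hash(*acceptor_bindings):
        return "GSS_S_COMPLETE"
    return "GSS_S_BAD_BINDINGS"


# Constructed addresses (RFC 1918 / documentation ranges).
CLIENT_PRIVATE = "192.168.1.20"  # what the client sees as its own address
NAT_PUBLIC = "198.51.100.7"      # what ftpd sees as the peer address
SERVER = "203.0.113.10"


def scenarios():
    """Return the acceptor result for each case discussed in the report."""
    direct = bnd_hash(NAT_PUBLIC, SERVER)          # client owns the public IP
    behind_nat = bnd_hash(CLIENT_PRIVATE, SERVER)  # client binds private IP
    return {
        "direct": acceptor_check(direct, (NAT_PUBLIC, SERVER)),
        "nat": acceptor_check(behind_nat, (NAT_PUBLIC, SERVER)),
        "nat_no_bindings": acceptor_check(behind_nat, None),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:16} {status}")
```

The ticket's address list never enters this comparison, which is consistent with the report that addressless tickets did not help.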