From smch@kilroy.uchicago.edu Thu Apr 11 11:54:05 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id LAA20020
for <bugs@RT-11.mit.edu>; Thu, 11 Apr 2002 11:54:05 -0400 (EDT)
Received: from kilroy.uchicago.edu (kilroy.uchicago.edu [128.135.99.99])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id LAA13652
for <krb5-bugs@mit.edu>; Thu, 11 Apr 2002 11:54:04 -0400 (EDT)
Received: (from smch@localhost)
by kilroy.uchicago.edu (8.11.6+Sun/8.11.6) id g3BFs4P03836;
Thu, 11 Apr 2002 10:54:04 -0500 (CDT)
Message-Id: <200204111554.g3BFs4P03836@kilroy.uchicago.edu>
Date: Thu, 11 Apr 2002 10:54:04 -0500 (CDT)
From: smch@midway.uchicago.edu
Reply-To: smch@midway.uchicago.edu
To: krb5-bugs@mit.edu
Subject: ftp clients can't connect to ftpd over a NAT
X-Send-Pr-Version: 3.99

>Number: 1087
>Category: krb5-appl
>Synopsis: ftp clients can't connect to ftpd over a NAT
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Apr 11 11:55:00 EDT 2002
>Last-Modified: Thu Apr 11 16:41:39 EDT 2002
>Originator: Steven Michaud
>Organization:
University of Chicago
Networking Services and Information Technologies
>Release: krb5-1.2.4
>Environment:

System: SunOS kilroy.uchicago.edu 5.8 Generic_108529-13 i86pc i386 i86pc
Architecture: i86pc

>Description:
If you try to connect to the MIT ftpd from a client that's connected
over a NAT server, the connection always fails. This is true even if
you're using addressless tickets. The message "failed accepting
context" appears in the system log of the server.
>How-To-Repeat:
See "Description"
>Fix:
Either of the two fixes contained in my message of 4-10-2002 to the
krbdev list (number 7042) would work. So would Sam Hartman's
suggestion (4-11, number 7046) to simply turn off all address checking
in ftpd (presumably by having it always specify
GSS_C_NO_CHANNEL_BINDINGS to gss_accept_context()). Sam Hartman's
suggestion is much simpler, and I actually now prefer it to either of
my own.

>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: hartmans
State-Changed-When: Thu Apr 11 16:41:02 2002
State-Changed-Why:
I've removed the channel bindings from the ftpd accept_sec_context call on the mainline branch.


>Unformatted:
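
The failure reported in this ticket can be reproduced on paper with the channel-bindings hash that the Kerberos GSS-API mechanism carries in the initiator's token (RFC 1964, section 1.1.1). The following is an added example, not code from this ticket or from MIT krb5; it assumes the ftp client and ftpd each fill in the initiator and acceptor addresses from the socket endpoints they see, and all IP addresses are constructed.

```python
import hashlib
import hmac
import socket
import struct

GSS_C_AF_INET = 2  # address-type constant from the GSS-API C bindings (RFC 2744)

# Constructed addresses for illustration only.
CLIENT_PRIVATE = "192.168.1.10"   # what the client sees as its own address
NAT_PUBLIC = "203.0.113.5"        # what ftpd sees as the peer address
SERVER = "198.51.100.20"


def bindings_hash(initiator_ip, acceptor_ip, app_data=b""):
    """MD5 over the channel-bindings fields in declaration order.

    Integer fields are 4 bytes, least-significant byte first (RFC 1964).
    """
    buf = b""
    for ip in (initiator_ip, acceptor_ip):
        addr = socket.inet_aton(ip)
        buf += struct.pack("<II", GSS_C_AF_INET, len(addr)) + addr
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def acceptor_check(token_bnd, acceptor_bindings):
    """Model of the acceptor-side comparison (an assumption of this example).

    acceptor_bindings is an (initiator_ip, acceptor_ip) tuple, or None to
    model GSS_C_NO_CHANNEL_BINDINGS, in which case nothing is compared.
    """
    if acceptor_bindings is None:
        return True
    return hmac.compare_digest(token_bnd, bindings_hash(*acceptor_bindings))


def scenario():
    # The client hashes its own (private) address into the token.
    token_bnd = bindings_hash(CLIENT_PRIVATE, SERVER)
    return {
        "direct": acceptor_check(token_bnd, (CLIENT_PRIVATE, SERVER)),
        "through_nat": acceptor_check(token_bnd, (NAT_PUBLIC, SERVER)),
        "nat_no_bindings": acceptor_check(token_bnd, None),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'bindings mismatch'}")
```

The hash is independent of ticket addresses, so the mismatch occurs even with addressless tickets. Dropping the acceptor's bindings also removes the peer-address check that the bindings provided.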