Subject: | NAT causes password change to fail with Bad Address |
Date: | Fri, 27 Jan 2006 17:17:09 -0800 |
From: | "Nate Yocom" <nate.yocom@centrify.com> |
To: | <krb5-bugs@mit.edu> |
When the kdc is behind a nat, the source address in the change password
packet sent to the client is incorrect (has the actual address, not the
nat'd address) - which causes krb5_rd_priv_basic() to fail with
KRB5KRB_AP_ERR_BADDADDR. This patch adds a krb5.conf option
"passwd_check_s_address" which when set to "no" disables this check,
allowing password changes through a NAT to succeed. All default
behavior is maintained when otherwise set to true (the default).
Nate Yocom
Senior Software Engineer
Centrify Corporation
425.462.5894
www.centrify.com
packet sent to the client is incorrect (has the actual address, not the
nat'd address) - which causes krb5_rd_priv_basic() to fail with
KRB5KRB_AP_ERR_BADDADDR. This patch adds a krb5.conf option
"passwd_check_s_address" which when set to "no" disables this check,
allowing password changes through a NAT to succeed. All default
behavior is maintained when otherwise set to true (the default).
Nate Yocom
Senior Software Engineer
Centrify Corporation
425.462.5894
www.centrify.com
Message body not shown because it is not plain text.