Slave KDC behind NAT, kprop failing

David Broudy
Is it possible to propagate from a master KDC to a slave where the slave
is behind a NAT using just kprop and kpropd?

master.broudy.net has an externally routable IP bound to its interface.
slave.broudy.net is an externally routable IP bound to a firewall and is
NATed to slave.internal.broudy.net, which is a 10.x.x.x non-routable IP
on the physical machine. slave.broudy.net is listed as an
extra_addresses on slave.internal.broudy.net.

In debugging, I get this from the master:
master# kprop -d slave.broudy.net
kprop: Server rejected authentication (during sendauth exchange) while
authenticating to server
Generic remote error: Wrong principal in request

And this on the slave:
slave# kpropd -dS
Connection from master.mydomain
krb5_recvauth(4, kprop5_01, host/[hidden email], ...)

I looked at the code in kpropd.c a little and it looks like it's just
reading the address from the interface, not using the libdefaults
extra_addresses, like maybe it should be, unless I misunderstand what
extra_addresses is for.

When the master was inside the firewall, kprop slave.internal.broudy.net
worked fine. master.broudy.net is listed in the kpropd.acl on
slave.internal.broudy.net.

Thanks in advance,
Dave

--
Dave Broudy
[hidden email]
http://www.broudy.net/
Phone: 303.278.0908      Mobile: 703.401.5955        Fax: 303.674.6840
AIM/YIM: dbroudy         Jabber: [hidden email]
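For readers trying to reproduce the setup described in this post, the following is an added illustration of the two configuration files it refers to (the slave's krb5.conf with extra_addresses, and the slave's kpropd.acl); it is not something the poster attached. The hostnames are the ones from the post; the realm name EXAMPLE.REALM and the 10.x.x.x address are placeholders, and whether kpropd honours extra_addresses when checking the incoming principal is exactly the open question of the post, so this only shows what a practitioner should verify is in place before digging further.

```ini
# /etc/krb5.conf on slave.internal.broudy.net (added example, not from the post)
[libdefaults]
    default_realm = EXAMPLE.REALM        ; placeholder realm
    # extra_addresses: comma-separated list of additional local addresses.
    # It tells the library that tickets carrying the NAT'd public address
    # also belong to this host. The public name resolves to the firewall IP.
    extra_addresses = slave.broudy.net

[realms]
    EXAMPLE.REALM = {
        kdc = master.broudy.net
        kdc = slave.broudy.net
        admin_server = master.broudy.net
    }

# /var/kerberos/krb5kdc/kpropd.acl on the slave (path varies by build).
# One principal per line; the master's host principal must match the
# client principal kprop presents during the sendauth exchange.
# host/master.broudy.net@EXAMPLE.REALM
```

With these in place, the check that matters is to compare the principal kpropd logs in its `krb5_recvauth(...)` line against the entries in kpropd.acl and against the host principal in the master's keytab: a mismatch in either place produces the "Wrong principal in request" error shown in the post, independently of the NAT question.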

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos