Slave KDC behind NAT, kprop failing

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Slave KDC behind NAT, kprop failing

David Broudy
Is it possible to propegate from a master KDC to a slave where the slave
is behind a NAT using just kprop and kpropd? has a externally routable IP bound to its interface. is an externally routable IP bound to a firewall and is
NATed to, which is a 10.x.x.x non routable IP
on the physical machine. is listed as an
extra_addresses on

In debugging, I get this from the master:
master# kprop -d
kprop: Server rejected authentication (during sendauth exchange) while
authenticating to server
Generic remote error: Wrong principal in request

And this on the slave:
slave# kpropd -dS
Connection from master.mydomain
krb5_recvauth(4, kprop5_01, host/[hidden email], ...)

I looked at the code in kpropd.c a little and it looks like it's just
reading the address from the interface, not using the libdefaults
extra_addresses, like maybe it should be, unless I misunderstand what
extra_addresses is for.

When the master was inside the firewall, kprop
worked fine. is listed in the kpropd.acl on

Thanks in advance,

Dave Broudy
[hidden email]
Phone: 303.278.0908      Mobile: 703.401.5955        Fax: 303.674.6840
AIM/YIM: dbroudy         Jabber: [hidden email]

Kerberos mailing list           [hidden email]