Is it possible to propagate from a master KDC to a slave where the slave
is behind a NAT using just kprop and kpropd?

master.broudy.net has an externally routable IP bound to its interface.
slave.broudy.net is an externally routable IP bound to a firewall and is
NATed to slave.internal.broudy.net, which is a 10.x.x.x non-routable IP
on the physical machine. slave.broudy.net is listed as an
extra_addresses on slave.internal.broudy.net.

In debugging, I get this from the master:

    master# kprop -d slave.broudy.net
    kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
    Generic remote error: Wrong principal in request

And this on the slave:

    slave# kpropd -dS
    Connection from master.mydomain
    krb5_recvauth(4, kprop5_01, host/[hidden email], ...)

I looked at the code in kpropd.c a little and it looks like it's just
reading the address from the interface, not using the libdefaults
extra_addresses, like maybe it should be, unless I misunderstand what
extra_addresses is for.

When the master was inside the firewall, kprop slave.internal.broudy.net
worked fine. master.broudy.net is listed in the kpropd.acl on