[OpenAFS] openafs, aklog, and NAT

J. P. Mellor jpmellor@rose-hulman.edu (J.P. Mellor)
Wed, 26 Sep 2001 09:03:12 -0500


Derek Atkins writes:
 > How does aklog fail?
 > 
 > Note that krb5 does not deal well with NAT because of how IP Addresses
 > are encoded into tickets.  Krb4 does not have this problem; so if you
 > wind up using the v4 aklog it should work, however, v5 may fail to
 > actually obtain the tickets.
 > 
 > So, in what way does "kerberos" work on those machines behind NAT?
 > Yes, you can get your TGT, but can you get any OTHER service tickets?

Okay, it sounds like I had a misunderstanding.  When I said kerberos
works, I meant that I can get a tgt ticket.  aklog fails to get an afs
token with the tgt ticket.  I was guessing that the IP address
figured into the equation somehow.  At present, we don't have any
other services to test with, but it sounds like the tgt ticket is the
problem.  I know this is getting a bit off topic, but is there any way
to get krb5 and NAT to work together?  Neither of these is my choice
nor are they likely to change.  Any suggestions (even if it requires a
bit of hacking) would be appreciated.

Thanks,

jp