[OpenAFS] openafs, aklog, and NAT

Derek Atkins warlord@MIT.EDU
26 Sep 2001 10:46:35 -0400


The only way I know of (and note: I have not tested this) is if you
configure an IP alias on your client that has the 'external' IP
address of the NAT box.  For example, if you're using 10.0.0.0/24
inside, and your NAT box is 1.2.3.4, you should make an alias on your
client of 1.2.3.4 (just be sure not to route anything out that
interface).  Then when you kinit, you'll get the NAT address in the
TGT, and all should be happy.

Note, I have not actually tried this exact experiment, however
experience shows that all local IP addrs are inserted into the tgt.

Other than that, I know of no good way to get kerberos to work with
NAT.

Good Luck,

-derek

"J. P. Mellor" <jpmellor@rose-hulman.edu> writes:

> Derek Atkins writes:
>  > How does aklog fail?
>  > 
>  > Note that krb5 does not deal well with NAT because of how IP Addresses
>  > are encoded into tickets.  Krb4 does not have this problem; so if you
>  > wind up using the v4 aklog it should work, however, v5 may fail to
>  > actually obtain the tickets.
>  > 
>  > So, in what way does "kerberos" work on those machines behind NAT?
>  > Yes, you can get your TGT, but can you get any OTHER service tickets?
> 
> Okay, it sounds like I had a misunderstanding.  When I said kerberos
> works, I meant that I can get a tgt ticket.  aklog fails to get an afs
> token with the tgt ticket.  I was guessing that the IP address
> figured into the equation somehow.  At present, we don't have any
> other services to test with, but it sounds like the tgt ticket is the
> problem.  I know this is getting a bit off topic, but is there any way
> to get krb5 and NAT to work together?  Neither of these are my choice
> nor are they likely to change.  Any suggestions (even if it requires a
> bit of hacking) would be appreciated.
> 
> Thanks,
> 
> jp
> 
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
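[Editor's note: the check below is an added example, not code from the thread or from OpenAFS. Before running aklog from behind NAT it is worth confirming what addresses the TGT actually carries, rather than guessing: MIT krb5's `klist -a` prints an "Addresses:" line under each ticket (a comma-separated list, or "(none)" for an addressless ticket), and that is the only behaviour of the real tool the script assumes. The klist output embedded in it is constructed for illustration; the hostname, realm and NAT address 1.2.3.4 are taken from Derek's example. If the TGT lists only the private address, the alias trick above is the thing to try: put the NAT address on a non-routed interface (for instance `lo` with a /32 mask so nothing is routed out of it), destroy the cache, kinit again and re-run the check. MIT krb5 also has a `noaddresses` setting in the `[libdefaults]` section of krb5.conf that requests an addressless TGT; where the client supports it, that avoids the alias entirely.]

```python
"""Check whether a Kerberos 5 TGT carries the NAT box's external address.

Added example, not part of the OpenAFS thread.  It parses the "Addresses:"
lines that MIT `klist -a` prints and decides whether a KDC or AFS server
that sees the client's packets arriving from the NAT address will accept
the TGT.  The klist output below is constructed for illustration.
"""
import re
import subprocess

ADDR_LINE = re.compile(r"^\s*Addresses:\s*(.*?)\s*$")
TGT_LINE = re.compile(r"\bkrbtgt/")

# Constructed klist -a output: client 10.0.0.7 behind a NAT box at 1.2.3.4.
BEFORE_ALIAS = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jp@EXAMPLE.EDU

Valid starting     Expires            Service principal
09/26/01 10:46:35  09/26/01 20:46:35  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
        Addresses: 10.0.0.7
"""

# Same host after aliasing the NAT address onto a non-routed interface
# and running kinit again: both local addresses are now in the TGT.
AFTER_ALIAS = BEFORE_ALIAS.replace("Addresses: 10.0.0.7",
                                   "Addresses: 10.0.0.7, 1.2.3.4")

# An addressless TGT (e.g. noaddresses = true in krb5.conf).
ADDRESSLESS = BEFORE_ALIAS.replace("Addresses: 10.0.0.7", "Addresses: (none)")


def parse_klist_addresses(klist_text):
    """Return the set of addresses listed for the krbtgt entry.

    Only the Addresses: line following the krbtgt/ ticket is used; an
    empty set means the TGT is addressless (klist prints "(none)").
    """
    addrs = set()
    in_tgt = False
    for line in klist_text.splitlines():
        if TGT_LINE.search(line):
            in_tgt = True
            continue
        m = ADDR_LINE.match(line)
        if not m or not in_tgt:
            continue
        body = m.group(1)
        if body and body != "(none)":
            addrs.update(t.strip() for t in body.split(",") if t.strip())
        in_tgt = False
    return addrs


def current_tgt_addresses():
    """Run the real `klist -a`; None if klist is missing or there is no cache."""
    try:
        proc = subprocess.run(["klist", "-a"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    if proc.returncode != 0:
        return None
    return parse_klist_addresses(proc.stdout)


def diagnose(tgt_addrs, nat_external_ip):
    """Say whether the TGT will be usable when seen from nat_external_ip."""
    if not tgt_addrs:
        return "ok: TGT is addressless, NAT does not matter"
    if nat_external_ip in tgt_addrs:
        return "ok: TGT already carries the NAT address %s" % nat_external_ip
    return ("fail: TGT carries only %s but the server sees %s; alias %s on a "
            "non-routed interface, kdestroy, kinit again and re-check"
            % (", ".join(sorted(tgt_addrs)), nat_external_ip, nat_external_ip))


if __name__ == "__main__":
    nat_ip = "1.2.3.4"  # the NAT box's external address, from the thread
    for label, text in (("before alias", BEFORE_ALIAS),
                        ("after alias", AFTER_ALIAS),
                        ("addressless", ADDRESSLESS)):
        print("%-12s %s" % (label, diagnose(parse_klist_addresses(text), nat_ip)))
    live = current_tgt_addresses()
    if live is not None:
        print("%-12s %s" % ("this host", diagnose(live, nat_ip)))
```

Run it on the client behind the NAT: the three constructed cases show the failing, fixed and addressless outcomes, and the last line (printed only when klist and a credential cache are present) applies the same check to the real TGT.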