[OpenAFS] openafs, aklog, and NAT

Matthew Andrews mnandrews@lbl.gov
Wed, 26 Sep 2001 09:32:22 -0700


Derek Atkins wrote:

> The only way I know of (and note: I have not tested this) is if you
> configure an IP alias on your client that has the 'external' IP
> address of the NAT box.

There are two other solutions that I have seen reference to.

1) I have seen reference to a patch by Ken Hornstein (if you're listening, feel
free to speak up) which allows you to specify a "proxy_address = x.x.x.x" line
in your krb5.conf file, and adds that to the list of addresses that gets
requested when talking to the kdc.

2) there is a "noaddresses = true" entry which you can put into your krb5.conf
which causes kinit etc. to ask for tickets with no IP addresses embedded in
them. The concern with this solution is that any tickets granted on this
machine can be used on any other machine. If you are living on an untrusted
network, it is likely that someone who has managed to steal a ticket could
spoof an IP anyways, so I'm not sure how much this really lowers your overall
security.

Not sure which solution will be best for you, but since I'd just spent the
last couple of days finding a solution for this problem myself, I figured I'd
share what I'd found.

-Matthew Andrews

> "J. P. Mellor" <jpmellor@rose-hulman.edu> writes:
>
> > Derek Atkins writes:
> >  > How does aklog fail?
> >  >
> >  > Note that krb5 does not deal well with NAT because of how IP Addresses
> >  > are encoded into tickets.  Krb4 does not have this problem; so if you
> >  > wind up using the v4 aklog it should work, however, v5 may fail to
> >  > actually obtain the tickets.
> >  >
> >  > So, in what way does "kerberos" work on those machines behind NAT?
> >  > Yes, you can get your TGT, but can you get any OTHER service tickets?
> >
> > Okay, it sounds like I had a misunderstanding.  When I said kerberos
> > works, I meant that I can get a tgt ticket.  aklog fails to get an afs
> > token with the tgt ticket.  I was guessing that the IP address
> > figured into the equation somehow.  At present, we don't have any
> > other services to test with, but it sounds like the tgt ticket is the
> > problem.  I know this is getting a bit off topic, but is there any way
> > to get krb5 and NAT to work together?  Neither of these are my choice
> > nor are they likely to change.  Any suggestions (even if it requires a
> > bit of hacking) would be appreciated.
> >
> > Thanks,
> >
> > jp
> >
> >
>
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
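An added example, not from this thread or from any Kerberos or OpenAFS distribution: a small Python script that parses a krb5.conf and reports which of the two address policies discussed above it expresses. It looks for "noaddresses" (option 2, which drops the address binding entirely) and for "proxy_address" (the name quoted above for Ken Hornstein's patch; MIT krb5 later shipped an "extra_addresses" libdefault for the same purpose, and the script checks that name too). The sample configs, realm names and addresses embedded in it are constructed for the demonstration. The parser skips keys inside "{ ... }" subsections so a per-realm setting is not mistaken for the global one.

```python
"""Audit a krb5.conf for the ticket-address settings discussed in the thread.

Kerberos 5 tickets can carry the client's IP address(es).  Behind NAT the
KDC sees the NAT box's external address, so address-bound tickets fail.
Two workarounds: add the external address to the request ('proxy_address'
in the patch mentioned in the mail; MIT krb5's own name for this is
'extra_addresses'), or set 'noaddresses = true', which removes the binding
and lets a stolen ticket be replayed from any host.  This script reports
which policy a krb5.conf expresses.  Added example code, not from the
mailing list or any Kerberos distribution.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: address binding disabled globally.
SAMPLE_NOADDR = """\
[libdefaults]
    default_realm = EXAMPLE.COM   ; constructed placeholder realm
    noaddresses = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        noaddresses = false     # nested; must not be read as a libdefault
    }
"""

# Constructed sample: binding kept, NAT external address added (192.0.2.1 is
# a documentation address, used here as a placeholder).
SAMPLE_PROXY = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    proxy_address = 192.0.2.1     # patch-style name quoted in the mail
    extra_addresses = 192.0.2.1   # MIT krb5 name for the same idea
"""

_SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
_KEYVAL_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*=\s*(.*)$")


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the top-level key/value pairs of each [section].

    krb5.conf is INI-like but allows '{ ... }' subsections (per-realm
    blocks).  Keys inside braces are skipped so that a nested 'noaddresses'
    under [realms] is not mistaken for the global [libdefaults] setting.
    Comments start with '#' or ';'.  Keys may repeat, so values are lists.
    """
    sections: Dict[str, Dict[str, List[str]]] = {}
    current: Optional[str] = None
    depth = 0
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m and depth == 0:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(0, depth - 1)
            continue
        m = _KEYVAL_RE.match(line)
        if m and current is not None and depth == 0:
            sections[current].setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return sections


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "on", "1")


def audit_address_policy(conf_text: str) -> Dict[str, object]:
    """Classify how the config binds tickets to client addresses.

    'unbound'                 -> noaddresses is on; tickets work from any host
    'bound-with-nat-address'  -> binding kept, NAT address added to requests
    'bound'                   -> default: tickets carry only local addresses
    """
    libdefaults = parse_krb5_conf(conf_text).get("libdefaults", {})
    noaddr = any(_is_true(v) for v in libdefaults.get("noaddresses", []))
    extra = libdefaults.get("proxy_address", []) + libdefaults.get("extra_addresses", [])
    if noaddr:
        policy = "unbound"
    elif extra:
        policy = "bound-with-nat-address"
    else:
        policy = "bound"
    return {"noaddresses": noaddr, "extra_addresses": extra, "policy": policy}


if __name__ == "__main__":
    for name, conf in (("noaddresses", SAMPLE_NOADDR), ("nat-address", SAMPLE_PROXY)):
        print(name, audit_address_policy(conf))
```

Run it against a real /etc/krb5.conf by reading the file into audit_address_policy(); an "unbound" result is the trade-off Matthew describes: NAT works, but a ticket copied off the machine works everywhere too.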