
Re: KerberosV



Lately I seem to be the only one contributing to this thread - I hope
I am not boring everyone...

While on the subject, has anyone looked at packaging "heimdal-0.1g"?
It is meant to be a "freely available version of kerberos V", and AFAIK
isn't developed in USA, hence doesn't have any export restrictions.
It hasn't been officially announced [released] yet though, but as is
at <http://www.pdc.kth.se/heimdal/> (from comp.protocols.kerberos
FAQ). To me, it looks like they are working kerberos V5 support into
kerberos4kth. I haven't yet got it going ;-), but the coding standard
looks good (e.g. full autoconf, automake, and libtool support). It
also has X support (i.e. kx and kxd), which the MIT version is lacking.

Documentation is... well... err... what documentation? ;-)

There are two mailing lists for the project, see above URL.

On Sat, Jun 26, 1999 at 08:40:20PM +1000, Brian May wrote:
> I have found this irritating problem, with kerberos V - kinit doesn't work
> on a remote computer to the KDC, it only seems to work on the KDC. I
> have straced and tcpdumped it and everything looks fine at the program
> level, but the kernel rejects a valid(??) UDP packet for no good reason
> (that I can see).

I found the problem!

> This is the tcpdump:
> 20:26:25.814454 dewey.chocbit.org.au.1942 > snoopy.apana.org.au.kerberos: v5
> 20:26:25.834454 snoopy.chocbit.org.au.kerberos > dewey.chocbit.org.au.1942: v5
> 20:26:25.834454 dewey.chocbit.org.au > snoopy.chocbit.org.au: icmp: dewey.chocbit.org.au udp port 1942 unreachable [tos 0xc0]

Here it is - the server replied from the address "snoopy.chocbit.org.au"
instead of "snoopy.apana.org.au". See the attached E-Mail for
a description I found of what went wrong.

> 20:26:26.814454 dewey.chocbit.org.au.1943 > snoopy.apana.org.au.kerberos4: v5

Here the client got confused and didn't realize the packet was for
it because the source address was wrong.

-- 
Brian May <bam@snoopy.apana.org.au>
--- Begin Message ---
In article <7h2pui$hmu$1@agate.berkeley.edu>,
Mike Friedman <mikef@ack.berkeley.edu> wrote:
>Are there any 'gotchas' supporting multi-homed KDCs?  I know about the
>DNS issues with (kerberized) application servers.  But are there any 
>additional problems when the multi-homed hosts are the KDCs themselves?

The MIT KDC doesn't quite work right on a multihomed machine.

By that I mean that the KDC binds to INADDR_ANY so that in some cases
(e.g., if you have asymmetric routing) it will send a reply packet whose
source address doesn't match the request packet's destination address.

I have patches that fix this (basically, the KDC is changed so it
binds to every interface).

Oh, v5passwdd doesn't quite work right either  (IIRC, it only binds
to the first IP address associated with a machine).

--Ken


--- End Message ---
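The failure Brian diagnoses above, and the INADDR_ANY cause Ken describes in the forwarded message, reproduced as an added example (not code from either poster, nor from MIT or Heimdal Kerberos). It assumes a Linux host, where the whole 127.0.0.0/8 block is local, so 127.0.0.2 can stand in for the KDC's second interface; the toy KDC and kinit are constructed stand-ins that only model the UDP addressing, not the protocol.

```python
import socket
import threading

# Constructed addresses: 127.0.0.2 plays the KDC interface the client sends
# to, 127.0.0.1 the one an INADDR_ANY-bound reply actually leaves from.
KDC_ADDR = "127.0.0.2"

def run_kdc(sock, stop):
    """Toy KDC: echo every request back to its sender."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(2048)
        except socket.timeout:
            continue
        sock.sendto(b"AS-REP:" + data, peer)  # source address picked by kernel

def kinit(port):
    """Toy kinit on a *connected* UDP socket: the kernel delivers only datagrams
    whose source is the peer it connected to, and answers the rest with ICMP."""
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c.settimeout(1.0)
    c.connect((KDC_ADDR, port))
    c.send(b"AS-REQ")
    try:
        return c.recv(2048)
    except socket.timeout:
        return None  # reply never matched the connected peer address
    finally:
        c.close()

def try_kdc(bind_addr):
    """Run the toy KDC bound to bind_addr and kinit against KDC_ADDR."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_addr, 0))
    port = s.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=run_kdc, args=(s, stop), daemon=True)
    t.start()
    try:
        return kinit(port)
    finally:
        stop.set()
        t.join()
        s.close()

if __name__ == "__main__":
    print("INADDR_ANY:", try_kdc("0.0.0.0"))  # None: reply came from 127.0.0.1
    print("per-address:", try_kdc(KDC_ADDR))  # b'AS-REP:AS-REQ'
```

Binding one socket per interface address, as Ken's patch does, makes the reply leave from the address the request arrived on; on a real multihomed KDC the same symptom shows up in tcpdump as an ICMP port unreachable from the client.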
