[Freeipa-users] Kerberos Password change limitation while behind a NAT

Simo Sorce ssorce at redhat.com
Thu Sep 30 16:30:36 UTC 2010


On Thu, 30 Sep 2010 16:05:52 +0200
Marc Schlinger <marc.schlinger at agorabox.org> wrote:

> Hello all,
> 
> I cannot change an expired user password while behind a NAT.
> The error I get is:
> 
> kpasswd[6756]: Failed to decrypt password: Incorrect net address
> 
> I believe this is a kerberos limitation due to the difference between 
> the host ip address enclosed in the ticket - the host's rfc1918
> address - and the address used to communicate with the server - the
> router's address. This setup is very common @home
> 
> There must be a way to disable the verification for kpasswd since it 
> works for other services. But it may have been set for security 
> purposes, so disabling it may introduce some flaws.
> 
> I know that ipa passwd can set the password by calling a special
> method through xmlrpc, but if the client has no credential, he must
> retrieve one - with kinit - before calling this method. And kinit
> will ask to change the password.
> 
> My problem is, how can I handle the case where a user has an expired 
> password and is behind a NAT?

You can use ldappasswd too, either with GSSAPI auth or eventually even
with plaintext auth (requires using SSL); in that case, though, you will
need to know the user DN.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
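An added example, not part of this thread, showing the two ldappasswd variants Simo mentions and how to derive the user DN the simple-bind variant needs. It assumes a FreeIPA server installed with the default base DN (the realm lowercased into dc= components) and uses ipa.example.com / EXAMPLE.COM as placeholder names; nothing here talks to a server, it only assembles the command lines.

```shell
#!/bin/sh
# Helpers for the ldappasswd workaround (added example; the server name,
# realm and base-DN layout below are assumptions, not from the thread).

# FreeIPA's default base DN is the realm, lowercased, as dc= components
# (assumption: the server was installed with that default).
realm_to_basedn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/'
}

# FreeIPA keeps user entries under cn=users,cn=accounts,<basedn>.
ipa_user_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s' "$1" "$(realm_to_basedn "$2")"
}

# Print (do not run) the ldappasswd command line for the chosen mode.
#   gssapi: binds with an existing ticket, so it needs a password that is
#           not expired yet; no DN required.
#   simple: binds with the old password over LDAPS and needs the user DN;
#           this is the path for an expired password behind a NAT, since
#           no Kerberos ticket (and no address check) is involved.
ldappasswd_cmd() {
    mode=$1; user=$2; realm=$3; server=$4
    case $mode in
        gssapi)
            printf 'ldappasswd -Y GSSAPI -H ldap://%s -S\n' "$server" ;;
        simple)
            printf 'ldappasswd -x -H ldaps://%s -D "%s" -W -S\n' \
                "$server" "$(ipa_user_dn "$user" "$realm")" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Example: the simple-bind form for user marc in realm EXAMPLE.COM.
# -W prompts for the current (expired) password, -S for the new one.
ldappasswd_cmd simple marc EXAMPLE.COM ipa.example.com
```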
