
Re: pam_krb* modules on multihomed boxes



The AS returns a TGT with the client's requested IP addresses listed as
the valid addresses from which the ticket can be used.

The fact that you actually get an initial ticket but fail to get other
tickets later indicates that your gateway is asking for the wrong set of
IP addresses in the AS request.

Two things can be the cause of this, AFAIK:

1) incorrect setup of the host's name service on the host

2) NAT _between_ the host and the KDC

The setup of the host's name service on the gateway should be such that
gethostbyname() on the gateway's hostname returns either the
inside IP address (the one the KDC sees) or all the gateway's IP
addresses.

If you can't fix the problem you can always hack pam_krb5 so you can
specify additional IP addresses to include in the AS request via
arguments to auth pam_krb5.

Nico


On Tue, Oct 10, 2000 at 09:31:27PM -0400, Wes Brown wrote:
> On Tue, Oct 10, 2000 at 06:06:30PM +0100, Mayers, Philip J wrote:
> > There are known difficulties with multihomed kerberos boxes. Try this:
> > 
> > http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#multihomed
> > http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbdns
> > 
> > Regards,
> > Phil
> 
> Thank you for the information, but I can kinit from the system in question
> and my TGT is received fine.  I believe the pam_krb5 module authenticates
> the user by whether or not a TGT can be retrieved from the KDC.
> 
> Wes
> --- 
> Wes Brown
> ewb4@po.cwru.edu		wes@smellycat.com
> http://prozac.cwru.edu/wes/About.me.html
> KB8TGR
> 
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
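An added model of the exchange Nico describes, to make the failure mode concrete. This is illustrative code written for this archive page, not code from pam_krb5, MIT Kerberos, or any of the posters; the host name, addresses and NAT mapping are constructed, and the name-service lookup is simulated with a small hosts table so the script runs offline. It shows why the AS exchange (kinit) succeeds while a later TGS request fails when the gateway's name service hands back only the outside address, how resolving all addresses (or adding one by module argument, as the post suggests) fixes it, and why NAT between the host and the KDC breaks it again.

```python
"""Model of address-restricted Kerberos tickets on a multihomed gateway.

Added example, not pam_krb5 or KDC code. The AS copies the client's
requested addresses into the TGT without checking them against the request's
source; the KDC only enforces them later, on TGS requests.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the gateway's name service (/etc/hosts style).
# Each value is what gethostbyname()/gethostbyname_ex() would return.
HOSTS_BROKEN = {"gw.example.org": ["203.0.113.10"]}              # outside address only
HOSTS_FIXED = {"gw.example.org": ["10.0.0.1", "203.0.113.10"]}   # inside + outside


def gethostbyname_ex(hostname, hosts):
    """Simulated gethostbyname_ex(): every address the name service maps the name to."""
    if hostname not in hosts:
        raise LookupError(f"unknown host {hostname}")
    return [ipaddress.ip_address(a) for a in hosts[hostname]]


@dataclass
class Ticket:
    principal: str
    addresses: list  # client addresses the AS placed into the TGT


def as_request(principal, hostname, hosts, extra_addresses=()):
    """What an initial-ticket client (kinit, pam_krb5) does: resolve its own
    hostname and ask the AS to restrict the TGT to those addresses.

    `extra_addresses` stands in for the pam_krb5 modification mentioned in
    the post, where additional addresses are passed as module arguments.
    The AS does not verify the list against the request's source address,
    which is why this step succeeds even with a broken name service.
    """
    addrs = gethostbyname_ex(hostname, hosts)
    addrs += [ipaddress.ip_address(a) for a in extra_addresses]
    return Ticket(principal, addrs)


def tgs_request(ticket, source_ip, nat=None):
    """What the KDC enforces on a later TGS request: the address it sees the
    request arriving from must be listed in the TGT.

    `nat` is an optional constructed mapping from the host's real source
    address to the address the KDC actually observes (NAT between host and KDC).
    """
    seen = nat.get(source_ip, source_ip) if nat else source_ip
    return ipaddress.ip_address(seen) in ticket.addresses


def diagnose(hosts, source_ip, extra_addresses=(), nat=None):
    """Run the full AS-then-TGS sequence for the gateway and report the outcome."""
    tgt = as_request("wes@EXAMPLE.ORG", "gw.example.org", hosts, extra_addresses)
    ok = tgs_request(tgt, source_ip, nat)
    listed = ", ".join(str(a) for a in tgt.addresses)
    return f"TGT addresses [{listed}], TGS from {source_ip}: {'ok' if ok else 'FAIL'}"


if __name__ == "__main__":
    print("broken hosts:  ", diagnose(HOSTS_BROKEN, "10.0.0.1"))
    print("fixed hosts:   ", diagnose(HOSTS_FIXED, "10.0.0.1"))
    print("module arg:    ", diagnose(HOSTS_BROKEN, "10.0.0.1", extra_addresses=["10.0.0.1"]))
    print("NAT to KDC:    ", diagnose(HOSTS_FIXED, "10.0.0.1", nat={"10.0.0.1": "192.0.2.5"}))
```

On a real gateway the equivalent of the first check is to compare what `getent hosts <gateway hostname>` returns with the address the KDC sees the host's packets arriving from; if the inside address is missing, the name service is the cause. The NAT case cannot be fixed by resolver configuration, since the address the KDC sees is never one the host knows about, which is why the post treats it as a separate cause.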