> Further investigation by my Windows colleagues appears to reveal that
> password changing fails only when issued from a NAT'ed private IP address.
> This is true both for KfW and for native Windows Kerberos password
> changing.
Password changing doesn't work behind a NAT. That's well-known (well, except that I guess not everyone knew that :-)). The reason is long and complicated (short answer: password changing uses a KRB_PRIV message, which has to have the source IP address in it, which always is wrong behind a NAT). This is not related to addressless tickets.

But I thought that the Windows Kerberos password changing didn't use a KRB_PRIV message, so maybe I'm wrong. But the message you're getting is definitely what I saw when I ran into this problem.

Fixing this involves changing krb5_rd_priv() to ignore the source IP address in the KRB_PRIV message. You probably want to make this conditional, so that you only ignore it for password changing. You can look at the archives (maybe this was discussed on krbdev) for the ... "discussion" about this.

My take: I don't believe there is a security problem with ignoring the IP address in KRB_PRIV messages for password changing, and the amount of code to make this work is small.

--Ken

________________________________________________
Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
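The NAT failure and the conditional relaxation described in the message above, modelled as an added example (not MIT krb5 code and not anything Ken posted). The KRB_PRIV body is simplified to the fields that matter (user-data, timestamp, s-address, optional r-address), with no ASN.1 and no encryption; the function names `rd_priv`, `simulate_kpasswd` and the IP addresses are constructed for this illustration. The point it shows: a NAT rewrites the IP header but cannot rewrite the s-address sealed inside the message, so the strict check always fails from behind a NAT, and relaxing only the address comparison for the password-changing path leaves the timestamp check (the freshness/replay protection) untouched.

```python
"""Toy model of the KRB_PRIV sender-address check behind a NAT.

Added example; field layout follows EncKrbPrivPart (RFC 4120 sec. 5.7.1)
in spirit only. Nothing here is the real krb5_rd_priv() implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import ipaddress


@dataclass
class KrbPrivPart:
    """Decrypted KRB_PRIV body (simplified)."""
    user_data: bytes
    timestamp: datetime
    s_address: str                  # address the *client* wrote in
    r_address: Optional[str] = None  # optional recipient address


class KrbPrivError(Exception):
    pass


CLOCK_SKEW = timedelta(minutes=5)


def rd_priv(msg: KrbPrivPart, observed_src: str, now: datetime,
            ignore_s_address: bool = False) -> bytes:
    """Validate a decrypted KRB_PRIV body and return its user-data.

    observed_src is the source IP the transport actually delivered the
    packet from. By default the s-address inside the message must match
    it; ignore_s_address=True models the conditional relaxation suggested
    in the message (to be enabled only by the password-changing path).
    The timestamp check is applied in both modes.
    """
    if abs(now - msg.timestamp) > CLOCK_SKEW:
        raise KrbPrivError("timestamp outside allowed clock skew")
    if not ignore_s_address:
        if ipaddress.ip_address(msg.s_address) != ipaddress.ip_address(observed_src):
            raise KrbPrivError(
                f"s-address {msg.s_address} does not match source {observed_src}")
    return msg.user_data


def simulate_kpasswd(client_ip: str, nat_public_ip: Optional[str],
                     relax_for_kpasswd: bool,
                     stale_by: timedelta = timedelta(0)) -> str:
    """Run one password-change request through an optional NAT.

    Returns "ok" or "rejected: <reason>". stale_by ages the message so the
    freshness check can be exercised independently of the address check.
    """
    now = datetime(2004, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    # The client fills in s-address with the only address it knows: its own.
    msg = KrbPrivPart(b"new-password", now - stale_by, s_address=client_ip)
    # A NAT rewrites the outer IP header, but the s-address is inside the
    # encrypted part, so it still carries the private address.
    observed = nat_public_ip if nat_public_ip else client_ip
    try:
        rd_priv(msg, observed, now, ignore_s_address=relax_for_kpasswd)
        return "ok"
    except KrbPrivError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print(simulate_kpasswd("10.0.0.5", None, False))           # direct: ok
    print(simulate_kpasswd("10.0.0.5", "203.0.113.7", False))  # NAT, strict
    print(simulate_kpasswd("10.0.0.5", "203.0.113.7", True))   # NAT, relaxed
```

Running it shows the direct client succeeding, the NAT'ed client failing on the address mismatch with the strict check, and succeeding once only the address comparison is skipped; a stale message is still refused in the relaxed mode because the skew check is independent of the address check.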
