On 06/04/2015 09:45 PM, Ken Hornstein wrote:
> I haven't tried that combination, but from memory the issue is that
> the kpasswd protocol uses a KRB-PRIV message and the issue was that
> you can't omit an IP address from it (let me check ... yes, the sender's
> address is not optional in a KRB-PRIV message).  You could run kpasswd
> under a debugger to figure out what the "wrong" address is.  But I suspect
> it would be just easier to modify the MIT client to ignore the IP address
> on the KRB-PRIV on the reply message.

Yes; we did that for 1.13.  We had already made the corresponding change
to the server in 1.10.

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7886
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6979

>> The kpasswd protocol is horrible.
> 
> +1

I don't think of it as all that bad, but we should probably try it over
TCP first, as the UDP protocol is subject to erroneously treating
retransmits as replays.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
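
The retransmit-versus-replay problem mentioned in the reply above, as an added example that is not part of the original message and is not MIT krb5 code. It is a simplified model: the `|`-separated datagram layout, the class names and the `reply_lookaside` option are assumptions made for illustration, and the sample request is constructed.

```python
import hashlib

class ReplayCache:
    """Remembers authenticator identities seen within the clock-skew window."""
    def __init__(self, skew=300):
        self.skew = skew
        self.seen = {}  # (client, ctime, cusec) -> time first seen

    def check_and_store(self, client, ctime, cusec, now):
        # Drop entries that have aged out of the skew window.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.skew}
        key = (client, ctime, cusec)
        if key in self.seen:
            return False  # same authenticator again: treated as a replay
        self.seen[key] = now
        return True

class PasswordChangeServer:
    """Hypothetical server; reply_lookaside is one possible mitigation."""
    def __init__(self, reply_lookaside=False):
        self.rcache = ReplayCache()
        self.reply_lookaside = reply_lookaside
        self.replies = {}  # sha256(datagram) -> reply already sent

    def handle(self, datagram, now):
        digest = hashlib.sha256(datagram).digest()
        if self.reply_lookaside and digest in self.replies:
            # Byte-identical retransmit: resend the old reply, change nothing.
            return self.replies[digest]
        client, ctime, cusec, _payload = datagram.decode().split("|")
        if self.rcache.check_and_store(client, int(ctime), int(cusec), now):
            reply = "SUCCESS"
        else:
            reply = "ERROR: replay"
        self.replies[digest] = reply
        return reply

def udp_exchange(server, datagram, lost_replies=1):
    """Client resends the same datagram after each lost reply.
    Returns the first reply that actually reaches the client."""
    now = 1000
    for attempt in range(lost_replies + 1):
        reply = server.handle(datagram, now + attempt)
    return reply

# Constructed sample request: client | ctime | cusec | opaque payload.
REQUEST = b"alice@EXAMPLE.COM|1433454300|123456|new-password-blob"
```

With `lost_replies=0` the model matches TCP, where the transport retransmits below the application and the server sees the request once. With one lost UDP reply the client is told "replay" even though the first copy of its request succeeded.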
