[Freeipa-users] Kerberos Password change limitation while behind a NAT
Marc Schlinger
marc.schlinger at agorabox.org
Thu Sep 30 14:05:52 UTC 2010
Hello all,
I cannot change an expired user password while behind a NAT.
The error I get is:
kpasswd[6756]: Failed to decrypt password: Incorrect net address
I believe this is a Kerberos limitation due to the difference between
the host IP address enclosed in the ticket - the host's RFC 1918 address -
and the address used to communicate with the server - the router's
address. This setup is very common @home.
There must be a way to disable the verification for kpasswd since it
works for other services. But it may have been set for security
purposes, so disabling it may introduce some flaws.
I know that ipa passwd can set the password by calling a special method
through xmlrpc, but if the client has no credential, he must retrieve
one - with kinit - before calling this method. And kinit will ask to
change the password.
My problem is, how can I handle the case where a user has an expired
password and is behind a NAT?
Thanks for all
Marc