On Wed, 2004-09-22 at 20:12 -0400, Ken Raeburn wrote:
> On Sep 22, 2004, at 19:58, Fredrik Tolf wrote:
> >> Shouldn't be hard. I think you need to dig up the code in the krb5
> >> library (or include directory, or a copy in the KDC code? I forget
> >> where 1.3 had it) that looks for IFF_LOOPBACK and disable it.
> >
> > It would be much better if it would listen to 0.0.0.0, since if I leave
> > the network and then come back, I'm not always certain to be given the
> > same IP address by the DHCP server. If I would get a new one, I'd have
>
> Taking out the IFF_LOOPBACK check just means it should start listening
> on 127.0.0.1, and you could stick "localhost" into your config file.
> If you're using a DHCP-assigned address, you need to update your config
> file to point to the new local name, unless your software is tweaking
> /etc/hosts to map some fixed name to your current address, or you get
> dynamic DNS updates or something.

Precisely - I have DDNS.

> >> Listening on 0.0.0.0 for UDP traffic may not work for hosts with
> >> multiple addresses, since the client code may be checking that it got
> >> its response back from the same address to which it sent the query.
> >
> > I'm sorry, but I'm not seeing the problem. When the reply is sent back,
> > surely the kernel fills in the interface address in the source field of
> > the IP header? Or am I missing something here?
>
> Yes, it does. However, that interface is chosen by the destination
> address, generally, and not by the address the client used to contact
> you. If the client used address #1 because it was first in the list,
> and the packet came in on interface #1, but based on the client's
> address, the KDC host believes that the faster route to it is through
> interface #2, then the address for interface #2 will be used if you
> don't force it to do otherwise. A similar issue comes up if one
> interface has multiple addresses.

Of course... I was thinking that clients would always send their
requests to the nearest interface, but I realize now that that naturally
isn't always the case.

> > I see... that would be a problem, I guess. I was under the impression
> > that tickets still include the host address by default (isn't that the
> > reason for the "Proxiable" flag?). Is that not true?
>
> I think we changed the defaults in 1.3; if not, it's changed in 1.4.
> Running "klist -a" would tell you if your tickets have addresses.

Indeed you are right - no addresses in there.

Fredrik Tolf

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
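The reply-source problem discussed in this thread, and one way a UDP server bound to 0.0.0.0 can "force it to do otherwise", shown as an added example that is not code from the thread or from MIT krb5. It assumes Linux's IP_PKTINFO socket option; the function names and the 127.0.0.1/127.0.0.2 loopback setup are constructed for illustration.

```c
#define _GNU_SOURCE                       /* struct in_pktinfo on Linux/glibc */
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Echo one datagram; with pin set, reply from the address the client queried. */
static int serve_one(int fd, int pin) {
    _Alignas(struct cmsghdr) char ctl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    char buf[512];
    struct sockaddr_in peer;
    struct in_pktinfo pi;
    struct iovec iov = { buf, sizeof buf };
    struct msghdr m = { .msg_name = &peer, .msg_namelen = sizeof peer, .msg_iov = &iov,
                        .msg_iovlen = 1, .msg_control = ctl, .msg_controllen = sizeof ctl };
    ssize_t n = recvmsg(fd, &m, 0);
    if (n < 0) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    iov.iov_len = (size_t)n;
    if (pin && c && c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
        memcpy(&pi, CMSG_DATA(c), sizeof pi);
        pi.ipi_spec_dst = pi.ipi_addr;    /* source := address the request was sent to */
        pi.ipi_ifindex = 0;               /* leave the outgoing interface to routing */
        memcpy(CMSG_DATA(c), &pi, sizeof pi);
    } else {
        m.msg_control = NULL; m.msg_controllen = 0;   /* kernel picks source by route */
    }
    return sendmsg(fd, &m, 0) < 0 ? -1 : 0;
}

/* Constructed Linux loopback check; 1 if the reply's source is the queried 127.0.0.2. */
int reply_source_matches(int pin) {
    struct sockaddr_in srv = { .sin_family = AF_INET }, cli = srv, from = srv;
    socklen_t sl = sizeof srv, fl = sizeof from;
    char buf[8];
    int on = 1, s = socket(AF_INET, SOCK_DGRAM, 0), c = socket(AF_INET, SOCK_DGRAM, 0);
    setsockopt(s, IPPROTO_IP, IP_PKTINFO, &on, sizeof on);
    bind(s, (struct sockaddr *)&srv, sizeof srv);          /* 0.0.0.0, ephemeral port */
    getsockname(s, (struct sockaddr *)&srv, &sl);          /* learn the chosen port */
    cli.sin_addr.s_addr = inet_addr("127.0.0.1");
    bind(c, (struct sockaddr *)&cli, sizeof cli);          /* client lives on 127.0.0.1 */
    srv.sin_addr.s_addr = inet_addr("127.0.0.2");
    sendto(c, "req", 3, 0, (struct sockaddr *)&srv, sizeof srv);   /* query 127.0.0.2 */
    serve_one(s, pin);
    recvfrom(c, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
    close(s); close(c);
    return from.sin_addr.s_addr == srv.sin_addr.s_addr;
}

int main(void) { return reply_source_matches(1) ? 0 : 1; }
```

With `pin` set to 0 the same exchange returns 0: the reply leaves from 127.0.0.1, the address the route to the client selects, which is the mismatch a client that checks the responder's address would reject.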
