On Mon, Oct 04, 2010 at 10:11:37PM +0100, Brian Candler wrote:
> Which brings me to an aside: does this mean that all communication is
> initiated by the client to each KDC, except for the final server to its KDC?
> There's no KDC to KDC traffic? I'm particularly interested whether I can
> make the following scenario work with a NAT/PAT firewall:
>
>                           NAT
>                          +-+
> client ----------------> | | ----------------> server
>                          | |
>                          | |
> KDC for                  | |                   KDC for
> FOO.EXAMPLE.COM          | |                   BAR.EXAMPLE.COM
>                          +-+
For the benefit of the list, I have set this up and it seems to work fine.

I am using vmware server. Getting the above scenario to work just involved
changing client and kdc.foo.example.com to a 'NAT' interface while
kdc.bar.example.com has a 'bridged' interface with its own IP.

* On client, do 'kinit' (gets ticket for candl...@foo.example.com)
* On client, ssh to kdc.bar.example.com
* Cross-realm authentication works fine

I did some tcpdump testing. When I do initial kinit: I see an exchange from
client to kdc.foo only.

When I initiate ssh connection: apart from port 22 traffic I see

* kerberos exchange from client to kdc.foo
* reverse dns lookup on kdc.bar [probably sshd / tcp_wrappers]
* kerberos exchange from client to kdc.bar

kdc.bar doesn't have any /etc/hosts entry for the NAT external IP, so doesn't
seem to need it.

Regards,

Brian.
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
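The "every Kerberos exchange is client-initiated, no KDC-to-KDC traffic" property that Brian checked by eye with tcpdump, as an added example that is not part of the post: a Python script that parses `tcpdump -n` style lines (a constructed sample as seen from the client, with assumed addresses for client, kdc.foo and kdc.bar) and reports which hosts initiated traffic to each KDC on port 88 and whether any KDC initiated Kerberos traffic to another KDC.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` output captured on the client during
# kinit and the later ssh to kdc.bar. Assumed addresses (not from the post):
# client 192.168.1.10, kdc.foo 192.168.1.20 (both behind the NAT),
# kdc.bar 203.0.113.30 (bridged, own public IP).
SAMPLE_TCPDUMP = """\
12:00:01.000 IP 192.168.1.10.40001 > 192.168.1.20.88: UDP, length 200
12:00:01.001 IP 192.168.1.20.88 > 192.168.1.10.40001: UDP, length 600
12:00:05.000 IP 192.168.1.10.51000 > 203.0.113.30.22: Flags [S], seq 1
12:00:05.010 IP 192.168.1.10.40002 > 192.168.1.20.88: UDP, length 210
12:00:05.011 IP 192.168.1.20.88 > 192.168.1.10.40002: UDP, length 700
12:00:05.030 IP 192.168.1.10.40003 > 203.0.113.30.88: UDP, length 700
12:00:05.031 IP 203.0.113.30.88 > 192.168.1.10.40003: UDP, length 650
"""

# Matches the "IP src.sport > dst.dport:" prefix tcpdump prints with -n.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
KERBEROS_PORT = 88


def kerberos_initiators(capture):
    """Return {kdc_ip: set(initiator_ips)} for every packet sent to port 88.

    Only the packet *to* the KDC counts as initiation; the KDC's reply (source
    port 88) is ignored, so replies never show up as KDC-originated traffic.
    """
    flows = defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == KERBEROS_PORT:
            flows[m["dst"]].add(m["src"])
    return dict(flows)


def kdc_to_kdc_traffic(capture, kdcs):
    """List (src, dst) pairs where one KDC initiated Kerberos traffic to another."""
    return [(src, dst) for dst, srcs in kerberos_initiators(capture).items()
            for src in srcs if src in kdcs and dst in kdcs and src != dst]


if __name__ == "__main__":
    kdcs = {"192.168.1.20", "203.0.113.30"}
    for kdc, srcs in kerberos_initiators(SAMPLE_TCPDUMP).items():
        print(f"KDC {kdc} contacted by: {sorted(srcs)}")
    print("KDC-to-KDC Kerberos traffic:", kdc_to_kdc_traffic(SAMPLE_TCPDUMP, kdcs))
```

Run it against a real capture (`tcpdump -n port 88`) taken on the client and on each KDC to confirm the same result for your own setup.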