s4:kdc In the kpasswd server, don't use the client address in mk_priv

This code eventually calls into mk_priv in the Heimdal code, and if
the client is behind NAT, or somehow has an odd idea about it's own
network addresses, it will fail to accept this packet if we set an
address.  It seems easiser not to.  (Found by testing with NetAPP at
plugfest)

Andrew Bartlett

1 files changed, 8 insertions, 0 deletions

diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 3a39348578..9664d1b016 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -528,11 +528,19 @@ bool kpasswdd_process(struct kdc_server *kdc,
 
 	/* The kerberos PRIV packets include these addresses.  MIT
 	 * clients check that they are present */
+#if 0
+	/* Skip this part for now, it breaks with a NetAPP filer and
+	 * in any case where the client address is behind NAT.  If
+	 * older MIT clients need this, we might have to insert more
+	 * complex code */
+
 	nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
 		return false;
 	}
+#endif
+
 	nt_status = gensec_set_my_addr(gensec_security, my_addr);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);