summaryrefslogtreecommitdiff
path: root/source4/kdc
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-09-15 22:02:36 -0700
committerAndrew Bartlett <abartlet@samba.org>2009-09-16 07:18:16 -0700
commit932690c093692b1e9fca4dfa75c7cd55ea4e63b1 (patch)
treefeb423a68d2c682c5a72b03f0c02341ebcf2ad94 /source4/kdc
parente8e8e40505465c65bcf434373ae89c8bbf650f96 (diff)
downloadsamba-932690c093692b1e9fca4dfa75c7cd55ea4e63b1.tar.gz
samba-932690c093692b1e9fca4dfa75c7cd55ea4e63b1.tar.bz2
samba-932690c093692b1e9fca4dfa75c7cd55ea4e63b1.zip
s4:kdc In the kpasswd server, don't use the client address in mk_priv
This code eventually calls into mk_priv in the Heimdal code, and if the client is behind NAT, or somehow has an odd idea about it's own network addresses, it will fail to accept this packet if we set an address. It seems easiser not to. (Found by testing with NetAPP at plugfest) Andrew Bartlett
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/kpasswdd.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 3a39348578..9664d1b016 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -528,11 +528,19 @@ bool kpasswdd_process(struct kdc_server *kdc,
/* The kerberos PRIV packets include these addresses. MIT
* clients check that they are present */
+#if 0
+ /* Skip this part for now, it breaks with a NetAPP filer and
+ * in any case where the client address is behind NAT. If
+ * older MIT clients need this, we might have to insert more
+ * complex code */
+
nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return false;
}
+#endif
+
nt_status = gensec_set_my_addr(gensec_security, my_addr);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);