From 932690c093692b1e9fca4dfa75c7cd55ea4e63b1 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 15 Sep 2009 22:02:36 -0700 Subject: s4:kdc In the kpasswd server, don't use the client address in mk_priv This code eventually calls into mk_priv in the Heimdal code, and if the client is behind NAT, or somehow has an odd idea about it's own network addresses, it will fail to accept this packet if we set an address. It seems easiser not to. (Found by testing with NetAPP at plugfest) Andrew Bartlett --- source4/kdc/kpasswdd.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'source4') diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 3a39348578..9664d1b016 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -528,11 +528,19 @@ bool kpasswdd_process(struct kdc_server *kdc, /* The kerberos PRIV packets include these addresses. MIT * clients check that they are present */ +#if 0 + /* Skip this part for now, it breaks with a NetAPP filer and + * in any case where the client address is behind NAT. If + * older MIT clients need this, we might have to insert more + * complex code */ + nt_status = gensec_set_peer_addr(gensec_security, peer_addr); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return false; } +#endif + nt_status = gensec_set_my_addr(gensec_security, my_addr); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); -- cgit