IPv6 privacy extensions breaks kerberos
Eric van Gyzen
eric at vangyzen.net
Mon Oct 7 16:14:51 UTC 2013
On 09/22/2013 06:40, Martin Laabs wrote:
> I noticed that Kerberos stops working when enabling the privacy extension.
> This is caused by the changing outgoing IP that does not fit the DNS
> name anymore (or does not have a DNS record at all).
> So every host enabling the privacy extension will be unable to use Kerberos
> and Kerberos-enabled services like NFS.
> This is a very problematic behavior and I would like to know if there is a
> way of getting around this.
You can request tickets that are not limited to specific IP addresses.
This is obviously not ideal. I also don't follow Kerberos development
very closely, so there might be a better solution, such as changing the
IP address in the ticket during a renewal, or requesting a subnet
instead of an IP address.
Good luck. I, for one, would like to hear if you find other options.
Eric