From: Eric van Gyzen
Date: Mon, 7 Oct 2013 11:14:48 -0500
To: Martin Laabs
Cc: freebsd-net@FreeBSD.org
Subject: Re: IPv6 privacy extensions breaks kerberos
Message-ID: <5252DDF8.1050306@vangyzen.net>
In-Reply-To: <523ED730.2030900@martinlaabs.de>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On 09/22/2013 06:40, Martin Laabs wrote:
> I noticed that Kerberos stops working when enabling the privacy extension.
> This is caused by the changing outgoing IP, which does not fit the DNS
> name anymore (or does not have a DNS record at all).
> So every host enabling the privacy extension will be unable to use Kerberos
> and Kerberos-enabled services like NFS.
> This is a very problematic behavior and I would like to know if there is a
> way of getting around this.
You can request tickets that are not limited to specific IP addresses. This is obviously not ideal.

I also don't follow Kerberos development very closely, so there might be a better solution, such as changing the IP address in the ticket during a renewal, or requesting a subnet instead of an IP address.

Good luck. I, for one, would like to hear if you find other options.

Eric
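The option Eric's reply refers to is the "address-less ticket": instead of the KDC binding the ticket to the client's addresses (which a rotating RFC 4941 temporary address will no longer match), the client asks for a ticket with no address list. The script below is an added example, not part of the thread and not code from FreeBSD or either Kerberos project. It assumes the two standard spellings of the krb5.conf knob, `no-addresses` for Heimdal (FreeBSD's base Kerberos, also settable per run with `kinit --no-addresses`) and `noaddresses` for MIT Kerberos (`kinit -A`), both in the `[libdefaults]` section, and the FreeBSD sysctls `net.inet6.ip6.use_tempaddr` and `net.inet6.ip6.prefer_tempaddr` that turn the privacy extension on. The two krb5.conf files it inspects are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): report whether a krb5.conf
# asks for address-less Kerberos tickets, the setting that keeps Kerberos
# working while IPv6 privacy extensions rotate the client's source address.

# Return 0 when the [libdefaults] section of the krb5.conf at $1 requests
# address-less tickets, 1 otherwise.  Heimdal spells the key "no-addresses",
# MIT spells it "noaddresses"; true/yes/1 are the boolean spellings both accept.
krb5_requests_addressless() {
    awk '
        # A "[name]" line starts a new section; remember whether it is [libdefaults].
        /^[ \t]*\[/ { inlib = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        inlib && tolower($0) ~ /^[ \t]*no-?addresses[ \t]*=[ \t]*(true|yes|1)[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print a one-line verdict for the krb5.conf at $1.
report() {
    if krb5_requests_addressless "$1"; then
        echo "$1: address-less tickets requested; safe with IPv6 privacy extensions"
    else
        echo "$1: tickets will carry the client's addresses; a rotating temporary address will not match"
    fi
}

# On FreeBSD these sysctls control temporary addresses; prefer_tempaddr is the
# one that makes them the source of outgoing connections.  Guarded so the
# script still runs on systems without these keys (it then prints "n/a").
ipv6_privacy_status() {
    for key in net.inet6.ip6.use_tempaddr net.inet6.ip6.prefer_tempaddr; do
        val=$(sysctl -n "$key" 2>/dev/null) || val="n/a"
        echo "$key=$val"
    done
}

# Two constructed krb5.conf files: a typical default, under which tickets are
# bound to the client's addresses, and the same file with the fix applied.
KRB5_BOUND=$(mktemp)
KRB5_ADDRESSLESS=$(mktemp)
cat >"$KRB5_BOUND" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
EOF
cat >"$KRB5_ADDRESSLESS" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    no-addresses = true
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
EOF

report "$KRB5_BOUND"
report "$KRB5_ADDRESSLESS"
ipv6_privacy_status
```

Point `report` at the real `/etc/krb5.conf` on a host with `prefer_tempaddr=1` to see the mismatch Martin describes before a ticket fails. The check deliberately requires the key to sit under `[libdefaults]` and ignores commented-out lines, since a `# noaddresses = true` left behind from an experiment is a common reason the fix appears to be in place but is not.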