Date: Mon, 7 Oct 2013 11:14:48 -0500
From: Eric van Gyzen <eric@vangyzen.net>
To: Martin Laabs <mailinglists@martinlaabs.de>
Cc: freebsd-net@FreeBSD.org
Subject: Re: IPv6 privacy extensions breaks kerberos
Message-ID: <5252DDF8.1050306@vangyzen.net>
In-Reply-To: <523ED730.2030900@martinlaabs.de>
References: <523ED730.2030900@martinlaabs.de>

On 09/22/2013 06:40, Martin Laabs wrote:
> I noticed that kerberos stops working when enabling the privacy extension.
> This is caused by the changing outgoing IP that does not fit to the dns
> name anymore (or does not have a dns record at all)
> So every host enabling the privacy extension will be unable to use kerberos
> and kerberos enabled services like nfs.
> This is a very problematic behavior and I would like to know if there is a
> way getting around this.

You can request tickets that are not limited to specific IP addresses. This is obviously not ideal. I also don't follow Kerberos development very closely, so there might be a better solution, such as changing the IP address in the ticket during a renewal, or requesting a subnet instead of an IP address.

Good luck. I, for one, would like to hear if you find other options.

Eric