s4:kdc In the kpasswd server, don't use the client address in mk_priv

This code eventually calls into mk_priv in the Heimdal code, and if
the client is behind NAT, or somehow has an odd idea about it's own
network addresses, it will fail to accept this packet if we set an
address.  It seems easiser not to.  (Found by testing with NetAPP at
plugfest)

Andrew Bartlett

diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 3a39348578594461820adba0cb5d2ced1ee1321c..9664d1b016feb10f5b5dfd4efd35cbb21da9b8b6 100644 (file)
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -528,11 +528,19 @@ bool kpasswdd_process(struct kdc_server *kdc,
 
        /* The kerberos PRIV packets include these addresses.  MIT
         * clients check that they are present */
+#if 0
+       /* Skip this part for now, it breaks with a NetAPP filer and
+        * in any case where the client address is behind NAT.  If
+        * older MIT clients need this, we might have to insert more
+        * complex code */
+
        nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);
                return false;
        }
+#endif
+
        nt_status = gensec_set_my_addr(gensec_security, my_addr);
        if (!NT_STATUS_IS_OK(nt_status)) {
                talloc_free(tmp_ctx);