From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 16 Sep 2009 05:02:36 +0000 (-0700)
Subject: s4:kdc In the kpasswd server, don't use the client address in mk_priv
X-Git-Url: http://git.samba.org/samba.git/?a=commitdiff_plain;h=932690c093692b1e9fca4dfa75c7cd55ea4e63b1;p=samba.git

s4:kdc In the kpasswd server, don't use the client address in mk_priv

This code eventually calls into mk_priv in the Heimdal code, and if
the client is behind NAT, or somehow has an odd idea about it's own
network addresses, it will fail to accept this packet if we set an
address.  It seems easiser not to.  (Found by testing with NetAPP at
plugfest)

Andrew Bartlett
---

diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 3a393485785..9664d1b016f 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -528,11 +528,19 @@ bool kpasswdd_process(struct kdc_server *kdc,
 
 	/* The kerberos PRIV packets include these addresses.  MIT
 	 * clients check that they are present */
+#if 0
+	/* Skip this part for now, it breaks with a NetAPP filer and
+	 * in any case where the client address is behind NAT.  If
+	 * older MIT clients need this, we might have to insert more
+	 * complex code */
+
 	nt_status = gensec_set_peer_addr(gensec_security, peer_addr);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
 		return false;
 	}
+#endif
+
 	nt_status = gensec_set_my_addr(gensec_security, my_addr);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);