Subject: Re: Using ipnat with DHCP.
To: Ted Lemon <mellon@isc.org>
From: Greg Hudson <ghudson@MIT.EDU>
List: current-users
Date: 11/13/1999 13:33:43
> How'd you get kerberos to put the NAT machine's IP address in the
> kerberos packets?

In Kerberos 4, the KDC determines the IP address of the ticket, using
the source IP address of the request.  So krb4 works fine over NAT.

In Kerberos 5, the requestor determines what IP addresses the ticket
is valid for.  The MIT implementation normally makes the ticket valid
for all local interfaces.  So krb5 will not work properly over NAT
normally.  As of release 1.1, the MIT krb5 implementation supports a
profile option "noaddresses" in the section for each realm which will
make the ticket valid for all IP addresses.  This will get things
working again.

(Or you can try to kludge it by creating a virtual interface with the
external IP address of the NAT gateway and make sure that nothing
routes to it, but I don't know if that could have nasty side-effects.)
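
The address checks described in this message, as an added example (not part of the original message and not MIT or krb4 code). It is a simplified Python model; the function names and the addresses are constructed for illustration.

```python
# Simplified model of ticket address checks across a NAT gateway.
# Addresses are constructed examples (RFC 1918 / RFC 5737 ranges).
CLIENT_PRIVATE = "192.168.1.10"   # client's real interface behind the NAT
NAT_EXTERNAL = "203.0.113.5"      # address the KDC and services see


def nat(src):
    """Source address of a packet as seen outside the gateway."""
    return NAT_EXTERNAL if src == CLIENT_PRIVATE else src


def krb4_issue(observed_src):
    """krb4: the KDC stamps the ticket with the request's source address."""
    return [observed_src]


def krb5_issue(requested_addrs):
    """krb5: the ticket carries the address list the requestor asked for.
    An empty list models an addressless ticket (valid from any address)."""
    return list(requested_addrs)


def service_accepts(ticket_addrs, observed_src):
    """Service-side check: an addressless ticket passes; otherwise the
    connection's source address must appear in the ticket."""
    return not ticket_addrs or observed_src in ticket_addrs


def scenarios():
    seen = nat(CLIENT_PRIVATE)  # what the KDC and the service observe
    return {
        "krb4": service_accepts(krb4_issue(seen), seen),
        "krb5 local interfaces":
            service_accepts(krb5_issue([CLIENT_PRIVATE]), seen),
        "krb5 noaddresses":
            service_accepts(krb5_issue([]), seen),
        "krb5 virtual interface":
            service_accepts(krb5_issue([CLIENT_PRIVATE, NAT_EXTERNAL]), seen),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24} {'accepted' if ok else 'rejected'}")
```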