}> }How'd you get kerberos to put the NAT machine's IP address in the
}> }kerberos packets?

}> It may have something to do with the way Windows does kerberos, that's
}> the only machine I have behind a NAT.  Everything seems to be working
}> more or less ok.

}I don't think Windows puts an address in the ticket at all.

Well, actually, what we're using does, but it doesn't have anything
to do with anything, it's just in the ticket file as cleartext with
no apparent purpose.  The address is the address the client has.

}What is really needed is an addition to the krb5.conf file.  Someone
}should code this.  :)
}
}[libdefaults]
}	scan_interfaces = no
}	add_ipaddresses = 1.2.3.4, 2.3.4.5

}> I'd test a NetBSD box, but I upgraded to -current, and am trying to
}> figure out why the crypto-us stuff won't compile.  (Problems with
}> libcrypto, possibly self-inflicted by the way I upgraded.)

}libcrypto != krb5's librypto.  Some parts of the system think krb5's
}libcrypto is "libcrypto" while others know it was renamed to
}"libk5crypto"

I'm not using krb5 yet.  The system I'm authenticating against is
krb5 but no clients are krb5 yet, so I only need krb4 stuff.  If
I have CRYPTOBASE set to domestic, and do a make build, libcrypt
will not build.  If I don't have CRYPTOBASE set, then I can build
libcrypt just fine, instead make build fails in biosboot.  Whee.
I'm starting to think the libcrypt failure isn't my fault, but
I'm going to stare at it a bit more.  (I mistyped earlier, I
said libcrypto, meant libcrypt, which can only confuse things more.)

Tracy J. Di Marco White
Project Vincent Systems Manager
gendalia@iastate.edu