Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!bywater!scifi!watson!arnor!news
From: galina@watson.ibm.com_ (Galina Kofman)
Newsgroups: comp.protocols.kerberos
Subject: Re: Kerberos and two ethernet ports
Message-ID: <1991May23.144713.21302@watson.ibm.com>
Date: 23 May 91 14:47:13 GMT
Sender: news@watson.ibm.com (NNTP News Poster)
Organization: IBM T.J. Watson Research Center
Lines: 53
Nntp-Posting-Host: rachel

In  <10452@castle.ed.ac.uk>  jaw@castle.ed.ac.uk (Graeme Wood) writes:
>
> I have recently attemted to put up kerberos on a Sequent S81.  The
> source was the Bones distribution with Eric Young's DES library.
>
> The source compiled ok, but when I run kinit and talked to our kerberos
> server I get an authentication error:
>
> sequent$ kinit
> EUCS Project Fred (sequent)
> Kerberos Initialization
> Kerberos name: jaw
> kinit: Password incorrect
> sequent$
>
> I believe that the problem is caused by the Sequent having two ethernet
> ports and kerberos is seeing a request coming from the secondary enet
> port with the IP address of the primary enet port in the authenticator
> and so rejects the request thinking that someone is trying to masquerade
> as the host.
>
> Has anyone else seen this problem? Does anybody have any ideas as to
> what could be happening and how I could fix it or work around it?
>
> Graeme Wood
> (Graeme.Wood@edinburgh.ac.uk)

If you have multihomed host, you can specify the your particular ip address
by doing bind on your local socket.  This is what I have done to make the
code run on our multihomed host:

In send_to_kdc.c after the socket was obtained add:

    if ( loc_host_addr == 0 ) /* static u_long loc_host_addr = 0 initially */ {
        if ( (loc_host_addr = gethostid()) == 0) {
            if (krb_debug)
               fprintf(stderr, "%s: Gethostid error\n", prog);
            return(SKDC_CANT);
        }
    }
    local.sin_addr.s_addr = loc_host_addr;
    local.sin_family = AF_INET;
    if (bind(f, &local, S_AD_SZ, 0) < 0) /* struct sockaddr_in local */ {
        if (krb_debug)
               fprintf(stderr, "%s: Can't bind \n", prog);
        return(SKDC_CANT);

Similar code was added to kadm_cli_wrap.c, adm_serv.c, kerberos.c, etc


K5 supports multihomed hosts.

Galina Kofman.