>>> 2. I believe that KRB5KRB_ERR_RESPONSE_TOO_BIG implies that the response was too big for UDP

I can second that belief. I only see these in the logs on domains where Kerb traffic has NOT been forced to TCP. A regular symptom in such domains is the notorious event ID 5719, the inability to join computers to the domains in question, and some other Kerberos-related netdiag errors. When Kerberos is going over TCP, you don't see the TOO_BIG error in the packet, and you don't see 5719 in the event log anymore.

Sincerely,
Dèjì Akómoláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Ruston, Neil
Sent: Mon 5/9/2005 2:01 AM
To: '[email protected]'
Subject: [ActiveDir] Use of SRV records (_ldap, _kerberos, _kpasswd) (WAS: DNS vs. Hosts File)

1. If memory serves (and it lets me down now and then!), the kpasswd service is only used by non-Windows Kerberos clients. Windows servers register this service in DNS for compatibility (and adherence to standards) rather than because Windows clients actually use/need this service.

2. I believe that KRB5KRB_ERR_RESPONSE_TOO_BIG implies that the response was too big for UDP and that TCP was used therefore. This can be overcome by using TCP for all Kerberos related requests.

hth,
neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: 09 May 2005 09:27
To: [email protected]
Subject: [ActiveDir] Use of SRV records (_ldap, _kerberos, _kpasswd) (WAS: DNS vs. Hosts File)

Hi,

A few days ago we were talking about the different service records (_ldap, _kerberos and _kpasswd) and when these are used. Joe did a network trace and posted his findings. I was also curious and I also did a network trace. Here are my findings. (I did not go through the traces thoroughly.)

I did three network traces and used the following:

Configuration used:
* Windows 2003 SP0 installed and upgraded to SP1 -> DC/DNS
* Windows 2003 SP1 installed -> Client
* 1 AD domain
* Network monitor installed on both the client and the DC
* Network monitor used: Packetyzer 4.0.0

TRACES:

(1) Joining a client to an AD domain
--> _ldap SRV RR and _kerberos SRV RR used
--> NetBIOS also used to determine DCs. Don't understand this one!
--> Received "KRB5KRB_ERR_RESPONSE_TOO_BIG" several times. Don't understand this one!
(2) Booting of a client and the logon of a user
--> _ldap SRV RR used. Use of _kerberos SRV RR not detected, but Kerberos authentication is used!
--> Received "KRB5KRB_ERR_RESPONSE_TOO_BIG" several times. Don't understand this one!

(3) Password change of a user account
--> Received "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN". The client used the SPN "cifs/172.16.1.11" instead of "cifs/w2k3dc01.w2k3domain.lan". Don't understand why.

As far as I know the _kpasswd service record is for the Kerberos Password Change service, but I have not seen it being used in the trace.

For the specific findings see below.

Cheers,
#JORGE#

PS: If anyone is interested in also receiving the traces, mail me offline.

(1) findings:

Queries (FROM THE CLIENT TO THE DC)
--> 4x _ldap._tcp.dc._msdcs.W2K3DOMAIN.LAN: type SRV, class IN
      Name: _ldap._tcp.dc._msdcs.W2K3DOMAIN.LAN
      Type: SRV (Service location)
      Class: IN (0x0001)

Queries (FROM THE CLIENT TO THE DC)
--> 8x W2K3DOMAIN.LAN<1c>: type NB, class IN
      Name: W2K3DOMAIN.LAN<1c> (Domain Controllers)
      Type: NB
      Class: IN

Queries (FROM THE CLIENT TO THE DC)
--> 1x _kerberos._tcp.dc._msdcs.W2K3DOMAIN.LAN: type SRV, class IN
      Name: _kerberos._tcp.dc._msdcs.W2K3DOMAIN.LAN
      Type: SRV (Service location)
      Class: IN (0x0001)

Kerberos AS-REQ (User Datagram Protocol, Src Port: 1050 (1050), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1050 (1050)) (FROM THE DC TO THE CLIENT)
      Pvno: 5
      MSG Type: KRB-ERROR (30)
      stime: 2005-05-07 20:20:00 (Z)
      susec: 665713
      error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
      Realm: W2K3DOMAIN.LAN
      Server Name (Service and Instance): krbtgt/W2K3DOMAIN.LAN
            Name-type: Service and Instance (2)
            Name: krbtgt
            Name: W2K3DOMAIN.LAN

Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1052 (1052), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1052 (1052)) (FROM THE DC TO THE CLIENT)
      Pvno: 5
      MSG Type: KRB-ERROR (30)
      stime: 2005-05-07 20:20:01 (Z)
      susec: 962588
      error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
      Realm: W2K3DOMAIN.LAN
      Server Name (Service and Instance): cifs/w2k3dc01.w2k3domain.lan
            Name-type: Service and Instance (2)
            Name: cifs
            Name: w2k3dc01.w2k3domain.lan

Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1069 (1069), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1069 (1069)) (FROM THE DC TO THE CLIENT)
      Pvno: 5
      MSG Type: KRB-ERROR (30)
      stime: 2005-05-07 20:20:08 (Z)
      susec: 259463
      error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
      Realm: W2K3DOMAIN.LAN
      Server Name (Service and Instance): ldap/w2k3dc01.w2k3domain.lan
            Name-type: Service and Instance (2)
            Name: ldap
            Name: w2k3dc01.w2k3domain.lan

(2) findings:

Queries (FROM THE CLIENT TO THE DC)
--> 3x W2K3DC01.W2K3DOMAIN.LAN: type A, class IN
      Name: W2K3DC01.W2K3DOMAIN.LAN
      Type: A (Host address)
      Class: IN (0x0001)

Queries (FROM THE CLIENT TO THE DC)
--> 1x _ldap._tcp.Default-First-Site-Name._sites.W2K3DOMAIN.LAN: type SRV, class IN
      Name: _ldap._tcp.Default-First-Site-Name._sites.W2K3DOMAIN.LAN
      Type: SRV (Service location)
      Class: IN (0x0001)

Kerberos AS-REQ (User Datagram Protocol, Src Port: 1069 (1069), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1069 (1069)) (FROM THE DC TO THE CLIENT)
      Pvno: 5
      MSG Type: KRB-ERROR (30)
      stime: 2005-05-07 20:27:19 (Z)
      susec: 90859
      error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
      Realm: W2K3DOMAIN
      Server Name (Service and Instance): krbtgt/W2K3DOMAIN
            Name-type: Service and Instance (2)
            Name: krbtgt
            Name: W2K3DOMAIN

Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1071 (1071), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1071 (1071)) (FROM THE DC TO THE CLIENT)
      Pvno: 5
      MSG Type: KRB-ERROR (30)
      stime: 2005-05-07 20:27:19 (Z)
      susec: 106484
      error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
      Realm: W2K3DOMAIN.LAN
      Server Name (Service and Host): host/w2k3sp1srv00.w2k3domain.lan
            Name-type: Service and Host (3)
            Name: host
            Name: w2k3sp1srv00.w2k3domain.lan

Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1073 (1073), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1073 (1073)) (FROM THE DC TO THE CLIENT)
      Pvno: 5
      MSG Type: KRB-ERROR (30)
      stime: 2005-05-07 20:27:20 (Z)
      susec: 75234
      error_code: KRB5KRB_ERR_RESPONSE_TOO_BIG (52)
      Realm: W2K3DOMAIN.LAN
      Server Name (Service and Instance): cifs/W2K3DC01.W2K3DOMAIN.LAN
            Name-type: Service and Instance (2)
            Name: cifs
            Name: W2K3DC01.W2K3DOMAIN.LAN

(3) findings:

NO SRV RRs used here

Kerberos TGS-REQ (User Datagram Protocol, Src Port: 1085 (1085), Dst Port: kerberos (88)) (FROM THE CLIENT TO THE DC)

Kerberos KRB-ERROR (User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1085 (1085)) (FROM THE DC TO THE CLIENT)
      Pvno: 5
      MSG Type: KRB-ERROR (30)
      stime: 2005-05-07 20:31:10 (Z)
      susec: 262734
      error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
      Realm: W2K3DOMAIN.LAN
      Server Name (Service and Instance): cifs/172.16.1.11
            Name-type: Service and Instance (2)
            Name: cifs
            Name: 172.16.1.11

Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__________________________________________
LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel : +31-(0)40-29.57.777
Fax : +31-(0)40-29.57.709
Mobile : +31-(0)6-26.26.62.80
E-mail : [EMAIL PROTECTED]
http://www.logicacmg.com/ - Solutions that matter -

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
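The KRB-ERROR exchange the traces above show, as an added example that is not code from this thread, from Microsoft or from Packetyzer: a minimal DER encoder and decoder for the KRB-ERROR message (RFC 4120 section 5.9.1), the client rule that maps error-code 52 to "resend the identical request over TCP", and the 4-byte length prefix Kerberos uses on TCP (RFC 4120 section 7.2.2). The sample message is constructed inline from the field values of the first KRB-ERROR in trace (1); it is not bytes captured from the trace. The error-code and name-type tables and all helper names are this example's own.

```python
"""KRB-ERROR decoding and the UDP -> TCP retry rule (added example, not from the thread)."""
from datetime import datetime, timezone

# Error codes from RFC 4120 section 7.5.9; 52 and 7 are the two that appear in the traces.
ERROR_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
    52: "KRB5KRB_ERR_RESPONSE_TOO_BIG",
}
# Packetyzer's "Service and Instance (2)" and "Service and Host (3)".
NAME_TYPES = {1: "NT-PRINCIPAL", 2: "NT-SRV-INST", 3: "NT-SRV-HST"}

APPLICATION_30 = 0x7E  # KRB-ERROR ::= [APPLICATION 30] SEQUENCE { ... }
SEQUENCE, INTEGER, GENERALIZED_TIME, GENERAL_STRING = 0x30, 0x02, 0x18, 0x1B


# --- minimal DER encoder, just enough to build a KRB-ERROR ---
def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def der_int(v):
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):  # shortest two's-complement width
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def ctx(n, body):  # [n] EXPLICIT context-specific tag, constructed
    return tlv(0xA0 | n, body)

def kstring(s):  # KerberosString ::= GeneralString
    return tlv(GENERAL_STRING, s.encode("ascii"))

def principal_name(name_type, parts):
    return tlv(SEQUENCE, ctx(0, der_int(name_type))
               + ctx(1, tlv(SEQUENCE, b"".join(kstring(p) for p in parts))))

def build_krb_error(error_code, realm, sname_type, sname, stime, susec):
    """KRB-ERROR carrying only the mandatory fields: pvno, msg-type, stime, susec, error-code, realm, sname."""
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30))
            + ctx(4, tlv(GENERALIZED_TIME, stime.encode("ascii"))) + ctx(5, der_int(susec))
            + ctx(6, der_int(error_code)) + ctx(9, kstring(realm))
            + ctx(10, principal_name(sname_type, sname)))
    return tlv(APPLICATION_30, tlv(SEQUENCE, body))


# --- minimal DER reader ---
def read_tlv(buf, pos=0):
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def read_seq(buf):
    items, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        items.append((tag, body))
    return items

def _int(body):
    return int.from_bytes(body, "big", signed=True)

def parse_krb_error(msg):
    tag, body, _ = read_tlv(msg)
    if tag != APPLICATION_30:
        raise ValueError("not a KRB-ERROR: outer tag 0x%02x" % tag)
    _, seq, _ = read_tlv(body)
    # Every member is [n] { value }; keep each value's body keyed by n, so optional members simply stay absent.
    fields = {t & 0x1F: read_tlv(b)[1] for t, b in read_seq(seq)}
    (_, type_tlv), (_, names_tlv) = read_seq(fields[10])  # PrincipalName = { [0] name-type, [1] name-string }
    name_type = _int(read_tlv(type_tlv)[1])
    names = [b.decode("ascii") for _, b in read_seq(read_tlv(names_tlv)[1])]
    code = _int(fields[6])
    return {
        "pvno": _int(fields[0]),
        "msg_type": _int(fields[1]),
        "stime": datetime.strptime(fields[4].decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
        "susec": _int(fields[5]),
        "error_code": code,
        "error_name": ERROR_NAMES.get(code, "UNKNOWN(%d)" % code),
        "realm": fields[9].decode("ascii"),
        "sname_type": NAME_TYPES.get(name_type, str(name_type)),
        "sname": "/".join(names),
    }

def retry_transport(err):
    """Client rule: error-code 52 means 'resend the identical request over TCP'; anything else is a real KDC answer."""
    return "tcp" if err["error_code"] == 52 else None

def tcp_frame(krb_msg):
    """Kerberos over TCP: 4-octet network-order length with the high bit zero, then the DER message (RFC 4120 7.2.2)."""
    if len(krb_msg) >= 1 << 31:
        raise ValueError("message too long for a Kerberos TCP frame")
    return len(krb_msg).to_bytes(4, "big") + krb_msg

# Constructed sample: the field values of the first KRB-ERROR in trace (1); not bytes captured from the trace.
SAMPLE = build_krb_error(52, "W2K3DOMAIN.LAN", 2, ["krbtgt", "W2K3DOMAIN.LAN"], "20050507202000Z", 665713)

if __name__ == "__main__":
    err = parse_krb_error(SAMPLE)
    print(err["error_name"], "for", err["sname"], "-> next transport:", retry_transport(err))
    print("TCP frame starts with length prefix", tcp_frame(SAMPLE)[:4].hex())
```

Run as-is, parse_krb_error(SAMPLE) yields error_code 52 for krbtgt/W2K3DOMAIN.LAN and retry_transport answers "tcp", which is what a Windows client does on its own after each of the UDP errors in the traces. The remedy Neil and Dèjì describe, forcing TCP up front so the UDP attempt and the error 52 never happen, is the MaxPacketSize DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters set to 1 (Microsoft KB 244474).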
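The DC-locator side of the same traces, as an added example that is not code from this thread or from Microsoft: the SRV owner names a domain member asks for (the dc._msdcs and _sites forms appear in traces (1) and (2); the _kpasswd forms are the records Neil and Jorge discuss), a parser for SRV answers in DNS wire format (RFC 1035 names with compression, RFC 2782 RDATA), and the RFC 2782 priority/weight selection a client applies to the result. The reply is constructed inline; w2k3dc02 is an invented second DC, not a host from the trace, and the function names are this example's own.

```python
"""DC-locator SRV names, SRV wire-format parsing and RFC 2782 selection (added example, not from the thread)."""
import random
import struct

SRV_TYPE, IN_CLASS = 33, 1

def locator_queries(domain, site=None):
    """SRV owner names Netlogon registers and a member asks for; site-specific ones first when the site is known.
    Only the list of names, not the whole DC locator (which also falls back to NetBIOS <1c>, as trace (1) shows)."""
    d = domain.rstrip(".")
    names = []
    if site:
        names += [f"_ldap._tcp.{site}._sites.{d}", f"_kerberos._tcp.{site}._sites.{d}"]
    names += [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
              f"_kerberos._tcp.{d}", f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}"]
    return names

def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"

def decode_name(pkt, pos):
    """Read an RFC 1035 name (labels, possibly ending in a compression pointer); return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[pos]
        if length & 0xC0 == 0xC0:          # 11xxxxxx: pointer into the packet
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if end is None:
                end = pos + 2              # the stream continues right after the first pointer
            pos = struct.unpack("!H", pkt[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (pos if end is None else end)

def build_srv_response(qname, records, txid=0x1234):
    """Constructed reply: header, the echoed question, one SRV RR per (priority, weight, port, target)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)   # QR=1 RD=1 RA=1 RCODE=0
    question = encode_name(qname) + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    answers = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)  # RFC 2782: target never compressed
        answers += b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata)) + rdata
    return header + question + answers

def parse_srv_response(pkt):
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F:
        raise ValueError("DNS RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):                    # skip the echoed question(s)
        _, pos = decode_name(pkt, pos)
        pos += 4
    records = []
    for _ in range(an):
        owner, pos = decode_name(pkt, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == SRV_TYPE and rclass == IN_CLASS:
            prio, weight, port = struct.unpack("!HHH", pkt[pos:pos + 6])
            target, _ = decode_name(pkt, pos + 6)
            records.append({"owner": owner, "ttl": ttl, "priority": prio,
                            "weight": weight, "port": port, "target": target})
        pos += rdlen
    return records

def select_target(records, rng=random):
    """RFC 2782: lowest priority wins; among equals, weighted random with weight-0 entries placed first."""
    if not records:
        return None
    best = min(r["priority"] for r in records)
    pool = sorted((r for r in records if r["priority"] == best), key=lambda r: r["weight"])
    pick = rng.randint(0, sum(r["weight"] for r in pool))
    running = 0
    for r in pool:
        running += r["weight"]
        if running >= pick:
            return r
    return pool[-1]

# Constructed reply to the first query in trace (1); w2k3dc02 is an invented second DC, deliberately less preferred.
SAMPLE_REPLY = build_srv_response("_ldap._tcp.dc._msdcs.W2K3DOMAIN.LAN",
                                  [(0, 100, 389, "w2k3dc01.w2k3domain.lan"),
                                   (10, 100, 389, "w2k3dc02.w2k3domain.lan")])

if __name__ == "__main__":
    for q in locator_queries("W2K3DOMAIN.LAN", "Default-First-Site-Name"):
        print("query", q)
    chosen = select_target(parse_srv_response(SAMPLE_REPLY))
    print("use", chosen["target"], "port", chosen["port"])
```

The priority rule is why the second DC never gets picked here even though both carry the same weight; a client only spreads load by weight among records that share the lowest priority.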
