On Wed, Sep 28, 2016 at 09:19:37AM +0200, Troels Hansen wrote:
> 
> 
> ----- On Sep 26, 2016, at 1:30 PM, Sumit Bose sb...@redhat.com wrote:
> 
> > About the DNS SRV records, did you add matching records for _udp as
> > well? I'm not sure if the AD client will fallback to _tcp if they are
> > missing or just stop?
> > 
> 
> 
> Ok, finally got some time to debug this.
> 
> tcpdump'ing on the IPA server while logging in, and analyzing the traffic in
> Wireshark, I can see some KRB5KDC_ERR_PREAUTH_REQUIRED traffic to both of
> the KDCs as expected, followed by some AS-REQ and AS-REP, finally followed
> by KRB5KRB_ERR-RESPONSE_TOO_BIG. The source MAC is a Cisco router despite the
> server being HP, so somewhere in the network a Cisco router is breaking our
> Kerberos.

KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The
Kerberos communication is typically started via UDP. But the PAC data in
the ticket is typically larger than a single UDP packet. The KDC tells
the client with KRB5KRB_ERR-RESPONSE_TOO_BIG to switch to TCP so that the
response can be reliably sent in multiple TCP packets. If
KRB5KRB_ERR-RESPONSE_TOO_BIG is the last you see on the wire I would
suspect that port 88 TCP is blocked somewhere.

HTH

bye,
Sumit

> 
> I'll start hunting a solution somewhere else but IPA......
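The diagnosis in Sumit's reply (UDP AS-REQ, KRB_ERR_RESPONSE_TOO_BIG, client retries over TCP, nothing further on the wire if tcp/88 is filtered) can be checked from the client side without another packet capture by simply trying to open a TCP connection to port 88 on each KDC. The script below is an added example for this thread, not code from the freeipa-users list or from the FreeIPA project. The KDC host names in it are constructed placeholders; the error-code numbers are the ones RFC 4120 section 7.5.9 assigns to the two errors that appear in the trace.

```python
"""Check whether each KDC accepts TCP connections on port 88.

Added example, not code from the thread or from FreeIPA. The KDC host
names in main() are constructed placeholders; replace them with the hosts
your realm's _kerberos._tcp SRV records point at.
"""
import socket

# Kerberos error codes (RFC 4120 section 7.5.9) that appear in the trace
# described in the thread. Code 52 is the KDC's "retry over TCP" signal.
KRB_ERROR_CODES = {
    25: "KDC_ERR_PREAUTH_REQUIRED",   # normal first round trip of an AS-REQ
    52: "KRB_ERR_RESPONSE_TOO_BIG",   # reply (for example with a PAC) does not fit in one UDP datagram
}

KERBEROS_PORT = 88


def check_tcp_port(host, port=KERBEROS_PORT, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # connection refused, timed out (filtered), or name resolution failed
        return False


def kdc_tcp_reachability(kdcs, port=KERBEROS_PORT, timeout=3.0):
    """Map each KDC host to whether tcp/88 answers.

    A client that receives KRB_ERR_RESPONSE_TOO_BIG over UDP retries the
    request over TCP, so a KDC whose tcp/88 is filtered produces exactly
    the trace described in the thread: TOO_BIG is the last thing on the wire.
    """
    return {kdc: check_tcp_port(kdc, port, timeout) for kdc in kdcs}


def explain_error_code(code):
    """Human-readable name for a Kerberos error code seen in a capture."""
    return KRB_ERROR_CODES.get(code, "UNKNOWN(%d)" % code)


def start_local_listener():
    """Open a listening TCP socket on an ephemeral loopback port.

    Only used to exercise check_tcp_port() offline; a real check targets
    the KDCs themselves.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed placeholder KDC names; substitute your own.
    kdcs = ["ipa1.example.test", "ipa2.example.test"]
    for host, ok in kdc_tcp_reachability(kdcs).items():
        state = "open" if ok else "BLOCKED or unreachable"
        print("%s tcp/%d: %s" % (host, KERBEROS_PORT, state))
```

Run it from the same client that shows the failing logins, since a filter on the path between that subnet and the KDCs is what the trace suggests; a result of "BLOCKED or unreachable" for a KDC that answers UDP is consistent with the capture in the thread. The check only covers TCP reachability, not the Kerberos exchange itself, so a KDC that is up but not yet serving will also show as open.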

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project