----- On Sep 28, 2016, at 10:06 AM, Sumit Bose sb...@redhat.com wrote: > KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The > Kerberos communication is typically started via UDP. But the PAC data in > the ticket is typically larger than a single UPD packet. The KDC tells > the client wit KRB5KRB_ERR-RESPONSE_TOO_BIG to switch to tcp so that the > response can be reliably send in multiple tcp packets. If > KRB5KRB_ERR-RESPONSE_TOO_BIG is the last you see on the wire I would > suspect that port 88 tcp is blocked somewhere. >
Yes, you are absolutely correct. We actually switch to TCP after the initial try on UDP. I can see that we send a TGS-REQ over TCP to the AD for the current domain (NET), and AD answers back with a TGS-REP where I can see "KerberosString" tor the root domain (PLACE), and we then ads the DC for PLACE, with a TGS-REQ and get a TGS-REP with KerberosString for the IPA domain. So, actually kerberos traffic seems to be OK.... -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project