----- On Sep 28, 2016, at 10:06 AM, Sumit Bose sb...@redhat.com wrote:
> KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The
> Kerberos communication is typically started via UDP. But the PAC data in
> the ticket is typically larger than a single UPD packet. The KDC tells
> the client wit KRB5KRB_ERR-RESPONSE_TOO_BIG to switch to tcp so that the
> response can be reliably send in multiple tcp packets. If
> KRB5KRB_ERR-RESPONSE_TOO_BIG is the last you see on the wire I would
> suspect that port 88 tcp is blocked somewhere.

Yes, you are absolutely correct. We actually switch to TCP after the initial 
try on UDP.

I can see that we send a TGS-REQ over TCP to the AD for the current domain 
(NET), and AD answers back with a TGS-REP where I can see "KerberosString" tor 
the root domain (PLACE), and we then ads the DC for PLACE, with a TGS-REQ and 
get a TGS-REP with KerberosString for the IPA domain.

So, actually kerberos traffic seems to be OK....

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to