On Wed, Sep 28, 2016 at 10:33:43AM +0200, Troels Hansen wrote:
> ----- On Sep 28, 2016, at 10:06 AM, Sumit Bose sb...@redhat.com wrote:
> > KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The
> > Kerberos communication is typically started via UDP. But the PAC data in
> > the ticket is typically larger than a single UPD packet. The KDC tells
> > the client wit KRB5KRB_ERR-RESPONSE_TOO_BIG to switch to tcp so that the
> > response can be reliably send in multiple tcp packets. If
> > KRB5KRB_ERR-RESPONSE_TOO_BIG is the last you see on the wire I would
> > suspect that port 88 tcp is blocked somewhere.
> Yes, you are absolutely correct. We actually switch to TCP after the initial
> try on UDP.
> I can see that we send a TGS-REQ over TCP to the AD for the current domain
> (NET), and AD answers back with a TGS-REP where I can see "KerberosString"
> tor the root domain (PLACE), and we then ads the DC for PLACE, with a TGS-REQ
> and get a TGS-REP with KerberosString for the IPA domain.
> So, actually kerberos traffic seems to be OK....
Yes, this makes sense as well. If you are not in the forest root you
first need a cross-realm TGT for your domain and the forest root. Then
you need a cross-realm TGT for the forest root and the IPA domain.
As a next step you should see a request to the IPA KDC to get the actual
service ticket for the host in the IPA domain.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project