[31161] in Kerberos


UDP/TCP problem in cross-realm authentication

daemon@ATHENA.MIT.EDU (Bjoern Tore Sund)
Fri May 22 05:05:56 2009

Message-ID: <4A166AB9.2040903@it.uib.no>
Date: Fri, 22 May 2009 11:04:57 +0200
From: Bjoern Tore Sund <bjorn.sund@it.uib.no>
To: kerberos@MIT.EDU


We have Linux clients in an MIT Kerberos realm (1.6.3), Windows XP SP3 
clients in AD and two-way trust configured.  Accessing AD resources from 
Linux clients works perfectly.

Accessing resources in the MIT Kerberos realm from Windows fails more 
often than not.  Lots of packet sniffing shows fragmented UDP packets 
which the Unix server isn't able to reassemble.  So, in accordance with 
http://support.microsoft.com/kb/244474 we've set 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize 
to 1 on the XP clients.  Still no go, 
they never try TCP (again sniffing both on the XP client and the Unix 
Kerberos server) but go straight for TCP.  TCP is working on the Unix 
Kerberos server, the Linux clients are happily using it.  Has anyone 
seen MaxPacketSize fail to have effect before?  Any ideas on how to trace 
this further?

-BT
-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund@it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
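
An added example, not part of the original message: one way to check from a capture which transport a client uses towards the KDC and whether its UDP requests are being fragmented. The function names, addresses and sample packets are constructed for illustration; port 88 is the standard KDC port.

```python
import struct
from collections import Counter

KDC_PORT = 88  # standard Kerberos KDC port

def ipv4(proto, ident, flags_frag, src, dst, payload):
    """Build a minimal IPv4 packet (constructed test data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, proto, 0, src, dst) + payload

def summarize(packets):
    """Count Kerberos packets by transport, including IP fragments of UDP/88."""
    counts = Counter()
    fragmented = set()  # (src, dst, ip_id) of UDP/88 datagrams sent in pieces
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_frag, _ttl, proto = struct.unpack("!HHBB", pkt[4:10])
        key = (pkt[12:16], pkt[16:20], ident)
        if flags_frag & 0x1FFF:  # later fragment: no ports, match on the IP id
            if key in fragmented:
                counts["udp_kdc_fragment"] += 1
            continue
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if KDC_PORT not in (sport, dport):
            continue
        if proto == 17:
            counts["udp_kdc"] += 1
            if flags_frag & 0x2000:  # More Fragments set on the first piece
                fragmented.add(key)
                counts["udp_kdc_fragment"] += 1
        elif proto == 6:
            counts["tcp_kdc"] += 1
    return counts

# Constructed sample: addresses, ports and sizes are made up for illustration.
CLIENT, KDC = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
SAMPLE = [
    ipv4(17, 0x1234, 0x2000, CLIENT, KDC,  # first fragment of a UDP request
         struct.pack("!HHHH", 1085, KDC_PORT, 2080, 0) + bytes(1472)),
    ipv4(17, 0x1234, 1480 // 8, CLIENT, KDC, bytes(600)),  # final fragment
    ipv4(6, 0x1235, 0x4000, CLIENT, KDC,  # TCP SYN to the KDC
         struct.pack("!HHLLBBHHH", 1086, KDC_PORT, 0, 0, 0x50, 0x02, 8192, 0, 0)),
    ipv4(17, 0x1236, 0, CLIENT, KDC, struct.pack("!HHHH", 1087, 53, 8, 0)),  # DNS
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

The function expects bytes starting at the IPv4 header, so strip the link-layer header from captured frames first; a later fragment seen before its first fragment is not counted.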