[31171] in Kerberos


Re: UDP/TCP problem in cross-realm authentication

daemon@ATHENA.MIT.EDU (Bjørn Tore Sund)
Fri May 22 15:01:04 2009

Message-ID: <4A16F646.1020607@it.uib.no>
Date: Fri, 22 May 2009 21:00:22 +0200
From: Bjørn Tore Sund <bjorn.sund@it.uib.no>
MIME-Version: 1.0
To: "Wilper, Ross A" <rwilper@stanford.edu>
In-Reply-To: <B9BF119F687A824C8A49C4E4ED69576801711603@its-exchmb01.stanford.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit


No, that setting I hadn't found - and it solved the issue.  Thank you 
very much.  Good to have a place to ask when Google fails me. :)

-BT

Wilper, Ross A wrote:
> Have you tried setting this on the client Windows machine? 
> 
> HKLM\CurrentControlSet\Control\LSA\Kerberos\Domains\YOUR.REALM
> 	RealmFlags = Reg_DWORD = 2 (USE_TCP)
> 
> The default behavior for a cross-realm trust is to assume that only UDP is supported.
> 
> -Ross
> 
> -----Original Message-----
> From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Bjoern Tore Sund
> Sent: Friday, May 22, 2009 2:44 AM
> To: miguel.sanders@arcelormittal.com
> Cc: kerberos@mit.edu
> Subject: Re: UDP/TCP problem in cross-realm authentication
> 
> miguel.sanders@arcelormittal.com wrote:
>> Moreover, do you even see the KRB5KRB_ERR_RESPONSE_TOO_BIG reply from the KDC?
> 
> The MIT KDC doesn't seem to see the fragmented UDP packets at all, only 
> when the occasional non-fragmented packet arrives does anything happen. 
>  From the client side the connection (I'm testing with a web page on 
> apache) just seems to hang for 20-30 seconds before the connection falls 
> back to username/password authentication.
> 
> -BT
> 
>>
>> Met vriendelijke groet
>> Best regards
>> Bien à vous
>>
>> Miguel SANDERS
>> ArcelorMittal Gent
>>
>> UNIX Systems & Storage
>> IT Supply Western Europe | John Kennedylaan 51
>> B-9042 Gent
>>
>> T +32 9 347 3538 | F +32 9 347 4901 | M +32478 805 023
>> E miguel.sanders@arcelormittal.com
>> www.arcelormittal.com/gent
>>
>> -----Oorspronkelijk bericht-----
>> Van: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] Namens Bjoern Tore Sund
>> Verzonden: vrijdag 22 mei 2009 11:05
>> Aan: kerberos@mit.edu
>> Onderwerp: UDP/TCP problem in cross-realm authentication
>>
>>
>> We have Linux clients in an MIT Kerberos realm (1.6.3), Windows XP SP3 clients in AD and two-way trust configured.  Accessing AD resources from Linux clients works perfectly.
>>
>> Accessing resources in the MIT Kerberos realm from Windows fails more often than not.  Lots of packet sniffing shows fragmented UDP packets which the unix server isn't able to reassemble.  So, in accordance with
>> http://support.microsoft.com/kb/244474 we've set HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
>> Kerberos\Parameters\MaxPacketSize to 1 on the XP clients.  Still no go, they never try TCP (again sniffing both on the XP client and the unix kerberos server) but go straight for TCP.  TCP is working on the unix kerberos server, the Linux clients are happily using it.  Has anyone seen MaxPacketSize fail to have effect before?  Any ideas on how to trace this further?
>>
>> -BT
> 
> 


-- 
Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund@it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
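Added example (editor's note, not part of the thread and not vendor code): the two client-side registry settings discussed above, applied from PowerShell. It uses the full key path HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\... (the path quoted from KB244474 in the original post; Ross's shorter path omits the SYSTEM hive). The realm name EXAMPLE.ORG is a placeholder. The thread reports that MaxPacketSize=1 alone did not move the cross-realm requests onto TCP, which is why the per-realm RealmFlags bit is set as well. Run elevated; on XP SP3 this needs the optional PowerShell 2.0 install.

```powershell
# Added example: enable TCP for a trusted MIT realm on a Windows Kerberos client.
# Placeholders: $Realm (replace with the MIT realm name). Run as Administrator.
param(
    [string]$Realm = 'EXAMPLE.ORG'   # assumption: the trusted MIT Kerberos realm
)

$domainsKey   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
$paramsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$TcpSupported = 0x2   # RealmFlags bit meaning "KDC for this realm supports TCP"

# The per-realm key only exists once something has configured this realm; create it if needed.
if (-not (Test-Path $domainsKey)) {
    New-Item -Path $domainsKey -Force | Out-Null
}

# RealmFlags is a bitmask: OR the TCP bit in rather than overwriting other flags.
$current = (Get-ItemProperty -Path $domainsKey -Name RealmFlags -ErrorAction SilentlyContinue).RealmFlags
if ($null -eq $current) { $current = 0 }
$new = $current -bor $TcpSupported
Set-ItemProperty -Path $domainsKey -Name RealmFlags -Value $new -Type DWord

# KB244474 setting: requests larger than MaxPacketSize bytes go over TCP.
# 1 means every request uses TCP. Per the thread, this alone did not affect
# cross-realm requests, so it is combined with RealmFlags above.
Set-ItemProperty -Path $paramsKey -Name MaxPacketSize -Value 1 -Type DWord

# Show what was written. The settings take effect on the next Kerberos
# exchange; reboot (or purge tickets) to be sure no cached state remains.
Get-ItemProperty -Path $domainsKey | Select-Object RealmFlags
Get-ItemProperty -Path $paramsKey  | Select-Object MaxPacketSize
```

The supported-tool equivalent for the RealmFlags bit is `ksetup /setrealmflags EXAMPLE.ORG tcpsupported`, which writes the same value under the same Domains\<realm> key; the script form is useful when you want to see and preserve the existing flag bits. Verify with a packet capture on the KDC that the AS/TGS traffic from the client now arrives on TCP/88 and that the MIT KDC is listening there.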

