On Wed, Sep 28, 2016 at 09:19:37AM +0200, Troels Hansen wrote:
> 
> ----- On Sep 26, 2016, at 1:30 PM, Sumit Bose [email protected] wrote:
> 
> > About the DNS SRV records, did you add matching records for _udp as
> > well? I'm not sure if the AD client will fall back to _tcp if they are
> > missing or just stop?
> 
> Ok, finally got some time to debug this.
> 
> tcpdump'ing in the IPA server and logging in, and analyzing the traffic in
> wireshark, I can see some KRB5KDC_ERR_PREAUTH_REQUIRED traffic to both of
> the KDCs as expected, followed by some AS-REQ and AS-REP, finally followed
> by KRB5KRB_ERR-RESPONSE_TOO_BIG; the source MAC is a Cisco router despite the
> server being HP, so somewhere in the network a Cisco router is breaking our
> Kerberos.
KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The Kerberos
communication is typically started via UDP. But the PAC data in the ticket is
typically larger than a single UDP packet. The KDC tells the client with
KRB5KRB_ERR-RESPONSE_TOO_BIG to switch to TCP so that the response can be
reliably sent in multiple TCP packets.

If KRB5KRB_ERR-RESPONSE_TOO_BIG is the last you see on the wire I would
suspect that port 88 tcp is blocked somewhere.

HTH

bye,
Sumit

> 
> I'll start hunting a solution somewhere else but IPA......

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
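As an added illustration of the decision Sumit describes (this is example
code written for this page, not code from FreeIPA, MIT krb5 or either poster):
the script below builds a KRB-ERROR per RFC 4120 with a small inline DER
encoder, reads the error-code back out of it, and maps it to what the client
does next. Error-code 52 (KRB_ERR_RESPONSE_TOO_BIG) means "repeat the same
request on 88/tcp", so the script also carries a connect-only probe for that
port. The realm, timestamp and principal in the constructed message are
placeholders, and the KDC hosts to probe are whatever is given on the command
line.

```python
"""Classify a KDC reply and decide whether the client must retry over TCP.

Added example for this thread (not FreeIPA or MIT krb5 code). The KRB-ERROR
is constructed inline so the script runs offline; realm, stime and the
principal are placeholders.
"""
import socket
import sys

KRB_ERROR_MSG_TYPE = 30          # msg-type of KRB-ERROR (RFC 4120 5.9.1)
KDC_ERR_PREAUTH_REQUIRED = 25    # the first error seen in the capture above
KRB_ERR_RESPONSE_TOO_BIG = 52    # "retry with TCP" (RFC 4120 7.5.9)
TAG_KRB_ERROR = 0x7E             # [APPLICATION 30], constructed


def der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def ctx(n: int, content: bytes) -> bytes:
    """Context-specific constructed tag [n] wrapping one field."""
    return tlv(0xA0 | n, content)


def der_int(v: int) -> bytes:
    """DER INTEGER, two's complement, minimal length for non-negative values."""
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def krb_error(error_code: int, realm: str = "EXAMPLE.COM") -> bytes:
    """Constructed KRB-ERROR carrying only the mandatory fields."""
    name_string = tlv(0x30, tlv(0x1B, b"krbtgt") + tlv(0x1B, realm.encode()))
    sname = tlv(0x30, ctx(0, der_int(2)) + ctx(1, name_string))  # NT-SRV-INST
    body = (ctx(0, der_int(5))                                  # pvno
            + ctx(1, der_int(KRB_ERROR_MSG_TYPE))               # msg-type
            + ctx(4, tlv(0x18, b"20160928071937Z"))             # stime (placeholder)
            + ctx(5, der_int(0))                                # susec
            + ctx(6, der_int(error_code))                       # error-code
            + ctx(9, tlv(0x1B, realm.encode()))                 # realm
            + ctx(10, sname))                                   # sname
    return tlv(TAG_KRB_ERROR, tlv(0x30, body))


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def krb_error_code(msg: bytes):
    """error-code of a KRB-ERROR, or None if msg is some other KDC message."""
    tag, seq, _ = der_read(msg)
    if tag != TAG_KRB_ERROR:
        return None                      # e.g. AS-REP is [APPLICATION 11]
    _, fields, _ = der_read(seq)
    msg_type = code = None
    pos = 0
    while pos < len(fields):
        tag, content, pos = der_read(fields, pos)
        if tag in (0xA1, 0xA6):          # [1] msg-type, [6] error-code
            _, raw, _ = der_read(content)
            value = int.from_bytes(raw, "big", signed=True)
            if tag == 0xA1:
                msg_type = value
            else:
                code = value
    return code if msg_type == KRB_ERROR_MSG_TYPE else None


def next_step(reply: bytes) -> str:
    """What a conforming client does with the reply (RFC 4120 7.2.1)."""
    code = krb_error_code(reply)
    if code is None:
        return "not-a-krb-error"
    if code == KRB_ERR_RESPONSE_TOO_BIG:
        return "retry-over-tcp"          # same request again, now on 88/tcp
    if code == KDC_ERR_PREAUTH_REQUIRED:
        return "resend-with-preauth"
    return f"error-{code}"


def tcp_reachable(host: str, port: int = 88, timeout: float = 3.0) -> bool:
    """Connect-only probe: the TCP fallback cannot work if this fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for code in (KDC_ERR_PREAUTH_REQUIRED, KRB_ERR_RESPONSE_TOO_BIG):
        print(f"error-code {code:>2} -> {next_step(krb_error(code))}")
    for kdc in sys.argv[1:]:             # optional live probe of each KDC
        state = "open" if tcp_reachable(kdc) else "BLOCKED or unreachable"
        print(f"{kdc}:88/tcp {state}")
```

Run it with the IPA servers as arguments to get the 88/tcp verdict for each
KDC. On the client itself, MIT krb5's own trace (KRB5_TRACE=/dev/stderr kinit
user@REALM) shows the same sequence the script models: the initial UDP
request, the too-big error, and the retry over TCP; if that TCP retry never
gets an answer, a filter between client and KDC is the first suspect.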
