On Wed, Sep 28, 2016 at 10:33:43AM +0200, Troels Hansen wrote: > > > ----- On Sep 28, 2016, at 10:06 AM, Sumit Bose [email protected] wrote: > > KRB5KRB_ERR-RESPONSE_TOO_BIG is an expected return code here. The > > Kerberos communication is typically started via UDP. But the PAC data in > > the ticket is typically larger than a single UPD packet. The KDC tells > > the client wit KRB5KRB_ERR-RESPONSE_TOO_BIG to switch to tcp so that the > > response can be reliably send in multiple tcp packets. If > > KRB5KRB_ERR-RESPONSE_TOO_BIG is the last you see on the wire I would > > suspect that port 88 tcp is blocked somewhere. > > > > > Yes, you are absolutely correct. We actually switch to TCP after the initial > try on UDP. > > I can see that we send a TGS-REQ over TCP to the AD for the current domain > (NET), and AD answers back with a TGS-REP where I can see "KerberosString" > tor the root domain (PLACE), and we then ads the DC for PLACE, with a TGS-REQ > and get a TGS-REP with KerberosString for the IPA domain. > > So, actually kerberos traffic seems to be OK....
Yes, this makes sense as well. If you are not in the forest root you first need a cross-realm TGT for your domain and the forest root. Then you need a cross-realm TGT for the forest root and the IPA domain. As a next step you should see a request to the IPA KDC to get the actual service ticket for the host in the IPA domain. bye, Sumit -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
