
kinit fails against W2k3 server



Hello list,

We have a huge network with a distributed AD domain.
We're using heimdal (0.6.3) kinit + the Samba net command to join the Linux 
machines to the domain.

For historical reasons, the administrator is a member of lots of groups. As a 
result the ticket size is too big for UDP, so the W2k3 server sends a 
KRB5KRB_ERR_RESPONSE_TOO_BIG (Response too big for UDP, retry with TCP) error 
back to kinit.

Unfortunately this case is not handled in lib/krb5/get_in_tck.c - 
krb5_get_in_cred(). Only the KRB5KDC_ERR_PREAUTH_REQUIRED error is handled.

According to what I've found under
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
, kinit should resend its request using TCP instead of UDP.

BTW, MIT-kinit behaves this way (but causes several other troubles later on).

I'm new to this code, so I've no idea how to manipulate the proto property for 
the second try.

Thanks a lot for any help!

- Martin

-- 
Martin Zielinski                       mz@seh.de
Software Development
SEH Computertechnik GmbH     www.seh.de
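
The fallback the message asks about, sketched as an added example that is not part of the original post and is not Heimdal or MIT code: recognise KRB_ERR_RESPONSE_TOO_BIG (error code 52 in RFC 4120) in the UDP reply, then frame the same request for TCP with the four-octet length prefix. The function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define KRB_ERR_RESPONSE_TOO_BIG 52          /* RFC 4120 error code */
/* Constructed sample: a KRB-ERROR as a KDC could send it over UDP. */
static const uint8_t SAMPLE[] =
    "\x7e\x5a\x30\x58" "\xa0\x03\x02\x01\x05" "\xa1\x03\x02\x01\x1e"
    "\xa4\x11\x18\x0f" "20050101000000Z" "\xa5\x03\x02\x01\x00"
    "\xa6\x03\x02\x01\x34" "\xa9\x0d\x1b\x0b" "EXAMPLE.COM"
    "\xaa\x20\x30\x1e\xa0\x03\x02\x01\x02\xa1\x17\x30\x15"
    "\x1b\x06" "krbtgt" "\x1b\x0b" "EXAMPLE.COM";
#define SAMPLE_LEN (sizeof SAMPLE - 1)       /* drop the literal's NUL */

/* Read one DER header; returns its size, or 0 if malformed or truncated. */
static size_t der_hdr(const uint8_t *p, size_t n, uint8_t *tag, size_t *len) {
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; return *len <= n - 2 ? 2 : 0; }
    size_t i, k = p[1] & 0x7f;               /* long-form length */
    if (k == 0 || k > 4 || n < 2 + k) return 0;
    for (*len = 0, i = 0; i < k; i++) *len = (*len << 8) | p[2 + i];
    return *len <= n - 2 - k ? 2 + k : 0;
}

/* error-code of a KRB-ERROR ([APPLICATION 30]); -1 if not a valid one. */
int krb_error_code(const uint8_t *m, size_t n) {
    uint8_t tag; size_t len, h, i; uint32_t v = 0;
    if (!(h = der_hdr(m, n, &tag, &len)) || tag != 0x7e) return -1;
    m += h; n = len;
    if (!(h = der_hdr(m, n, &tag, &len)) || tag != 0x30) return -1;
    for (m += h, n = len; n > 0; m += h + len, n -= h + len) {
        if (!(h = der_hdr(m, n, &tag, &len))) return -1;
        if (tag != 0xa6) continue;           /* want error-code [6] */
        m += h; n = len;                     /* inner INTEGER */
        if (!(h = der_hdr(m, n, &tag, &len)) || tag != 0x02) return -1;
        if (len < 1 || len > 4 || (m[h] & 0x80)) return -1;
        for (i = 0; i < len; i++) v = (v << 8) | m[h + i];
        return (int)v;
    }
    return -1;
}

/* RFC 4120 7.2.2: over TCP each message follows a 4-octet big-endian length. */
size_t tcp_frame(const uint8_t *req, size_t n, uint8_t *out, size_t cap) {
    if (n > 0x7fffffff || cap < n + 4) return 0;
    out[0] = (uint8_t)(n >> 24); out[1] = (uint8_t)(n >> 16);
    out[2] = (uint8_t)(n >> 8);  out[3] = (uint8_t)n;
    memcpy(out + 4, req, n);
    return n + 4;
}
```

A client would call `krb_error_code` on the UDP reply and, when it returns `KRB_ERR_RESPONSE_TOO_BIG`, send the unchanged request bytes through `tcp_frame` on a TCP connection to the same KDC.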