[Freeipa-users] SSH using putty to IPA client
Troels Hansen
th at casalogic.dk
Wed Sep 28 07:19:37 UTC 2016
----- On Sep 26, 2016, at 1:30 PM, Sumit Bose sbose at redhat.com wrote:
> About the DNS SRV records, did you add matching records for _udp as
> well? I'm not sure if the AD client will fall back to _tcp if they are
> missing or just stop?
>
Ok, finally got some time to debug this.
tcpdump'ing on the IPA server and logging in, and analyzing the traffic in Wireshark, I can see some KRB5KDC_ERR_PREAUTH_REQUIRED traffic to both of the KDCs as expected, followed by some AS-REQ and AS-REP, finally followed by KRB5KRB_ERR-RESPONSE_TOO_BIG. The source MAC is a Cisco router despite the server being HP, so somewhere in the network a Cisco router is breaking our Kerberos.
I'll start hunting for a solution somewhere other than IPA...
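
An added example, not part of the original post: it extracts the error-code from a Kerberos KRB-ERROR reply carried over UDP and checks whether a client TCP packet follows a KRB_ERR_RESPONSE_TOO_BIG (code 52), which RFC 4120 has the KDC send when a reply does not fit in a UDP datagram so that the client retries over TCP. The function names are hypothetical, and the sample bytes and packet tuples are constructed.

```python
# Added example; sample bytes and packet tuples are constructed, names are hypothetical.
RESPONSE_TOO_BIG = 52   # KRB_ERR_RESPONSE_TOO_BIG; 25 is KDC_ERR_PREAUTH_REQUIRED

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def krb_error_code(udp_payload):
    """error-code of a KRB-ERROR message; None for any other message type."""
    tag, pos, _ = read_tlv(udp_payload, 0)
    if tag != 0x7E:                           # [APPLICATION 30] KRB-ERROR
        return None
    tag, pos, end = read_tlv(udp_payload, pos)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    while pos < end:
        tag, vstart, vend = read_tlv(udp_payload, pos)
        if tag == 0xA6:                       # [6] error-code INTEGER
            _, istart, iend = read_tlv(udp_payload, vstart)
            return int.from_bytes(udp_payload[istart:iend], "big", signed=True)
        pos = vend
    raise ValueError("KRB-ERROR without error-code")

def tcp_retry_after_too_big(packets):
    """Ordered (transport, sender, payload) tuples; None means no UDP TOO_BIG was seen."""
    seen = False
    for transport, sender, payload in packets:
        if transport == "udp" and sender == "kdc" and krb_error_code(payload) == RESPONSE_TOO_BIG:
            seen = True
        elif seen and transport == "tcp" and sender == "client":
            return True
    return False if seen else None

def der(tag, value):                          # short-form lengths only (< 128 bytes)
    return bytes([tag, len(value)]) + value

def sample_krb_error(code):
    """Constructed KRB-ERROR holding only pvno, msg-type, stime, susec, error-code."""
    fields = (der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x02, b"\x1e")) +
              der(0xA4, der(0x18, b"20160928071937Z")) + der(0xA5, der(0x02, b"\x00")) +
              der(0xA6, der(0x02, bytes([code]))))
    return der(0x7E, der(0x30, fields))
```

A `False` result means the capture shows the error but no TCP attempt from the client afterwards, which is the point in the trace to look at next.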