[Freeipa-users] SSH using putty to IPA client

Sumit Bose sbose at redhat.com
Wed Sep 28 08:06:20 UTC 2016


On Wed, Sep 28, 2016 at 09:19:37AM +0200, Troels Hansen wrote:
> 
> 
> ----- On Sep 26, 2016, at 1:30 PM, Sumit Bose sbose at redhat.com wrote:
> 
> > About the DNS SRV records, did you add matching records for _udp as
> > well? I'm not sure if the AD client will fallback to _tcp if they are
> > missing or just stop?
> > 
> 
> 
> Ok, finally got some time to debug this.
> 
> tcpdump'ing on the IPA server and logging in, and analyzing the traffic in Wireshark, I can see some KRB5KDC_ERR_PREAUTH_REQUIRED traffic to both of the KDCs as expected, followed by some AS-REQ and AS-REP, finally followed by KRB5KRB_ERR_RESPONSE_TOO_BIG; the source MAC is a Cisco router despite the server being HP, so somewhere in the network a Cisco router is breaking our Kerberos.

KRB5KRB_ERR_RESPONSE_TOO_BIG is an expected return code here. The
Kerberos communication is typically started via UDP. But the PAC data in
the ticket is typically larger than a single UDP packet. The KDC tells
the client with KRB5KRB_ERR_RESPONSE_TOO_BIG to switch to TCP so that the
response can be reliably sent in multiple TCP packets. If
KRB5KRB_ERR_RESPONSE_TOO_BIG is the last you see on the wire I would
suspect that port 88 TCP is blocked somewhere.

HTH

bye,
Sumit

> 
> I'll start hunting a solution somewhere else but IPA......
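The UDP-to-TCP fallback Sumit describes is easy to verify from the client side. The script below is an added example, not code from the thread or from FreeIPA: it decodes the error-code field of a DER-encoded KRB-ERROR message (so a captured UDP reply can be classified as KRB_ERR_RESPONSE_TOO_BIG, code 52, or KDC_ERR_PREAUTH_REQUIRED, code 25, per RFC 4120), shows the 4-byte length prefix Kerberos uses once it switches to TCP, and then tests whether TCP port 88 on each KDC is actually reachable. The KDC hostnames and the realm EXAMPLE.TEST are placeholders, and the sample KRB-ERROR is constructed inline.

```python
import socket

# Kerberos error codes from RFC 4120 section 7.5.9 (the two seen in the capture).
KDC_ERR_PREAUTH_REQUIRED = 25
KRB_ERR_RESPONSE_TOO_BIG = 52
ERROR_NAMES = {
    KDC_ERR_PREAUTH_REQUIRED: "KDC_ERR_PREAUTH_REQUIRED",
    KRB_ERR_RESPONSE_TOO_BIG: "KRB_ERR_RESPONSE_TOO_BIG",
}

# Placeholder KDC hostnames; replace with the IPA servers from your SRV records.
KDCS = ["ipa1.example.test", "ipa2.example.test"]


# --- minimal DER helpers used both to build the sample and to parse replies ---
def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _ctx(n, body):
    """Context-specific constructed tag [n] as used throughout RFC 4120."""
    return _tlv(0xA0 | n, body)


def _int(value):
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:
        length, start = first, pos + 2
    return tag, start, start + length


def build_sample_krb_error(code):
    """Constructed KRB-ERROR ([APPLICATION 30] SEQUENCE) carrying the given error-code."""
    realm = _tlv(0x1B, b"EXAMPLE.TEST")  # GeneralString, placeholder realm
    name_string = _tlv(0x30, _tlv(0x1B, b"krbtgt") + _tlv(0x1B, b"EXAMPLE.TEST"))
    sname = _tlv(0x30, _ctx(0, _int(2)) + _ctx(1, name_string))  # NT-SRV-INST
    body = (_ctx(0, _int(5))                                  # pvno
            + _ctx(1, _int(30))                               # msg-type KRB-ERROR
            + _ctx(4, _tlv(0x18, b"20160928080620Z"))         # stime
            + _ctx(5, _int(0))                                # susec
            + _ctx(6, _int(code))                             # error-code
            + _ctx(9, realm)                                  # realm
            + _ctx(10, sname))                                # sname
    return _tlv(0x7E, _tlv(0x30, body))                       # [APPLICATION 30]


def krb_error_code(data):
    """Extract error-code from a KRB-ERROR; None if the bytes are not a KRB-ERROR."""
    if len(data) < 4:
        return None
    tag, seq_start, _ = _read_tlv(data, 0)
    if tag != 0x7E:                       # not [APPLICATION 30]
        return None
    tag, pos, end = _read_tlv(data, seq_start)
    if tag != 0x30:
        return None
    while pos < end:
        tag, vs, ve = _read_tlv(data, pos)
        if tag == 0xA6:                   # [6] error-code
            itag, istart, iend = _read_tlv(data, vs)
            if itag == 0x02:
                return int.from_bytes(data[istart:iend], "big", signed=True)
        pos = ve
    return None


def is_response_too_big(data):
    return krb_error_code(data) == KRB_ERR_RESPONSE_TOO_BIG


def tcp_frame(msg):
    """Kerberos over TCP prefixes each message with a 4-byte big-endian length (RFC 4120 7.2.2)."""
    return len(msg).to_bytes(4, "big") + msg


def tcp_port_open(host, port=88, timeout=3.0):
    """True if a TCP connection to the KDC port succeeds; False on refusal, timeout or DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    sample = build_sample_krb_error(KRB_ERR_RESPONSE_TOO_BIG)
    code = krb_error_code(sample)
    print(f"sample reply decodes to {ERROR_NAMES.get(code, code)}")
    if is_response_too_big(sample):
        print("client must retry the AS-REQ over TCP; checking port 88/tcp on each KDC")
        for kdc in KDCS:
            print(f"  {kdc}:88/tcp reachable: {tcp_port_open(kdc)}")
```

If every KDC reports port 88/tcp unreachable while UDP traffic is visible in the capture, the block is on the TCP path (firewall or router ACL), which matches the symptom of KRB_ERR_RESPONSE_TOO_BIG being the last packet seen. It is also worth confirming that both `_kerberos._udp.<domain>` and `_kerberos._tcp.<domain>` SRV records exist, since the earlier question in the thread about `_udp` versus `_tcp` records is the other way a client can end up with no TCP fallback.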