krb5 malformed over satellite link

Douglas E. Engert deengert at anl.gov
Tue Sep 5 17:59:39 EDT 2006


He could try forcing the use of TCP by adding
udp_preference_limit = 1
to the krb5.conf [libdefaults]
i.e. all packets over 1 byte will try TCP before UDP.

Since Active Directory is going to return a PAC in the ticket,
most tickets will be big and will need to fall over to
using TCP anyway.


Markus Moeller wrote:

> Do you use an IPsec VPN over the satellite link or is the MTU smaller than 
> 1500 bytes?  This might be a problem if the already fragmented packet has 
> to be fragmented again.
> 
> Regards
> Markus
> 
> 
> "Sandeep Bhardwaj" <hugsandy at gmail.com> wrote in message 
> news:43147ec0609041210m5a3f4ba4s2de4e3fea7130564 at mail.gmail.com...
> 
>>hi
>>
>>we are trying to make an Active Directory setup of Windows over the satellite
>>link work. Everything is working except that my krb5 TGS-REQ packet comes
>>fragmented 1514(ip) and 61(udp), and when it reaches the other side (server
>>side) it loses the encrypted header and the sniffer shows the packet as
>>malformed. Due to this it's not getting the krb5 TGS-REP.
>>
>>I am attaching the ethereal trace. What could be wrong? There are a few other
>>packets of krb5 TGS-REQ, 1483 bytes, and they get the response also.
>>
>>You can see both the packets in the trace attached.
>>*krb5 TGS-Req_no_response_mallformed.cap this is showing the malformed
>>packet received after the vsat link to the server*
>>
>>Can I get any help on this, like why is the rejected packet fragmented?
>>What could be the reason?
>>Thanks for your time in advance
>>
>>
>>
>>-- 
>>Sandeep Bhardwaj
>>
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
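
Added example, not part of the original message: a Python sketch that reads `udp_preference_limit` from the `[libdefaults]` section of a krb5.conf and shows which transport is tried first for a given request size, and how many IPv4 fragments the same request would need over UDP. The sample configs, realm name, request sizes and the 1465-byte built-in default are assumptions made for the illustration.

```python
import re

MIT_DEFAULT_LIMIT = 1465   # assumed built-in default when the option is absent
IPV4_HEADER, UDP_HEADER = 20, 8

# Constructed krb5.conf samples: one with the suggested setting, one without.
CONF_FORCED_TCP = """
[libdefaults]
    default_realm = EXAMPLE.COM
    udp_preference_limit = 1
"""
CONF_DEFAULT = """
[libdefaults]
    default_realm = EXAMPLE.COM
"""

def udp_preference_limit(conf_text):
    """Return the effective udp_preference_limit from [libdefaults]."""
    section, limit = None, MIT_DEFAULT_LIMIT
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "udp_preference_limit":
                limit = int(value)
    return limit

def first_transport(msg_len, limit):
    """TCP is tried first only when the message is larger than the limit."""
    return "tcp" if msg_len > limit else "udp"

def udp_fragments(msg_len, path_mtu):
    """IPv4 fragments needed to carry msg_len bytes in one UDP datagram."""
    datagram = msg_len + UDP_HEADER
    room = path_mtu - IPV4_HEADER
    if datagram <= room:
        return 1
    per_fragment = room // 8 * 8   # non-final fragments carry multiples of 8
    return 1 + -(-(datagram - room) // per_fragment)

if __name__ == "__main__":
    for name, conf in (("forced", CONF_FORCED_TCP), ("default", CONF_DEFAULT)):
        limit = udp_preference_limit(conf)
        for size in (1441, 1499):   # constructed request sizes in bytes
            print(name, size, first_transport(size, limit),
                  udp_fragments(size, 1500))
```

Lowering the path MTU in `udp_fragments` (for example to account for tunnel overhead) shows how a request that fits in one datagram on Ethernet starts fragmenting on the constrained link.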


