krb5 malformed over satellite link
Douglas E. Engert
deengert at anl.gov
Tue Sep 5 17:59:39 EDT 2006
He could try forcing the use of TCP by adding
udp_preference_limit = 1
to the krb5.conf [libdefaults]
i.e. al packets over 1 byte will try TCP before UDP.
Since Active directory is going to return a PAC in the ticket,
most tickets will be big and will need to fall over to
using TCP anyway.
Markus Moeller wrote:
> Do you use a IPSEC VPN over the satelite link or is the mtu smaller than
> 1500 bytes ? This might be a problem if the already fragmented packet has
> to be fragmented again.
>
> Regards
> Markus
>
>
> "Sandeep Bhardwaj" <hugsandy at gmail.com> wrote in message
> news:43147ec0609041210m5a3f4ba4s2de4e3fea7130564 at mail.gmail.com...
>
>>hi
>>
>>we are trying to make active directory set up of windows over the
>>satellite
>>link to work ever thing is working excpet that my krb5 TGS-REQ packet
>>comes
>>fragmented 1514(ip) and 61(udp) and when it reaches the other side- server
>>side it losses the encrypted heade and sniffer shows the packet as Mal
>>formed due to this its not getting the krb5 TGS-REP
>>
>>i am attaching the ethereal trace what could be wrong there are few other
>>packets of krb5 TGS-REQ 1483 bytes and they get the response also
>>
>>you can see both the packes in the trace attachecd
>>*krb5 TGS-Req_no_response_mallformed.cap this is showing the mall formed
>>packet recived after the vsat link to the server*
>>
>>Can i get any help on this like y is the rejected packet fragmented ?
>>what could be the reson
>>thanks fro your time in advance
>>
>>
>>
>>--
>>Sandeep Bhardwaj
>>
>>GET FIREFOX
>>http://www.spreadfirefox.com/?q=affiliates&id=171522&t=1
>>http://www.spreadfirefox.com/?q=affiliates&id=171522&t=1
>>
>
>
>
> --------------------------------------------------------------------------------
>
>
>
>>________________________________________________
>>Kerberos mailing list Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list