[Fwd: Re: krb5 malformed over satellite link]

Sandeep Bhardwaj hugsandy at gmail.com
Wed Sep 6 13:38:04 EDT 2006


Hi,
Thanks for your response.
The max MTU supported by the VSAT modem is 1500 = 1480 + 20 header, and we are not
using VPN or IPSEC,
but I tried putting a route with a simple GRE tunnel and the system worked.
We were using some sort of header compression, a bandwidth-saving feature; we
had to disable that also, maybe because it was altering the encrypted header of
the KRB5 packet, and the system works now.

But I still see that particular packet 1514+60 and it never gets a reply.
I guess using TCP will be helpful; I will try that.
I can already see in the trace that KRB5 AS-REQ gets an error
KRB5krb_err-response_too_big and then it tries TCP and that works, but the
KRB5 TGS-REQ never tries to go to TCP.
Maybe I need to get that setting changed in the krb5.conf [libdefaults] file.
But will it force all the communication to be TCP? Can I use another value
for this "udp_preference_limit = 1", say 1400?

Thanks Again
Sandeep


On 9/5/06, Douglas E. Engert <deengert at anl.gov> wrote:
>
> Should have cc'ed you on this response.
>
>
> -------- Original Message --------
> Subject: Re: krb5 malformed over satellite link
> Date: Tue, 05 Sep 2006 16:59:39 -0500
> From: Douglas E. Engert <deengert at anl.gov>
> To: Markus Moeller <huaraz at moeller.plus.com>
> CC: kerberos at mit.edu
> References: <43147ec0609041210m5a3f4ba4s2de4e3fea7130564 at mail.gmail.com> <
> edkr5i$5nj$1 at sea.gmane.org>
>
> He could try forcing the use of TCP by adding
> udp_preference_limit = 1
> to the krb5.conf [libdefaults]
> i.e. all packets over 1 byte will try TCP before UDP.
>
> Since Active directory is going to return a PAC in the ticket,
> most tickets will be big and will need to fall over to
> using TCP anyway.
>
>
> Markus Moeller wrote:
>
> > Do you use an IPSEC VPN over the satellite link or is the MTU smaller than
> > 1500 bytes? This might be a problem if the already fragmented packet has
> > to be fragmented again.
> >
> > Regards
> > Markus
> >
> >
> > "Sandeep Bhardwaj" <hugsandy at gmail.com> wrote in message
> > news:43147ec0609041210m5a3f4ba4s2de4e3fea7130564 at mail.gmail.com...
> >
> >>Hi,
> >>
> >>We are trying to make an Active Directory setup of Windows work over the
> >>satellite link. Everything is working except that my krb5 TGS-REQ packet
> >>comes fragmented, 1514 (ip) and 61 (udp), and when it reaches the other
> >>side (server side) it loses the encrypted header and the sniffer shows the
> >>packet as malformed; due to this it is not getting the krb5 TGS-REP.
> >>
> >>I am attaching the ethereal trace. What could be wrong? There are a few
> >>other packets of krb5 TGS-REQ, 1483 bytes, and they get the response also.
> >>
> >>You can see both the packets in the attached trace.
> >>*krb5 TGS-Req_no_response_mallformed.cap: this is showing the malformed
> >>packet received after the VSAT link to the server*
> >>
> >>Can I get any help on this, like why is the rejected packet fragmented?
> >>What could be the reason?
> >>Thanks for your time in advance.
> >>
> >>
> >>
> >>--
> >>Sandeep Bhardwaj
> >>
> >>________________________________________________
> >>Kerberos mailing list           Kerberos at mit.edu
> >>https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert  <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois  60439
> (630) 252-5444
>
>
>



-- 
Sandeep Bhardwaj
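
Added example, not part of the original thread: a sketch of how the `udp_preference_limit` value asked about above decides which transport an MIT krb5 client tries first, and whether the UDP form of a request would be IP-fragmented on a 1500-byte MTU link. The sample krb5.conf, the realm and host names, and the message sizes are constructed; the 20-byte IPv4 header (no options) and the 1465-byte default are assumptions stated in the code.

```python
"""Which transport an MIT krb5 client tries first for a KDC request, and
whether the same request sent over UDP would be IP-fragmented on the link."""
import re

IP_HEADER = 20    # IPv4 header without options (assumption)
UDP_HEADER = 8
DEFAULT_UDP_PREFERENCE_LIMIT = 1465   # MIT krb5 default when the key is unset

# Constructed sample config using the value asked about in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    udp_preference_limit = 1400

[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

def udp_preference_limit(conf_text):
    """Return udp_preference_limit from [libdefaults], or the default."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        match = re.fullmatch(r"udp_preference_limit\s*=\s*(\d+)", line)
        if match and section == "libdefaults":   # key is only read here
            return int(match.group(1))
    return DEFAULT_UDP_PREFERENCE_LIMIT

def plan(message_len, limit, link_mtu=1500):
    """Return (transport tried first, would the UDP datagram fragment?).

    Messages larger than the limit try TCP before UDP; smaller ones try
    UDP first. Either way the other transport is tried if the first fails.
    """
    first = "tcp" if message_len > limit else "udp"
    fragments = message_len > link_mtu - IP_HEADER - UDP_HEADER
    return first, fragments

if __name__ == "__main__":
    limit = udp_preference_limit(SAMPLE_KRB5_CONF)
    for size in (300, 1441, 1600):               # constructed message sizes
        first, frag = plan(size, limit)
        print(f"{size:5d} bytes: try {first} first; UDP form fragments: {frag}")
```

With a limit of 1400, only requests larger than 1400 bytes go to TCP first; smaller ones still start on UDP, whereas a limit of 1 sends effectively every request to TCP first.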