[Fwd: Re: krb5 malformed over satellite link]

Douglas E. Engert deengert at anl.gov
Wed Sep 6 16:14:49 EDT 2006



Sandeep Bhardwaj wrote:

> Hi
> thanks for your response
> the max MTU supported by the VSAT modem is 1500 = 1480 + 20 header and we are
> not using VPN or IPSEC
> but I tried putting a route with a simple GRE tunnel and the system worked..
> we were using some sort of header compression, a bandwidth saving feature; we
> had to disable that also, maybe because it was altering the encrypted header of
> the KRB5 packet, and the system works now
> 
> but I still see that particular packet 1514+60 and it never gets a reply
> I guess using TCP will be helpful; I will try that
> I can already see in the trace that the KRB5 AS-REQ gets an error
> KRB5KRB_ERR_RESPONSE_TOO_BIG and then it tries TCP and that works, but the
> KRB5 TGS-REQ never tries to go to TCP
> maybe I need to get that setting changed in the krb5.conf [libdefaults] file
> But will it force all the communication to be TCP?

All Kerberos traffic between the client and KDC, which should include
the TGS_REQ. As you noted above, the AS_REQ got a response too big, and
told the client to use TCP.  The client may have had problems sending the
TGS_REQ with UDP (and it may never get to the KDC). udp_preference_limit = 1 would
tell the client to forget about using UDP, and just try TCP.


> can I use another value for this "udp_preference_limit = 1", say 1400?

Yes, but since you are talking to AD, most packets will be big, and you
might as well just use TCP to start with.

You might find this Microsoft article on UDP, TCP, VPN and fragmented
packets of interest:

  http://support.microsoft.com/kb/244474/

> 
> Thanks Again
> Sandeep
> 
> 
> On 9/5/06, Douglas E. Engert <deengert at anl.gov> wrote:
> 
>>
>> Should have cc'ed you on this response.
>>
>>
>> -------- Original Message --------
>> Subject: Re: krb5 malformed over satellite link
>> Date: Tue, 05 Sep 2006 16:59:39 -0500
>> From: Douglas E. Engert <deengert at anl.gov>
>> To: Markus Moeller <huaraz at moeller.plus.com>
>> CC: kerberos at mit.edu
>> References: 
>> <43147ec0609041210m5a3f4ba4s2de4e3fea7130564 at mail.gmail.com> <
>> edkr5i$5nj$1 at sea.gmane.org>
>>
>> He could try forcing the use of TCP by adding
>> udp_preference_limit = 1
>> to the krb5.conf [libdefaults]
>> i.e. all packets over 1 byte will try TCP before UDP.
>>
>> Since Active directory is going to return a PAC in the ticket,
>> most tickets will be big and will need to fall over to
>> using TCP anyway.
>>
>>
>> Markus Moeller wrote:
>>
>> > Do you use an IPSEC VPN over the satellite link or is the MTU smaller than
>> > 1500 bytes?  This might be a problem if the already fragmented packet has
>> > to be fragmented again.
>> >
>> > Regards
>> > Markus
>> >
>> >
>> > "Sandeep Bhardwaj" <hugsandy at gmail.com> wrote in message
>> > news:43147ec0609041210m5a3f4ba4s2de4e3fea7130564 at mail.gmail.com...
>> >
>> >>hi
>> >>
>> >>we are trying to make an Active Directory setup of Windows over the
>> >>satellite link work; everything is working except that my krb5 TGS-REQ packet
>> >>comes fragmented 1514 (IP) and 61 (UDP), and when it reaches the other side,
>> >>the server side, it loses the encrypted header and the sniffer shows the
>> >>packet as malformed; due to this it is not getting the krb5 TGS-REP
>> >>
>> >>I am attaching the ethereal trace. What could be wrong? There are a few other
>> >>packets of krb5 TGS-REQ of 1483 bytes and they get the response also
>> >>
>> >>you can see both the packets in the trace attached
>> >>*krb5 TGS-Req_no_response_mallformed.cap this is showing the malformed
>> >>packet received after the VSAT link at the server*
>> >>
>> >>Can I get any help on this, like why is the rejected packet fragmented?
>> >>what could be the reason
>> >>thanks for your time in advance
>> >>
>> >>
>> >>
>> >>--
>> >>Sandeep Bhardwaj
>> >>
>> >>
>> >>________________________________________________
>> >>Kerberos mailing list           Kerberos at mit.edu
>> >>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>> -- 
>>
>> Douglas E. Engert  <DEEngert at anl.gov>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois  60439
>> (630) 252-5444
-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
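The behaviour discussed in this thread (a KDC-REQ that fragments on a 1500-byte MTU, the KRB_ERR_RESPONSE_TOO_BIG fallback to TCP, and what udp_preference_limit changes) modelled as an added example. This is not code from the thread or from MIT krb5: the header sizes, the RFC 4120 error code and the 1465-byte MIT default are standard, while the SatelliteKdc class, its reply size and the request sizes are constructed for illustration, and the client loop simplifies retransmission and timeout handling to a single attempt per transport.

```python
"""Model of the krb5 client transport choice and IPv4 fragmentation of UDP
KDC-REQ messages.  Added example, not MIT krb5 code; the KDC stand-in and
the message sizes below are constructed for illustration."""
import math
from dataclasses import dataclass, field

IPV4_HEADER = 20
UDP_HEADER = 8
KRB_ERR_RESPONSE_TOO_BIG = 52          # RFC 4120, section 7.5.9
DEFAULT_UDP_PREFERENCE_LIMIT = 1465    # MIT krb5 default for udp_preference_limit


def max_udp_payload(mtu: int) -> int:
    """Largest UDP payload carried in one unfragmented IPv4 datagram."""
    return mtu - IPV4_HEADER - UDP_HEADER


def udp_fragments(payload_len: int, mtu: int) -> int:
    """Number of IPv4 fragments a UDP datagram of payload_len bytes needs.

    Each fragment carries up to (mtu - IPV4_HEADER) bytes of IP payload,
    rounded down to a multiple of 8 (fragment offsets are in 8-byte units)."""
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    return math.ceil((UDP_HEADER + payload_len) / per_fragment)


def transport_order(request_len: int, udp_preference_limit: int) -> list:
    """MIT krb5 semantics: TCP is tried before UDP when the request is
    larger than udp_preference_limit, otherwise UDP is tried first."""
    return ["tcp", "udp"] if request_len > udp_preference_limit else ["udp", "tcp"]


@dataclass
class SatelliteKdc:
    """Constructed stand-in for an AD KDC behind a link that mangles
    fragmented UDP, the symptom reported in the thread."""
    path_mtu: int = 1500
    reply_len: int = 1700          # constructed: AD replies carrying a PAC are large
    log: list = field(default_factory=list)

    def handle(self, transport: str, request_len: int):
        if transport == "udp":
            if udp_fragments(request_len, self.path_mtu) > 1:
                self.log.append(f"udp {request_len}B request fragmented, dropped")
                return None                      # client only sees a timeout
            if self.reply_len > max_udp_payload(self.path_mtu):
                self.log.append("udp reply would not fit: KRB_ERR_RESPONSE_TOO_BIG")
                return ("error", KRB_ERR_RESPONSE_TOO_BIG)
        self.log.append(f"{transport} {request_len}B request answered with {self.reply_len}B reply")
        return ("rep", self.reply_len)


def send_to_kdc(kdc: SatelliteKdc, request_len: int,
                udp_preference_limit: int = DEFAULT_UDP_PREFERENCE_LIMIT) -> tuple:
    """Simplified client loop: try transports in preference order, move to
    the next transport on a timeout, and retry over TCP when UDP yields
    KRB_ERR_RESPONSE_TOO_BIG.  Returns (transport used, reply) or (None, None)."""
    for transport in transport_order(request_len, udp_preference_limit):
        resp = kdc.handle(transport, request_len)
        if resp is None:
            continue
        if resp[0] == "error" and resp[1] == KRB_ERR_RESPONSE_TOO_BIG:
            return "tcp", kdc.handle("tcp", request_len)
        return transport, resp
    return None, None


if __name__ == "__main__":
    # Plain 1500-byte path: a 1400-byte request fits in one datagram, but the
    # reply does not, so the client is told to come back over TCP.
    kdc = SatelliteKdc()
    print(send_to_kdc(kdc, 1400), kdc.log)

    # A tunnel or compressing modem that lowers the path MTU: the same request
    # now fragments on UDP, and only the TCP attempt gets through.
    kdc = SatelliteKdc(path_mtu=1400)
    print(send_to_kdc(kdc, 1400), kdc.log)

    # udp_preference_limit = 1 in [libdefaults]: UDP is never attempted.
    kdc = SatelliteKdc(path_mtu=1400)
    print(send_to_kdc(kdc, 1400, udp_preference_limit=1), kdc.log)
```

The second scenario is the one worth checking in a capture: with the default limit the request goes out over UDP, and if the path MTU is below what the endpoints assume (GRE, IPSEC or header compression in between), the fragmented datagram is what arrives damaged at the KDC side. Setting udp_preference_limit to 1 sidesteps that by sending every request over TCP first, which is also the transport AD replies carrying a PAC usually end up on anyway.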



More information about the Kerberos mailing list