UDP/TCP problem in cross-realm authentication
Bjoern Tore Sund
bjorn.sund at it.uib.no
Fri May 22 05:04:57 EDT 2009
We have Linux clients in an MIT Kerberos realm (1.6.3), Windows XP SP3
clients in AD and two-way trust configured. Accessing AD resources from
Linux clients works perfectly.
Accessing resources in the MIT Kerberos realm from Windows fails more
often than not. Lots of packet sniffing shows fragmented UDP packets
which the unix server isn't able to reassemble. So, in accordance with
http://support.microsoft.com/kb/244474 we've set
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize
to 1 on the XP clients. Still no go,
they never try TCP (again sniffing both on the XP client and the unix
kerberos server) but go straight for TCP. TCP is working on the unix
kerberos server, the Linux clients are happily using it. Has anyone
seen MaxPacketSize fail to have effect before? Any ideas on how to trace
this further?
-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund at it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
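
The packet sniffing described in the post comes down to telling unfragmented UDP/88, fragmented UDP/88 and TCP/88 apart in a capture. The sketch below is an added example, not part of the original post; it assumes the raw IPv4 packets have already been extracted from the capture, and the names `summarize`, `ipv4` and `SAMPLE` are hypothetical.

```python
import struct
from collections import Counter

KDC_PORT = 88  # Kerberos KDC port, UDP and TCP

def summarize(packets):
    """Count Kerberos packets by transport; packets are raw IPv4 bytes."""
    counts = Counter()
    kdc_frags = set()  # (src, dst, ip_id) of fragmented UDP/88 datagrams
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            counts["other"] += 1
            continue
        ihl = (pkt[0] & 0x0F) * 4
        ip_id, flags_off = struct.unpack_from("!HH", pkt, 4)
        proto, key = pkt[9], (pkt[12:16], pkt[16:20], ip_id)
        if flags_off & 0x1FFF:
            # Later fragments carry no UDP header, so match on the IP ID of a
            # first fragment already seen (out-of-order fragments land in "other").
            hit = proto == 17 and key in kdc_frags
            counts["udp-fragment" if hit else "other"] += 1
            continue
        if proto not in (6, 17) or len(pkt) < ihl + 4:
            counts["other"] += 1
            continue
        if KDC_PORT not in struct.unpack_from("!HH", pkt, ihl):
            counts["other"] += 1
        elif proto == 6:
            counts["tcp"] += 1
        elif flags_off & 0x2000:  # MF set on a first fragment
            kdc_frags.add(key)
            counts["udp-fragment"] += 1
        else:
            counts["udp"] += 1
    return counts

def ipv4(proto, ip_id, flags_off, payload):
    """Build a constructed IPv4 packet (fixed addresses, zero checksum)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                       flags_off, 64, proto, 0, bytes([10, 0, 0, 5]),
                       bytes([10, 0, 0, 88])) + payload

PORTS = struct.pack("!HH", 40000, KDC_PORT)  # source port, destination port
SAMPLE = [  # constructed traffic, not taken from the post
    ipv4(17, 1, 0x0000, PORTS + bytes(100)),   # small UDP request
    ipv4(17, 2, 0x2000, PORTS + bytes(1476)),  # first fragment, MF set
    ipv4(17, 2, 185, bytes(600)),              # second fragment at offset 1480
    ipv4(6, 3, 0x4000, PORTS + bytes(16)),     # TCP segment, DF set
]
```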