Random failure while communicating with KDC
Sowmya Manjanatha
sowmya_ambale at yahoo.com
Fri Feb 28 12:03:07 EST 2014
I did disable all of the isatap, teredo, 6to4 interfaces on Windows and still the same issue. I can always without any delay "telnet <ipv6 address> 445". So, through wireshark, I found that the destination port to which the connection fails is 445. There is not a problem connecting using the hostname as well.
And, in fact, I did a wireshark tracing on the AD server. I see the "TCP syn, syn-ack and then ack" all going through, a second later I see a RST from the server but that is exactly after I see "abandoning connection : Operation now in progress". This print out seems to be coming from kill_conn function in sendto_kdc.c file which is called from the goto kill_conn: section which is called from handle_exception section from case READING: of the service_tcp_fd file. The error is always consistent. My guess is that it is taking longer to connect. However, I have added a check for "get_so_error(fd)" inside the for loop inside service_fds function. When it calls service_tcp_fd after connect was called from maybe_send, get_so_error is returning a 0 indicating no error but after writing, when it gets to case READING , I see that error and read is never invoked. Instead the kill_conn is invoked.
My only guess now is that connect or write is taking much longer for ipv6. Is there a way to wait for the Operation now in progress to go away when we hit that. Just putting a return out in kill_conn if we see this error seems to be causing the program to loop for 16 times when it gives up with the error Looping detected and gives up any way.
Thanks for your help again. I really appreciate it.
-Sowmya.
On Friday, February 28, 2014 10:44 AM, "Wilper, Ross A" <rwilper at stanford.edu> wrote:
Another avenue that you may want to look into is checking that the Active Directory domain controller has a real, routable IPv6 address and that you have disabled transition technologies (ISATAP, 6to4, Toredo, etc.) There are lots of headaches that can occur when AD thinks it is on a working IPv6 network and it really isn't.
-Ross
-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of sowmya
Sent: Thursday, February 27, 2014 4:10 PM
To: kerberos at mit.edu
Subject: Re: Random failure while communicating with KDC
Russ,
Thanks much for your quick response.
I am trying to do a "net ads join " to an Active Directory server on a
Windows 2008 R2 server. I have been able to join the same Active Directory
server with the same administrator account and password but to its IPv4
address. This problem only occurs if communication is to the Active
Directory server's IPv6 address. I have set up all the reverse dns and
service records. I am able to do a dig srv "_ldap._tcp.<domainname>" as
well as all other _kerberos, _gc etc. records. But I kept getting "Cannot
contact any KDC for requested realm" and started digging into the problem a
bit.
I turned on all the dprint messages in krb5 library and found the error.
What can I do to get around this problem? I am at a loss now as to whether
the problem is on the Windows server side or the client. Please let me know.
Thanks again for your response,
Sowmya.
--
View this message in context: http://kerberos.996246.n3.nabble.com/Random-failure-while-communicating-with-KDC-tp39717p39736.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list