Kerberos/ADS and many groups
Matthew Geddes
musicalcarrion at gmail.com
Wed Dec 13 19:32:22 GMT 2006
Hi all,
I have a situation here where I cannot join an Active Directory using a
user account that is a member of a large number (500 in this test) of
groups using Samba 3.0.23c. I can also reproduce the problem thusly:
- kinit someuser@REALM.COM
- rpcclient -k ADS-DC
Problem is that Windows resets the connection after we attempt a
SessionSetupAndX:
read_socket_with_timeout: timeout read. read error = Connection reset by peer.
Cannot connect to server. Error was NT_STATUS_INVALID_NETWORK_RESPONSE
There were problems with older Kerberos libraries not handling
KRB5_ERR_RESPONSE_TOO_BIG properly, but the libraries I'm using appear
to handle it correctly and the kinit works.
A domain join with the same user under Windows XP Pro works. Looking at
the packet captures, Windows is using port 139, whereas we're using 445
and Windows isn't fragmenting the SessionSetupAndX, but we are.
Can anyone offer any suggestions for things to try or look for?
thx,
Matt
More information about the samba-technical
mailing list