Kerberos/ADS and many groups

Dave Daugherty dave.daugherty at centrify.com
Thu Dec 14 19:00:38 GMT 2006


Does net rpc join work? This may just postpone the problem...

Try the following smb.conf hack:

[global]
    max xmit = 65535

Dave Daugherty


>Matthew Geddes December 13, 2006 11:32 AM Wrote:
>
>Hi all,
>
>I have a situation here where I cannot join an Active Directory using a 
>user account that is a member of a large number (500 in this test) of 
>groups using Samba 3.0.23c. I can also reproduce the problem thusly:
>
>   - kinit someuser@REALM.COM
>   - rpcclient -k ADS-DC
>
>Problem is that Windows resets the connection after we attempt a 
>SessionSetupAndX:
>
>read_socket_with_timeout: timeout read. read error = Connection reset by peer.
>Cannot connect to server.  Error was NT_STATUS_INVALID_NETWORK_RESPONSE
>
>There were problems with older Kerberos libraries not handling 
>KRB5_ERR_RESPONSE_TOO_BIG properly, but the libraries I'm using appear 
>to handle it correctly and the kinit works.
>
>A domain join with the same user under Windows XP Pro works. Looking at
>the packet captures, Windows is using port 139, whereas we're using 445
>and Windows isn't fragmenting the SessionSetupAndX, but we are.
>
>Can anyone offer any suggestions for things to try or look for?
>
>thx,
>Matt


