Kerberos/ADS and many groups
Dave Daugherty
dave.daugherty at centrify.com
Thu Dec 14 19:00:38 GMT 2006
Does net rpc join work? This may just postpone the problem...
Try the following smb.conf hack:

[global]
    max xmit = 65535
Dave Daugherty
>Matthew Geddes December 13, 2006 11:32 AM Wrote:
>
>Hi all,
>
>I have a situation here where I cannot join an Active Directory using a
>user account that is a member of a large number (500 in this test) of
>groups using Samba 3.0.23c. I can also reproduce the problem thusly:
>
> - kinit someuser@REALM.COM
> - rpcclient -k ADS-DC
>
>Problem is that Windows resets the connection after we attempt a
>SessionSetupAndX:
>
>read_socket_with_timeout: timeout read. read error = Connection reset by peer.
>Cannot connect to server. Error was NT_STATUS_INVALID_NETWORK_RESPONSE
>
>There were problems with older Kerberos libraries not handling
>KRB5_ERR_RESPONSE_TOO_BIG properly, but the libraries I'm using appear
>to handle it correctly and the kinit works.
>
>A domain join with the same user under Windows XP Pro works. Looking at
>the packet captures, Windows is using port 139, whereas we're using 445
>and Windows isn't fragmenting the SessionSetupAndX, but we are.
>
>Can anyone offer any suggestions for things to try or look for?
>
>thx,
>Matt