Dave Daugherty dave.daugherty at
Thu May 11 22:43:48 GMT 2006

It was a WAN environment with allegedly NetScreen firewalls, not running
"Jumbo Frames - 2400 bytes", but it was difficult to get clear answers
from the customer.

We were using CLDAP RootDSE as a "ping" to make sure we connected to an
AD server, and once we started asking for just one attribute back, we
finally got responses.

In our test environments we typically see responses of 1500-2000 bytes
coming back, but my understanding is this may grow.

The tip-off for us was seeing some of our DNS queries failing over to
TCP before responses came back.

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at] 
Sent: Thursday, May 11, 2006 10:08 AM
To: Dave Daugherty
Cc: Jim McDonough; tridge at; samba-technical at;
idra at; samba-technical at
Subject: Re: cldap


Dave Daugherty wrote:

> Just slightly related to this...  We recently saw an issue 
> where if we ask for all attributes back from the
> rootDSE query, some firewalls discard large UDP packets.
> So be judicious for what you ask for.

Interesting.  Do you remember what value of N is considered
large?  Also, did you run into problems with firewalls
internal to an AD domain?  Or contacting DC across a WAN?

cheers, jerry
Samba
Centeris
"What man is a man who does not make the world better?"      --Balian
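
An added example, not part of the original thread and not Samba's code: a BER-encoded rootDSE search that names the attributes it wants, plus a check of how many IPv4 packets a response of a given size needs. It assumes the drops came from IPv4 fragmentation at a 1500-byte MTU, which the thread does not confirm; the attribute name and the response sizes are chosen for illustration.

```python
"""Build a CLDAP rootDSE search with an explicit attribute list (added example)."""

IPV4_HDR, UDP_HDR = 20, 8

def tlv(tag, value):
    """BER tag-length-value, definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def ber_int(tag, v):
    """Non-negative INTEGER/ENUMERATED; the byte count keeps the sign bit clear."""
    return tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def rootdse_search(message_id, attributes):
    """LDAPMessage{SearchRequest}: base "", scope base, filter (objectClass=*)."""
    attrs = b"".join(tlv(0x04, a.encode("ascii")) for a in attributes)
    request = (
        tlv(0x04, b"")                 # baseObject: empty DN selects the rootDSE
        + ber_int(0x0A, 0)             # scope: baseObject
        + ber_int(0x0A, 0)             # derefAliases: never
        + ber_int(0x02, 0)             # sizeLimit: none
        + ber_int(0x02, 0)             # timeLimit: none
        + tlv(0x01, b"\x00")           # typesOnly: FALSE
        + tlv(0x87, b"objectClass")    # filter: present (objectClass=*)
        + tlv(0x30, attrs)             # attributes; empty list = all user attributes
    )
    return tlv(0x30, ber_int(0x02, message_id) + tlv(0x63, request))

def ipv4_fragments(udp_payload_len, mtu=1500):
    """Number of IPv4 packets needed to carry a UDP datagram of this payload size."""
    per_fragment = (mtu - IPV4_HDR) // 8 * 8    # fragment data is a multiple of 8
    return -(-(udp_payload_len + UDP_HDR) // per_fragment)

if __name__ == "__main__":
    narrow = rootdse_search(1, ["dnsHostName"])   # attribute name chosen for illustration
    print(len(narrow), narrow.hex())
    for size in (300, 1500, 2000):                # constructed response sizes, in bytes
        print(size, "bytes ->", ipv4_fragments(size), "IPv4 packet(s)")
```

The request itself stays tiny either way; what the attribute list controls is the size of the reply, and any reply above 1472 bytes of UDP payload no longer fits in one 1500-byte IPv4 packet.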

