[Samba] Cannot contact any KDC error when contacting Active Directory domains with a short domain name length

Doug Dlutz ddlutz at google.com
Tue Dec 8 01:23:10 UTC 2020


I think I've found out the root cause is due to a UDP limit, and now my
question is essentially "How can I force samba to communicate to Active
Directory over TCP"?

I took some packet captures, and noticed that using a long domain resulted
in a KRB5KRB_ERR_RESPONSE_TOO_BIG response to the AS-REQ, and then the next
AS-REQ was over TCP and all was fine. Then, I noticed that for a short domain
with a short netbios name, it all fit within a single UDP packet. With a
short domain name and a large netbios name, it didn't fit within a single UDP
packet and was getting fragmented, but for some reason the KDC isn't sending
back KRB5KRB_ERR_RESPONSE_TOO_BIG.

If somebody knows a way to force "TCP always" in either smb.conf for Active
Directory commands or in 'net ads ...' command flags that would be great. I
can't find anything easily documented on
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html or
https://www.samba.org/samba/docs/current/man-html/net.8.html.

I assumed samba would be using krb5 library underneath the hood and would
respect udp_preference_limit in my krb5.conf, but that does not appear to
be happening.

