[Samba] Cannot contact any KDC error when contacting Active Directory domains with a short domain name length

Jeremy Allison jra at samba.org
Tue Dec 8 01:35:36 UTC 2020


On Mon, Dec 07, 2020 at 05:23:10PM -0800, Doug Dlutz via samba wrote:
>I think I've found out the root cause is due to a UDP limit, and now my
>question is essentially "How can I force samba to communicate to Active
>Directory over TCP"?
>
>I took some packet captures, and noticed that using a long domain resulted
>in a KRB5KRB_ERR_RESPONSE_TOO_BIG response to the AS-REQ, and then the next
>AS-REQ was over TCP and all was fine. Then, I noticed that for a short domain
>with a short netbios name, it all fit within a single UDP packet. With a
>short domain name and a large netbios name, it didn't fit within a single UDP
>packet and was getting fragmented, but for some reason isn't sending
>back KRB5KRB_ERR_RESPONSE_TOO_BIG.
>
>If somebody knows a way to force "TCP always" in either smb.conf for Active
>Directory commands or in 'net ads ...' command flags that would be great. I
>can't find anything easily documented on
>https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html or
>https://www.samba.org/samba/docs/current/man-html/net.8.html.
>
>I assumed samba would be using krb5 library underneath the hood and would
>respect udp_preference_limit in my krb5.conf, but that does not appear to
>be happening.

Looks like udp_preference_limit is only in the MIT krb5 source
code, not the built-in Heimdal code inside Samba.

If you're building without Active Directory you can build
using --with-system-mitkrb5 and that should force the MIT
libraries that use "udp_preference_limit".
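For reference, this is what the krb5.conf setting discussed above looks like on an MIT krb5 build (for example Samba configured with --with-system-mitkrb5). It is an added illustration, not configuration from the thread; the realm and KDC names are placeholders. With udp_preference_limit set to 1, any request larger than one byte is sent over TCP first, so the UDP fragmentation path is never exercised. Per the reply above, this has no effect on Samba's built-in Heimdal code.

```ini
; Added example (placeholder names). Applies to the MIT krb5 library only.
[libdefaults]
    default_realm = EXAMPLE.COM        ; placeholder realm
    ; Requests larger than this many bytes go over TCP first.
    ; 1 effectively forces TCP for every KDC exchange (AS-REQ, TGS-REQ).
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com          ; placeholder KDC hostname
    }
```

To confirm the setting is honoured, repeat the capture described in the question: after the change, the initial AS-REQ should already appear on TCP port 88 rather than as a UDP datagram followed by a retry.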
