[Samba] Cannot contact any KDC error when contacting Active Directory domains with a short domain name length

Jeremy Allison jra at samba.org
Tue Dec 8 04:29:15 UTC 2020


On Mon, Dec 07, 2020 at 05:23:10PM -0800, Doug Dlutz via samba wrote:
>I think I've found out the root cause is due to a UDP limit, and now my
>question is essentially "How can I force samba to communicate to Active
>Directory over TCP"?
>
>I took some packet captures, and noticed that using a long domain resulted
>in a KRB5KRB_ERR_RESPONSE_TOO_BIG response to the AS-REQ, and then the next
>AS-REQ was over TCP and all was fine. Then, I noticed that for a short domain
>with a short netbios name, it all fit within a single UDP packet. With a
>short domain name and a large netbios name, it didn't fit within a single UDP
>packet and was getting fragmented, but for some reason isn't sending
>back KRB5KRB_ERR_RESPONSE_TOO_BIG.

That may be because it's an intermediate router that is
fragmenting the UDP packet, not the sending AD-DC.

The AD-DC sends a single UDP packet reply, which fits
inside the MTU of the link. But then the packet
traverses a link with a smaller MTU, and the router
between the large MTU link and the smaller MTU link
can fragment the UDP packet.

Don't think the client code copes with that.

If you do a wireshark trace on the AD-DC
sending the UDP reply, does it set the
IPv4 Don't Fragment (DF) flag bit?

If this is IPv6 ignore all the above of course :-).
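The DF/fragmentation check Jeremy asks for, as an added example that is not part of the thread: a small IPv4 header parser that reports, for each datagram leaving the KDC's UDP port 88, whether it is a whole reply (and whether DF is set) or an IP fragment produced downstream. The packets it runs on are constructed here (addresses, IP ID and a 4000-byte AS-REP are assumptions, not captured data); on a real trace you would feed it the raw IP bytes of each frame.

```python
import socket
import struct

KDC_PORT = 88  # Kerberos over UDP

def parse_ipv4(packet: bytes) -> dict:
    """Decode the IPv4 header fields that matter for fragmentation, plus UDP ports."""
    (ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    flags = flags_frag >> 13                 # bit 1 = DF, bit 0 = MF
    offset = (flags_frag & 0x1FFF) * 8       # fragment offset in bytes
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ident": ident, "total_len": total_len, "proto": proto,
            "df": bool(flags & 0x2), "mf": bool(flags & 0x1),
            "offset": offset, "sport": None, "dport": None}
    # Only the first fragment carries the UDP header, so ports are known there only.
    if proto == 17 and offset == 0 and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info

def kdc_reply_status(packet: bytes) -> str:
    """Classify one datagram: whole KDC reply (DF set/clear) or an IP fragment."""
    p = parse_ipv4(packet)
    if p["mf"] or p["offset"] > 0:
        tail = "more fragments" if p["mf"] else "last fragment"
        return f"fragment id={p['ident']:#06x} offset={p['offset']} ({tail})"
    if p["proto"] != 17 or p["sport"] != KDC_PORT:
        return "not a KDC UDP reply"
    return "whole KDC reply, DF set" if p["df"] else "whole KDC reply, DF clear"

def build_ipv4(payload: bytes, src: str, dst: str, *, df=False, mf=False,
               offset=0, ident=0x1234) -> bytes:
    """Constructed IPv4 datagram for the demo (checksums left zero, proto UDP)."""
    flags_frag = (((2 if df else 0) | (1 if mf else 0)) << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed samples (assumed addresses): a 4000-byte AS-REP that the DC sends as
# one UDP datagram with DF clear, and the two pieces a 1500-byte-MTU router makes of it.
KDC, CLIENT = "10.0.0.5", "10.0.1.20"
UDP_HDR = struct.pack("!HHHH", KDC_PORT, 40000, 8 + 3992, 0)
AS_REP = UDP_HDR + b"\x6b" * 3992
WHOLE = build_ipv4(AS_REP, KDC, CLIENT, df=False)
FRAG1 = build_ipv4(AS_REP[:1480], KDC, CLIENT, mf=True, offset=0)
FRAG2 = build_ipv4(AS_REP[1480:], KDC, CLIENT, offset=1480)
```

Seeing `DF clear` on the DC side together with `fragment ... offset=1480` on the client side is the router-fragmentation case described above; a DF-set reply would instead be dropped by the router with an ICMP error rather than fragmented.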
