obtaining tickets by TCP - Kerberos
obtaining tickets by TCP
Colleagues,
Is there a way to configure a Kerberos client to use TCP for obtaining
tickets, other than explicitly listing all KDCs in krb5.conf with
the "tcp" prefix?
I want to be able to prefer TCP transport and still retain the
possibility of using DNS SRV records to look up KDCs.
TIA for any input.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
-
Re: obtaining tickets by TCP
On Sep 11, 2008, at 13:03, Victor Sudakov wrote:
> Colleagues,
>
> Is there a way to configure a Kerberos client to use TCP for obtaining
> tickets, other than explicitly listing all KDCs in krb5.conf with
> the "tcp" prefix?
>
> I want to be able to prefer TCP transport and still retain the
> possibility of using DNS SRV records to look up KDCs.
The setting "udp_preference_limit" (under libdefaults) indicates the
minimum outgoing packet size for which the library will try TCP
first. If it doesn't get through with TCP, it will still try UDP;
this only controls the order.
Ken
-
Re: obtaining tickets by TCP
Ken Raeburn wrote:
> >
> > Is there a way to configure a Kerberos client to use TCP for obtaining
> > tickets, other than explicitly listing all KDCs in krb5.conf with
> > the "tcp" prefix?
> >
> > I want to be able to prefer TCP transport and still retain the
> > possibility of using DNS SRV records to look up KDCs.
> The setting "udp_preference_limit" (under libdefaults) indicates the
> minimum outgoing packet size for which the library will try TCP
> first. If it doesn't get through with TCP, it will still try UDP;
> this only controls the order.
Sorry, I did not mention I was talking about Heimdal.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
-
Re: obtaining tickets by TCP
On 12 Sep 2008, at 09:59, Victor Sudakov wrote:
>>> Is there a way to configure a Kerberos client to use TCP for
>>> obtaining
>>> tickets, other than explicitly listing all KDCs in krb5.conf with
>>> the "tcp" prefix?
>>>
The default protocol in Heimdal is UDP; there is no way other than the one you
described to override it.
What problem do you have that requires TCP?
Love
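Since explicit `tcp/` entries are the only Heimdal option mentioned above, the following added example (not part of the thread and not Heimdal code) turns a realm's SRV answers into those entries so the list can be regenerated from DNS. The realm `EXAMPLE.COM`, the host names and the sample `dig +short SRV` output are constructed placeholders.

```python
# Added example: build Heimdal "kdc = tcp/host:port" lines from SRV answers.
# SAMPLE_SRV is constructed data in `dig +short SRV` format
# (priority weight port target); EXAMPLE.COM and the hosts are placeholders.
SAMPLE_SRV = """\
10 100 88 dc2.example.com.
0 100 88 dc1.example.com.
0 50 88 dc3.example.com.
garbage line
"""


def parse_srv(text):
    """Return (priority, weight, port, host) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        prio, weight, port = (int(p) for p in parts[:3])
        host = parts[3].rstrip(".").lower()
        if not host or not 0 < port < 65536:
            continue  # a "." target means "service not offered" (RFC 2782)
        records.append((prio, weight, port, host))
    return records


def order_kdcs(records):
    """Lowest priority first; within a priority, higher weight first.
    RFC 2782 asks for weighted random choice; a static file needs a fixed order."""
    return sorted(records, key=lambda r: (r[0], -r[1], r[3]))


def heimdal_realm_stanza(realm, srv_text):
    """Render a [realms] stanza that pins every KDC to TCP."""
    lines = ["[realms]", "    %s = {" % realm]
    for _prio, _weight, port, host in order_kdcs(parse_srv(srv_text)):
        lines.append("        kdc = tcp/%s:%d" % (host, port))
    lines.append("    }")
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice, feed it the output of: dig +short SRV _kerberos._tcp.<realm>
    print(heimdal_realm_stanza("EXAMPLE.COM", SAMPLE_SRV))
```

The generated stanza is static, so it has to be regenerated whenever the SRV records change.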
-
Re: obtaining tickets by TCP
Love Hörnquist Åstrand wrote:
> >>> Is there a way to configure a Kerberos client to use TCP for
> >>> obtaining
> >>> tickets, other than explicitly listing all KDCs in krb5.conf with
> >>> the "tcp" prefix?
> >>>
> The default protocol in Heimdal is UDP; there is no way other than the one you
> described to override it.
> What problem do you have that requires TCP?
The problem is with a Heimdal client and Microsoft KDC:
$ kinit sudakovva@SIBPTUS.TRANSNEFT.RU
sudakovva@SIBPTUS.TRANSNEFT.RU's Password:
kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
$
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
-
Re: obtaining tickets by TCP
> The problem is with a Heimdal client and Microsoft KDC:
>
> $ kinit sudakovva@SIBPTUS.TRANSNEFT.RU
> sudakovva@SIBPTUS.TRANSNEFT.RU's Password:
> kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
> $
What version is this? It should be fixed (again) in releases after
Jun 12 2007. Heimdal 1.1 for sure.
Love
-
Re: obtaining tickets by TCP
Love Hörnquist Åstrand wrote:
> > The problem is with a Heimdal client and Microsoft KDC:
> >
> > $ kinit sudakovva@SIBPTUS.TRANSNEFT.RU
> > sudakovva@SIBPTUS.TRANSNEFT.RU's Password:
> > kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
> > $
> What version is this?
ws233# klist --version
klist (Heimdal 0.6.3)
Copyright 1999-2004 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@pdc.kth.se
ws233# uname -sr
FreeBSD 7.0-RELEASE
ws233#
> It should be fixed (again) in releases after
> Jun 12 2007. Heimdal 1.1 for sure.
It is FreeBSD's stock Kerberos.
Can you give me the URL for the fix? I could submit a PR to the FreeBSD team.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
-
Re: obtaining tickets by TCP
On 13 Sep 2008, at 07:57, Victor Sudakov wrote:
> Love Hörnquist Åstrand wrote:
>>> The problem is with a Heimdal client and Microsoft KDC:
>>>
>>> $ kinit sudakovva@SIBPTUS.TRANSNEFT.RU
>>> sudakovva@SIBPTUS.TRANSNEFT.RU's Password:
>>> kinit: krb5_get_init_creds: Response too big for UDP, retry with TCP
>>> $
>
>> What version is this?
>
> ws233# klist --version
> klist (Heimdal 0.6.3)
0.6.3 is very old.
> Copyright 1999-2004 Kungliga Tekniska Högskolan
> Send bug-reports to heimdal-bugs@pdc.kth.se
> ws233# uname -sr
> FreeBSD 7.0-RELEASE
> ws233#
>
>
>> It should be fixed (again) in releases after
>> Jun 12 2007. Heimdal 1.1 for sure.
>
> It is FreeBSD's stock Kerberos.
> Can you give me the URL for the fix? I could submit a PR to the
> FreeBSD team.
>
http://www.h5l.org/fisheye/browse/he...12897&r2=12930
Might be others too.
Love