2015-05-06 17:01 GMT+02:00 Greg Hudson <ghud...@mit.edu>:
> On 05/06/2015 10:45 AM, Meike Stone wrote:
>> I like to use kpasswd, but the kpasswd_server is behind a firewall and
>> only TCP port 464 is allowed.
>> But as I see, kpasswd only uses UDP. Setting udp_preference_limit to 0
>> (under libdefaults)
>> didn't help.
>
> The intent of the changepw.c code is to try both UDP and TCP first
> (typically beginning with a UDP query, but udp_preference_limit could
> cause a TCP query to be tried first), and then retry with only TCP if it
> gets back a KRB5KRB_ERR_RESPONSE_TOO_BIG error.
>
> As far as I know this code functions as intended. Can you describe in
> more detail what leads you to believe that it is only trying UDP? Also,
> what version are you using on the client, and what is running on the
> kpasswd server?
The client is KfW 4.0.1 32bit. The kpasswd server is AD W2k8; UDP and TCP
(port 464) on the server are open. In between is a proxy firewall with a
rule for TCP port 464.

If I start kpasswd, I first see a few port 88 (preauth) packets, then I
only see one UDP packet to port 464, and no tries for TCP:

18:31:39.696660 IP (tos 0x0, ttl 128, id 31724, offset 0, flags [+], proto UDP (17), length 1500)
    192.168.1.217.4350 > 192.168.1.20.464: UDP, length 1550
18:31:39.696737 IP (tos 0xc0, ttl 64, id 12852, offset 0, flags [none], proto ICMP (1), length 576)
    192.168.1.20 > 192.168.1.217: ICMP 192.168.1.20 udp port 464 unreachable, length 556

(client 192.168.1.217 / proxy firewall: 92.168.1.20)

The error message is:

"kpasswd: Cannot contact any KDC for requested realm changing password"

In the source code (kfw-4.0.1-src.zip), it looks like it is hard coded
(as above), and I found the following lines:

"
    if (code) {
        /*
         * Here we may want to switch to TCP on some errors.
         * right?
         */
        break;
    }
"

Thanks
Meike
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
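A small model of the transport selection Greg describes (UDP or TCP first depending on udp_preference_limit, the other transport on failure, TCP-only retry on KRB5KRB_ERR_RESPONSE_TOO_BIG), added here as an example and not taken from the thread or from MIT's changepw.c. The stub send() callable, the firewalled_kdc() stand-in and the constructed reply bytes are assumptions; 1465 is the documented default of udp_preference_limit.

```python
# Added example (hypothetical model, not MIT's changepw.c): the transport
# fallback Greg describes for kpasswd, driven by udp_preference_limit.
# A stub send(transport) callable stands in for the network.

KRB5KRB_ERR_RESPONSE_TOO_BIG = "KRB5KRB_ERR_RESPONSE_TOO_BIG"
ICMP_UNREACHABLE = "ICMP port unreachable"   # what the capture shows for UDP/464
NO_KDC = "Cannot contact any KDC for requested realm"


def transport_order(request_len, udp_preference_limit):
    """Requests larger than udp_preference_limit start with TCP, smaller ones
    with UDP; a limit of 0 therefore always puts TCP first. Both transports
    stay in the list so the second one is tried if the first fails."""
    if request_len > udp_preference_limit:
        return ["tcp", "udp"]
    return ["udp", "tcp"]


def change_password(send, request_len, udp_preference_limit=1465):
    """send(transport) -> ("ok", reply) or ("err", code).
    Returns (transports attempted in order, final outcome)."""
    attempts = []
    for transport in transport_order(request_len, udp_preference_limit):
        attempts.append(transport)
        status, value = send(transport)
        if status == "ok":
            return attempts, "ok"
        if value == KRB5KRB_ERR_RESPONSE_TOO_BIG:
            # The KDC answered but the reply exceeds a UDP datagram: retry TCP only.
            attempts.append("tcp")
            status, value = send("tcp")
            return attempts, "ok" if status == "ok" else value
        # Any other failure (e.g. the ICMP unreachable above): try the next transport.
    return attempts, NO_KDC


def firewalled_kdc(transport):
    """Constructed stand-in for the setup in the thread: the proxy firewall
    rejects UDP/464 with ICMP unreachable and only passes TCP/464."""
    if transport == "udp":
        return ("err", ICMP_UNREACHABLE)
    return ("ok", b"KRB-PASSWD-REPLY")   # constructed placeholder reply


if __name__ == "__main__":
    # With the intended fallback, a rejected UDP attempt is followed by TCP.
    print(change_password(firewalled_kdc, request_len=1550, udp_preference_limit=0))
```

Comparing the attempt list this model produces with a capture like the one above shows quickly whether the client under test ever reaches the TCP step.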