For historical reasons, the administrator is a member of lots of groups. As
a result the ticket size is too big for UDP, so the W2k3 server sends a
KRB5KRB_ERR_RESPONSE_TOO_BIG (Response too big for UDP, retry with TCP)
error back to kinit.

Unfortunately this case is not handled in lib/krb5/get_in_tck.c -
krb5_get_in_cred(). Only the KRB5KDC_ERR_PREAUTH_REQUIRED error is
handled.

Sorry for not responding earlier.

If you grab the latest heimdal-0.6-<date>.tar.gz snapshot it will contain
code that supports falling back to TCP when UDP fails or the error
KRB5KRB_ERR_RESPONSE_TOO_BIG is returned.

If you don't want to upgrade you can force TCP in krb5.conf:

[realms]
       MY.REALM = {
                kdc = tcp/my.first.kdc.my.realm
                kdc = tcp/my.second.kdc.my.realm
       }
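The UDP-to-TCP fallback the reply describes, as an added example that is not Heimdal's code: a minimal DER walk that pulls the error-code out of a KRB-ERROR, and a caller that retries over TCP (RFC 4120 4-byte length framing) when the KDC answers with KRB5KRB_ERR_RESPONSE_TOO_BIG (error-code 52). The send_udp/send_tcp callbacks are assumed to be supplied by the caller, and the sample KRB-ERROR is constructed here and abbreviated to three fields.

```python
import struct

KRB5KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error-code value
KRB_ERROR_MSG_TYPE = 30              # KRB-ERROR is [APPLICATION 30]


def _der_tlv(buf, pos=0):
    """Parse one DER TLV (definite length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def krb_error_code(msg):
    """Return the error-code of a DER KRB-ERROR, or None if msg is not one."""
    tag, body, _ = _der_tlv(msg)
    if tag != 0x60 | KRB_ERROR_MSG_TYPE:      # 0x7e: constructed APPLICATION 30
        return None
    tag, seq, _ = _der_tlv(body)
    if tag != 0x30:                            # SEQUENCE
        return None
    pos = 0
    while pos < len(seq):
        ctx, field, pos = _der_tlv(seq, pos)
        if ctx == 0xA6:                        # [6] error-code
            _, ival, _ = _der_tlv(field)       # inner INTEGER
            return int.from_bytes(ival, "big", signed=True)
    return None


def get_kdc_response(req, send_udp, send_tcp):
    """Send req over UDP; fall back to TCP on RESPONSE_TOO_BIG or UDP failure."""
    try:
        reply = send_udp(req)
    except OSError:
        reply = None
    if reply is not None and krb_error_code(reply) != KRB5KRB_ERR_RESPONSE_TOO_BIG:
        return reply, "udp"
    raw = send_tcp(struct.pack(">I", len(req)) + req)   # RFC 4120 7.2.2 framing
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n], "tcp"


def _der(tag, content):                        # short-form DER encoder (< 128 bytes)
    return bytes([tag, len(content)]) + content

def _ctx_int(n, value):                        # [n] INTEGER with a one-byte value
    return _der(0xA0 | n, _der(0x02, bytes([value])))

# Constructed sample: abbreviated KRB-ERROR with pvno 5, msg-type 30, error-code 52
SAMPLE_TOO_BIG = _der(0x7E, _der(0x30, _ctx_int(0, 5) + _ctx_int(1, 30) + _ctx_int(6, 52)))
```

A real KRB-ERROR also carries stime, susec, realm and sname; the walk above ignores fields it does not need, so it works unchanged on a full message.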
I'm trying to get ADS support in Samba 3.0.11 on Solaris 8 to work. I am pretty close, but Samba doesn't recognize the 'realm' keyword in the smb.conf file. It seems to be okay with security = ads, but that doesn't do much good if it can't determine the realm. ;) Also, I'm running into the same udp-too-big error, and the above fix using /etc/krb5.conf does not work. I end up with:

   kinit: krb5_get_init_creds: unable to reach any KDC in realm {MY.REALM}


I'm pulling down the latest heimdal now, but I had to do a trick to get even 0.6.3 to compile -- I had to close permissions to /usr/include/gssapi (otherwise it complained about duplicate definitions of stuff). I tried using MIT's kerberos (1.4), but it has a problem finding freeifaddrs and getifaddrs:
   gcc -L../../../lib -R/usr/local/lib -g -O2 -Wall
   -Wmissing-prototypes -Wcast-qual  -Wcast-align -Wconversion -Wshadow
   -pedantic  -o client client.o rpc_test_clnt.o \
           -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
   -lkrb5support  -lresolv -lsocket -lnsl
   Undefined                       first referenced
    symbol                             in file
   freeifaddrs                         ../../../lib/libkrb5.so
   getifaddrs                          ../../../lib/libkrb5.so
   ld: fatal: Symbol referencing errors. No output written to client
   collect2: ld returned 1 exit status

The only place I found those referenced were in the Heimdal files (in the libroken.a library). But I can't compile a shared version of that library, because --enable-shared for Heimdal results in huge lists of undefined symbols when compiling libsl.so.

I can't seem to win here.  I saw Joseph Gaude's message that said:

I used:
MIT Kerberos 1.3.4
OpenSSL 0.9.7d
OpenLdap 2.2.14
Samba 3.0.7
all compiled from source. Do not use the Sunfreeware supplied packages as
the libraries will not work.

Also,
installed ncurses, popt, libiconv from Sunfreeware.
How did you get MIT Kerberos to install? (i.e., where are its freeifaddrs and getifaddrs functions coming from?)
I've got OpenLdap 2.2.23 installed, OpenSSL 0.9.7d, Heimdal 0.6.3, and Samba 3.0.11.

Any ideas?

--Dave "Dragon" Michaels


-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba