On Tue, 2012-09-04 at 17:50 +0000, Wojtak, Greg (Superfly) wrote:
> On 2012-09-04 12:17 PM, "Jakub Hrozek" <[email protected]> wrote:
>
> >On Tue, Sep 04, 2012 at 04:00:57PM +0000, Wojtak, Greg (Superfly) wrote:
> >> Every once in a while with SSSD, we run into a problem where we aren't
> >> able to get user information or authenticate users. We are using
> >> ldap/kerberos against an Active Directory set up over SSL (LDAPS) and we
> >> see the following message in the logs:
> >>
> >>     encoded packet size too big (813957100 > 16777215)
> >>
> >
> >Hi Greg,
> >
> >are you using the ldap:// or ldaps:// scheme to connect to the AD server?
> >
> >If you are getting the same error with ldapsearch & friends, then the
> >issue is not inside SSSD. This error happens when the AD issues a PAC
> >that is too big for the SASL library to handle -- the PAC contains
> >information about users and groups as well and might grow in a very
> >large organization.
> >
> >> From what I've been able to gather, this is something to do with the
> >> cyrus-sasl package. I've also seen this error pop up when doing
> >> operations with the openldap-clients (ldapsearch, ldapmodify). I've
> >> found that by specifying the minssf and maxssf values in the ldap*
> >> operations, the operations would then succeed.
> >>
> >> I'm wondering if the same type of fix would work for SSSD? Is there a
> >> way to specify the SSF of the SASL operations that SSSD uses? Is there
> >> another workaround for this?
> >>
> >
> >You can use the ldap_sasl_minssf option to fine-tune the SSF. The code
> >path that uses the option value is the same as the openldap-clients
> >utilities use, so if you were able to find a value that works for you
> >with ldapsearch, then the same should work with the SSSD, too.
> >_______________________________________________
> >sssd-users mailing list
> >[email protected]
> >https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
> I am not specifying a scheme but verified that sssd is using ldaps:// -
> tcpdump and netstat show connections to my DCs on port 636 and none on
> 389.
>
> I'll play around with the ldap_sasl_minssf and see if that causes the
> errors to disappear (similar to how the ldap* commands did) and report back.
>
> Hate to sound thick, but what exactly is a PAC? I've seen it in related
> threads and searches but have been unable to find a decent definition...
http://msdn.microsoft.com/en-us/library/cc237917%28v=prot.13%29.aspx

However, it comes into play only when using GSSAPI for LDAP binds.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
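A small diagnostic for the log line quoted in this thread, added here as an example and not part of the original mail exchange: it parses the cyrus-sasl "encoded packet size too big" message, checks whether the limit is the 24-bit maximum the SASL GSSAPI security layer can negotiate (16777215), and reconstructs the four bytes the client read as a SASL frame length. The 0x30 check is a heuristic assumption (every LDAP message starts with the BER SEQUENCE tag 0x30), and the sample log lines are constructed.

```python
import re
import struct

# Largest buffer the SASL GSSAPI security layer can negotiate: the size
# field in the mechanism's negotiation token is 24 bits wide, so 0xFFFFFF.
SASL_GSSAPI_MAXBUF = 0xFFFFFF
# Every LDAPMessage is a BER SEQUENCE, whose tag byte is 0x30.
BER_SEQUENCE_TAG = 0x30

PACKET_TOO_BIG = re.compile(
    r"encoded packet size too big \((?P<claimed>\d+) > (?P<maxbuf>\d+)\)"
)

def analyze_line(line):
    """Diagnose one SASL/SSSD log line; return None if it is not the error."""
    m = PACKET_TOO_BIG.search(line)
    if m is None:
        return None
    claimed, maxbuf = int(m["claimed"]), int(m["maxbuf"])
    diag = {"claimed": claimed, "maxbuf": maxbuf,
            "maxbuf_is_gssapi_limit": maxbuf == SASL_GSSAPI_MAXBUF,
            "prefix_hex": None, "looks_like_raw_ldap": False,
            "ber_length_octets": None}
    if claimed < 2**32:
        # The security layer prefixes each frame with a 4-byte big-endian
        # length; these are the bytes the client actually read.
        prefix = struct.pack(">I", claimed)
        diag["prefix_hex"] = prefix.hex()
        # Heuristic (assumption, not from the thread): a 0x30 tag followed by
        # a long-form BER length looks like a plain LDAP PDU arriving where a
        # SASL-wrapped frame was expected, i.e. a security-layer mismatch.
        if prefix[0] == BER_SEQUENCE_TAG:
            diag["looks_like_raw_ldap"] = True
            # Long form: low 7 bits give the number of length octets that follow.
            diag["ber_length_octets"] = prefix[1] & 0x7F if prefix[1] & 0x80 else 0
    return diag

def analyze_log(lines):
    """Return a diagnosis for every matching line in an iterable of log lines."""
    return [d for d in map(analyze_line, lines) if d is not None]

# Constructed sample: the first line carries the message quoted in the
# thread, the second is an unrelated line that must be ignored.
SAMPLE_LOG = [
    "Sep  4 16:00:57 host sssd_be: encoded packet size too big (813957100 > 16777215)",
    "Sep  4 16:00:58 host sssd_be: Connected to 'ad.example.com' (constructed)",
]

if __name__ == "__main__":
    for d in analyze_log(SAMPLE_LOG):
        print(d)
```

For the thread's value the prefix decodes to 30 83 ff ec: a SEQUENCE tag followed by a three-octet long-form length, which is why the heuristic flags it.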
