>
>
>> For historical reasons, the administrator is a member of lots of groups.
>> As a result the ticket size is too big for UDP, so the W2k3-server sends
>> a KRB5KRB_ERR_RESPONSE_TOO_BIG (Response too big for UDP, retry with TCP)
>> error back to kinit.
>>
>> Unfortunately this case is not handled in lib/krb5/get_in_tck.c -
>> krb5_get_in_cred(). Only the KRB5KDC_ERR_PREAUTH_REQUIRED error is
>> handled.
>
>Sorry for not responding earlier,
>
>If you grab the latest heimdal-0.6-<date>.tar.gz snapshot it will contain
>code that supports falling back to TCP when UDP fails or the error
>KRB5KRB_ERR_RESPONSE_TOO_BIG is returned.
>
>If you don't want to upgrade you can force tcp in krb5.conf
>
>[realms]
> MY.REALM = {
> kdc = tcp/my.first.kdc.my.realm
> kdc = tcp/my.second.kdc.my.realm
> }
>
I'm trying to get ADS support in Samba 3.0.11 on Solaris 8 to work. I
am pretty close, but Samba doesn't recognize the 'realm' keyword in
the smb.conf file. It seems to be okay with security = ads, but that
doesn't do much good if it can't determine the realm. ;) Also, I'm
running into the same udp-too-big error, and the above fix using
/etc/krb5.conf does not work. I end up with:
kinit: krb5_get_init_creds: unable to reach any KDC in realm {MY.REALM}
I'm pulling down the latest heimdal now, but I had to do a trick to get
even 0.6.3 to compile -- I had to close permissions to
/usr/include/gssapi (otherwise it complained about duplicate definitions
of stuff). I tried using MIT's kerberos (1.4), but it has a problem
finding freeifaddrs and getifaddrs:
    gcc -L../../../lib -R/usr/local/lib -g -O2 -Wall
      -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow
      -pedantic -o client client.o rpc_test_clnt.o \
      -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
      -lkrb5support -lresolv -lsocket -lnsl
    Undefined       first referenced
     symbol             in file
    freeifaddrs     ../../../lib/libkrb5.so
    getifaddrs      ../../../lib/libkrb5.so
    ld: fatal: Symbol referencing errors. No output written to client
    collect2: ld returned 1 exit status
The only place I found those referenced were in the Heimdal files (in
the libroken.a library). But I can't compile a shared version of that
library, because --enable-shared for Heimdal results in huge lists of
undefined symbols when compiling libsl.so.
I can't seem to win here. I saw Joseph Gaude's message that said:
>I used:
>MIT Kerberos 1.3.4
>OpenSSL 0.9.7d
>OpenLdap 2.2.14
>Samba 3.0.7
>all compiled from source. Do not use the Sunfreeware supplied packages as
>the libraries will not work.
>
>Also,
>installed ncurses, popt, libiconv from Sunfreeware.
>
How did you get MIT Kerberos to install? (i.e., where are its
freeifaddrs and getifaddrs functions coming from?)
I've got OpenLdap 2.2.23 installed, OpenSSL 0.9.7d, Heimdal 0.6.3, and
Samba 3.0.11.
Any ideas?
--Dave "Dragon" Michaels