Bug 1399596

Summary: [RFE] Add udp_preference_limit = 0 when joining an AD domain
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: realmd
Assignee: Sumit Bose <sbose>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: pkis
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-12-01 16:05:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jakub Hrozek 2016-11-29 11:17:43 UTC
Description of problem:
The Kerberos tickets issued by AD KDCs are often quite large because the ticket also contains the PAC blob with additional authorization data about the user. The size is typically too large for UDP transport and causes unnecessary fallbacks to TCP.

It would make sense to default to TCP in the first place.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. join an AD domain
2. log in as an AD user, preferably one who is a member of a large number of groups
3. observe traffic with tcpdump, wireshark or just inspect the sssd log files

Actual results:
libkrb5 first tries UDP and then switches to TCP

Expected results:
TCP is used from the start

Additional info:
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1399262 for additional discussion.
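The setting the RFE asks for lives in the [libdefaults] section of krb5.conf. The following is an added example, not code from this bug report, realmd or sssd: a small krb5.conf reader that extracts the effective udp_preference_limit and applies MIT libkrb5's documented rule (default 1465 bytes; a value of 0 means TCP is tried first for every KDC message). The two configurations are constructed samples, one without the setting and one with it.

```python
import re

DEFAULT_UDP_PREFERENCE_LIMIT = 1465  # MIT krb5 default when the key is unset

# Constructed sample: an AD-joined client without the setting (UDP tried first
# for any message up to 1465 bytes, then a retry over TCP).
CONF_BEFORE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

# Constructed sample: the same file with the line this RFE asks realmd to add.
CONF_AFTER = CONF_BEFORE.replace(
    "dns_lookup_kdc = true",
    "dns_lookup_kdc = true\n    udp_preference_limit = 0")


def parse_libdefaults(text):
    """Return the key/value pairs of [libdefaults] as a dict.

    Skips '#'/';' comment lines and any '{ ... }' sub-block (realm
    definitions), so a 'kdc = ...' line is never mistaken for a libdefault.
    """
    values, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, depth = header.group(1), 0
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key] = val
    return values


def udp_preference_limit(text):
    """Effective limit in bytes; 0 means libkrb5 always tries TCP first."""
    value = parse_libdefaults(text).get("udp_preference_limit")
    return int(value) if value is not None else DEFAULT_UDP_PREFERENCE_LIMIT


def tries_tcp_first(text, message_size):
    """libkrb5 rule: TCP before UDP when the message is larger than the limit."""
    return message_size > udp_preference_limit(text)
```

With CONF_AFTER every message size, including a small AS-REQ, goes to TCP first; with CONF_BEFORE only a message over 1465 bytes does, which is the UDP-then-TCP fallback the report describes.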

Comment 1 Jakub Hrozek 2016-12-01 16:05:36 UTC
We decided to let sssd itself create this file in the end. Closing.