Bug 1399596 - [RFE] Add udp_preference_limit = 0 when joining an AD domain
Summary: [RFE] Add udp_preference_limit = 0 when joining an AD domain
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: realmd
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Sumit Bose
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-11-29 11:17 UTC by Jakub Hrozek
Modified: 2016-12-01 16:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-01 16:05:36 UTC
Target Upstream Version:



Description Jakub Hrozek 2016-11-29 11:17:43 UTC
Description of problem:
The Kerberos tickets issued by AD KDCs are often quite large because the ticket also contains the PAC blob with additional authorization data about the user. The size is typically too large for UDP transport and causes unnecessary fallbacks to TCP.

It would make sense to default to TCP in the first place.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. join an AD domain
2. log in as an AD user, preferably one who is a member of a large number of groups
3. observe traffic with tcpdump, wireshark or just inspect the sssd log files

Actual results:
libkrb5 first tries UDP and then switches to TCP

Expected results:
TCP is used from the start

Additional info:
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1399262 for additional discussion.
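The behaviour described in this report, as an added example that is not part of the bug or of realmd/sssd: a small parser for the [libdefaults] section of a constructed krb5.conf, the transport choice libkrb5 makes from udp_preference_limit (MIT's documented default is 1465 bytes), and the requested udp_preference_limit = 0 applied to the config.

```python
"""Check krb5.conf for udp_preference_limit and show how it steers transport.

Added example, not part of the Bugzilla report. The sample config below is
constructed; the parser only handles the flat key = value layout of
[libdefaults], which is all this check needs.
"""
import re

MIT_DEFAULT_UDP_LIMIT = 1465  # bytes; MIT libkrb5 default when the key is unset

# Constructed krb5.conf in the shape an AD join leaves behind, without the key.
SAMPLE_KRB5_CONF_BEFORE = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 EXAMPLE.TEST = {
 }
"""

def libdefaults(conf_text):
    """Return the [libdefaults] key/value pairs of a krb5.conf as a dict."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section == 'libdefaults' and '=' in line and not line.endswith('{'):
            key, _, val = line.partition('=')
            values[key.strip()] = val.strip()
    return values

def udp_preference_limit(conf_text):
    """Effective limit: the configured value, else MIT's default."""
    value = libdefaults(conf_text).get('udp_preference_limit')
    return int(value) if value is not None else MIT_DEFAULT_UDP_LIMIT

def first_transport(message_len, limit):
    """Transport libkrb5 tries first: TCP once the message exceeds the limit."""
    return 'tcp' if message_len > limit else 'udp'

def add_tcp_preference(conf_text):
    """Insert udp_preference_limit = 0 under [libdefaults] (the requested fix)."""
    if 'udp_preference_limit' in libdefaults(conf_text):
        return conf_text
    return conf_text.replace('[libdefaults]\n',
                             '[libdefaults]\n udp_preference_limit = 0\n', 1)

if __name__ == '__main__':
    before = udp_preference_limit(SAMPLE_KRB5_CONF_BEFORE)
    after = udp_preference_limit(add_tcp_preference(SAMPLE_KRB5_CONF_BEFORE))
    # A 4 KiB reply carrying a PAC: UDP first by default, TCP with limit 0.
    print(first_transport(4096, before), first_transport(4096, after))
    # A small request: UDP by default, still TCP once the limit is 0.
    print(first_transport(300, before), first_transport(300, after))
```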

Comment 1 Jakub Hrozek 2016-12-01 16:05:36 UTC
We decided to let sssd itself create this file in the end. Closing.

