krb5 "Error Code 52" - UDP packet size - TCP fallback

Uli Schröder uli.schroeder at
Fri Jun 6 17:51:19 EDT 2003

Hi Ken!

> > When I run kinit for my testuser it works fine. The 
> testuser ist just 
> > a
> > member of the domain with read access to the directory. No 
> other groups 
> > or permissions. When I try to do a kinit for my own account 
> with all its 
> > group memberships, etc., I just get the error code 52. I 
> read on the 
> > internet that this is because the Windows 2000 server 
> switches from UDP 
> > to TCP if the maximum packet size is exceeded. I think this 
> happens with 
> > all my "normal" users.
> Yep, client-side TCP support wasn't in that release.  The 
> upcoming release from MIT will include it.

Is that already included in the snapshot or 1.3-beta versions on the
internet? Did MIT announce an estimated time for a release?

> > It seems like a lot of people managed to authenticate against AD.
> > Maybesomeone can help me with this problem and tell me how 
> he solved it.
> Do you define a very large number of groups for access 
> control that lots of people are in?  That's how we set my 
> account up to fail in the UDP-only case, for testing purposes...

I didn't have the time to experiment with different conditions. I just
used a very simple test account and my own account to check the
functionality. Yet still I am indeed in different groups that lots of
other people are in as well.

Kind regards,

More information about the Kerberos mailing list