krb5 "Error Code 52" - UDP packet size - TCP fallback

Ken Raeburn raeburn at MIT.EDU
Tue Jun 10 19:30:28 EDT 2003

Uli Schröder <uli.schroeder at> writes:
> The test account is just a domain user with no other group memberships.
> A kinit for him works (almost properly). At least no obvious error
> message on the console. Nevertheless in Ethereal I can see an error
> message. It says "KRB5KDC_ERR_PREAUTH_REQUIRED". I guess after that
> error packet kinit tries a second time, this time with
> preauthentication.

Okay, that sounds good.  Could be the group membership, then.  Of
course, it may well be some other factor I'm not aware of....

> Is there a way to configure Kerberos to use preauthentication
> immediately?

Not currently, in the MIT implementation.  I think the library
routines have some hooks for indicating that preauth should be used,
but I don't think there's any way to use those hooks in the
MIT-provided clients without some code changes.

> Nevertheless if I do a kinit for my normal account it fails with
> error code 52. No change between krb5-1.2.7 and krb5-1.3.

Is it saying "KRB5 error code 52" exactly?  That shouldn't be in the
source code for the 1.3 snapshot.  The error message is now "Response
too big for UDP, retry with TCP", and shouldn't be displayed unless
the server sends that error code over a TCP connection, or the client
library thinks that TCP service isn't available for some reason, which
should only happen if you have DNS SRV records that indicate only UDP
service is available (try "dig _kerberos._udp.REALMNAME srv", and try
with _tcp instead of _udp) and the config files don't list the KDCs at

If you are getting the "52" message, that may mean you aren't actually
getting the 1.3 snapshot code for some reason.  (Did you build with
shared libraries, and run programs in the build tree without
installing the libraries?  I've done that sometimes.)

>    Maybe it's a
> mistake by me while configuring and compiling the snapshot. The binaries
> are created and "make check" works. Still it looks to me like "make
> install" doesn't copy the configuration files (i.e. krb5.conf) anywhere.

No, config files aren't installed by default.

We should probably consider installing some as "examples", avoiding
overwriting any installed versions.  But, at the same time, we
probably want to move towards needing as little in them as possible,
perhaps to the point of not needing them at all if we're really lucky.
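
Added example, not part of the original message and not MIT krb5 code: a small parser that takes the text printed by the two dig queries mentioned above (the _udp one and the _tcp one) and reports which KDCs are advertised over UDP only. The realm EXAMPLE.COM, the host names, and the function names are constructed for illustration.

```python
"""Compare _kerberos._udp and _kerberos._tcp SRV answers for one realm."""

def parse_srv(dig_output):
    """Return sorted (priority, weight, port, target) tuples from dig SRV output.

    Works for full answer-section lines and for `dig +short` lines: in both,
    the last four fields are priority, weight, port and target.
    """
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank lines and dig comments
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            prio, weight, port = (int(f) for f in fields[-4:-1])
        except ValueError:                    # not an SRV record line
            continue
        target = fields[-1].lower()
        if target == ".":  # RFC 2782: target "." means service not offered
            continue
        records.append((prio, weight, port, target.rstrip(".")))
    return sorted(records)

def transport_report(udp_output, tcp_output):
    """Summarise which KDC hosts DNS advertises per transport."""
    udp = {r[3] for r in parse_srv(udp_output)}
    tcp = {r[3] for r in parse_srv(tcp_output)}
    return {
        "udp_kdcs": sorted(udp),
        "tcp_kdcs": sorted(tcp),
        "udp_only": sorted(udp - tcp),   # no TCP record for these hosts
        "tcp_advertised": bool(tcp),
    }

# Constructed sample outputs (assumed realm and hosts, not from the thread).
SAMPLE_UDP = """;; ANSWER SECTION:
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 0 100 88 kdc1.example.com.
_kerberos._udp.EXAMPLE.COM. 3600 IN SRV 10 100 88 kdc2.example.com.
"""
SAMPLE_TCP_NONE = "_kerberos._tcp.EXAMPLE.COM. 3600 IN SRV 0 0 0 .\n"
SAMPLE_TCP_SHORT = "0 100 88 kdc1.example.com.\n"  # `dig +short` form

if __name__ == "__main__":
    print(transport_report(SAMPLE_UDP, SAMPLE_TCP_NONE))
    print(transport_report(SAMPLE_UDP, SAMPLE_TCP_SHORT))
```

A report with "tcp_advertised" false, or with hosts listed under "udp_only", corresponds to the DNS situation described above in which only UDP service is indicated.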

