krb5 "Error Code 52" - UDP packet size - TCP fallback

Uli Schröder zuhause at
Wed Jun 11 12:07:25 EDT 2003

"Ken Raeburn" <raeburn at> wrote in message
news:tx1of15se7f.fsf at
> ... 
> > Nevertheless if I do a kinit for my normal account it fails with
> > error code 52. No change between krb5-1.2.7 and krb5-1.3.
> Is it saying "KRB5 error code 52" exactly?  That shouldn't be in the
> source code for the 1.3 snapshot.  The error message is now "Response
> too big for UDP, retry with TCP", and shouldn't be displayed unless
> the server sends that error code over a TCP connection, or the client
> library thinks that TCP service isn't available for some reason, which
> should only happen if you have DNS SRV records that indicate only UDP
> service is available (try "dig _kerberos._udp.REALMNAME srv", and try
> with _tcp instead of _udp) and the config files don't list the KDCs at
> all.

I had another kinit in my path. I wasn't aware of that. I thought I
had deleted all the old stuff. Now the new kinit works great. I can use
kinit with my own account. No more error 52! :)

As usual a new problem came up after that. I cannot compile pam_krb5
anymore. Maybe I have to use different linking options.
Which pam_krb5 package would you recommend? I tried the one shipped with
RH9. I think the one at sourceforge is a different one. Are there any
plans to include a pam_krb5 in the distribution? Would be very
convenient. :-)

> If you are getting the "52" message, that may mean you aren't actually
> getting the 1.3 snapshot code for some reason.  (Did you build with
> shared libraries, and run programs in the build tree without
> installing the libraries?  I've done that sometimes.)

Indeed, I compiled as shared libs. I thought libraries are installed
when I do "make install"!?

> ...
> No, config files aren't installed by default.
> We should probably consider installing some as "examples", avoiding
> overwriting any installed versions.  But, at the same time, we
> probably want to move towards needing as little in them as possible,
> perhaps to the point of not needing them at all if we're really lucky.

I think this would be a good idea. At least it would be a bit more

Maybe I have to change this thread to the devel or snapshot newsgroup.

Thanks for your great help so far! As I haven't done a lot with Linux,
Kerberos and PAM so far I'm thankful for any hint I can get.
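
The checks discussed in this message (a stale kinit earlier in the path, which shared libraries a binary resolves to, and the two SRV lookups) can be scripted as below. This is an added example, not part of the original post or of the krb5 distribution; the function names and the `KRB_REALM` variable are hypothetical, and `ldd` assumes a Linux system.

```shell
#!/bin/sh
# Diagnostics for an old kinit shadowing a newly built one.

# Print every executable named $1 found on search path $2 (default $PATH),
# in lookup order; the first line is the copy the shell actually runs.
# The ( ) body runs in a subshell so the IFS change does not leak.
list_in_path() (
    name=$1
    IFS=:
    set -f                      # no globbing while splitting the path
    for dir in ${2:-$PATH}; do
        [ -n "$dir" ] || dir=.  # an empty PATH entry means the current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
)

# Number of copies of $1 on the path; more than one means shadowing.
count_in_path() {
    list_in_path "$1" "${2:-}" | wc -l | tr -d ' '
}

# Show which Kerberos shared libraries a binary resolves to at run time.
linked_krb5_libs() {
    ldd "$1" 2>/dev/null | grep -E 'krb5|k5crypto' || true
}

# Full report: binaries on PATH, their libraries, and the SRV lookups
# quoted in the thread (needs dig and network access).
kinit_report() {
    realm=$1
    echo "kinit copies on PATH: $(count_in_path kinit)"
    list_in_path kinit | while IFS= read -r bin; do
        echo "== $bin"
        linked_krb5_libs "$bin"
    done
    for proto in udp tcp; do
        echo "== SRV _kerberos._$proto.$realm"
        dig +short "_kerberos._$proto.$realm" srv
    done
}

# KRB_REALM is a hypothetical variable: set it to your realm to run the report.
if [ -n "${KRB_REALM:-}" ]; then kinit_report "$KRB_REALM"; fi
```

If more than one kinit is listed, the first one is what the shell runs; a library path pointing at an old install rather than the new prefix indicates the new shared libraries are not the ones being loaded.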

