KRB5 error code 52

Douglas E. Engert deengert at anl.gov
Thu Oct 7 17:28:32 EDT 2004



Wyllys Ingersoll wrote:
> 
> MaxTokenSize is not a SEAM parameter.     If the size of the token is too
> large to fit in a single UDP datagram when PAC data is included,  the KDC
> switches to TCP.  
> I think Windows 2003 Server has a flag that can be set on the user principals
> to force it to stop putting PAC data in the tickets for that user, which will
> fix the problem.
> 

The flag is set on the server principal in AD to tell AD not to add a PAC to
any service tickets for the server.

See: http://support.microsoft.com/?kbid=832572

But your problem may be with the TGT.

> For previous releases (Windows 2000 server), I *think* if you disable
> the use of pre-authentication for those users then that will also cause the
> AD KDC to stop issuing PAC data with those tickets.

There is a way to tell the AD to not add a PAC when getting a TGT,
(a preauth with PA_PAC_REQUEST) but this would require the SEAM kinit
to send this.

The real fix is to have SEAM support TCP to the KDC.

Temp fix is to not have a user in too many groups.

> 
> -Wyllys
> 
> 
> 
> Tyson Oswald wrote:
> 
>> So what is the MaxTokenSize in SEAM, I just got a formula from MS on
>> what they use for 2003.  Also we don't have this issue in SEAM for
>> Solaris 8 so what's different?
>>
>> thanks,
>> Tyson Oswald
>>
>> h.dadgari at comcast.net wrote in message 
>> news:<100520041836.10730.4162E9A70001ACE5000029EA2200750784079D0E090B0E0BD208 at comcast.net>... 
>>
>>  
>>
>>> SEAM 1.01 doesn't support TCP, later versions on Solaris 10 support TCP
>>>
>>> Hooshang
>>>
>>>
>>>   
>>>
>>>> Kerberos experts,
>>>>
>>>> I am using SEAM 1.01 on Solaris 9 and am authenticating to AD.  When 
>>>> others try they fail the login with the "KRB5 error code 52" error.  
>>>> I read that this has something to do with UDP packet size and to try 
>>>> TCP.  Is there a way in SEAM to have it use TCP rather than UDP, or 
>>>> to try UDP then TCP if that fails?  I was hoping there was a 
>>>> configuration parameter in krb5.conf.
>>>>
>>>> thanks,
>>>> Tyson Oswald
>>>> _______________________________________________
>>>>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
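
Added example, not part of the original message and not SEAM or MIT code: a sketch of the UDP-then-TCP retry discussed in this thread. It reads the error-code field of a KRB-ERROR reply and, on code 52 (KRB_ERR_RESPONSE_TOO_BIG in RFC 4120), resends the same request with the 4-octet length prefix used for Kerberos over TCP. The `send_udp` and `send_tcp` callables, the `exchange` name and the sample reply are assumptions made for illustration; `send_tcp` is assumed to return the reply with its own length prefix already stripped.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120: response too big for UDP, retry with TCP

def _der(tag, value):
    """Encode one DER TLV (short-form length only; enough for the sample)."""
    return bytes([tag, len(value)]) + value

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply):
    """Return the error-code of a KRB-ERROR, or None for any other message."""
    tag, body, _ = _tlv(reply, 0)
    if tag != 0x7E:  # KRB-ERROR is [APPLICATION 30]
        return None
    tag, seq, _ = _tlv(body, 0)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, field, pos = _tlv(seq, pos)
        if tag == 0xA6:  # [6] error-code, wrapping an INTEGER
            return int.from_bytes(_tlv(field, 0)[1], "big", signed=True)
    raise ValueError("KRB-ERROR has no error-code field")

def exchange(request, send_udp, send_tcp):
    """Try UDP first; on error 52 resend the same request over TCP."""
    reply = send_udp(request)
    if krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        # TCP framing: 4-octet big-endian length, then the unchanged request
        reply = send_tcp(struct.pack("!I", len(request)) + request)
    return reply

# Constructed sample KRB-ERROR (realm EXAMPLE.COM, error-code 52), not a capture
SAMPLE_KRB_ERROR = _der(0x7E, _der(0x30,
    _der(0xA0, _der(0x02, b"\x05")) + _der(0xA1, _der(0x02, b"\x1e")) +
    _der(0xA4, _der(0x18, b"20040101000000Z")) + _der(0xA5, _der(0x02, b"\x00")) +
    _der(0xA6, _der(0x02, b"\x34")) + _der(0xA9, _der(0x1B, b"EXAMPLE.COM")) +
    _der(0xAA, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0xA1, _der(0x30,
        _der(0x1B, b"krbtgt") + _der(0x1B, b"EXAMPLE.COM")))))))
```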

