KRB5 error code 52
Douglas E. Engert
deengert at anl.gov
Thu Oct 7 17:28:32 EDT 2004
Wyllys Ingersoll wrote:
> MaxTokenSize is not a SEAM parameter. If the size of the token is too
> large to fit in a single UDP datagram when PAC data is included, the KDC
> switches to TCP.
> I think Windows 2003 Server has a flag that can be set on the user
> to force it to stop putting PAC data in the tickets for that user, which
> fix the problem.
The flag is set on the server principal in AD to tell AD not to add a PAC to
any service tickets for the server.
But your problem may be with the TGT.
> For previous releases (Windows 2000 server), I *think* if you disable
> the use of pre-authentication for those users then that will also cause the
> AD KDC to stop issuing PAC data with those tickets.
There is a way to tell the AD to not add a pack when getting a TGT,
(a preauth with PA_PAC_REQUEST) but this would require the SEAM kinit
to send this.
The real fix to to have SEAM support TCP to the KDC.
Temp fix, is to not have a user in too many groups.
> Tyson Oswald wrote:
>> So what is the MaxTokenSize in SEAM, I just got a formula from MS on
>> what they use for 2003. Also we don't have this issue in SEAM for
>> Solaris 8 so what's different?
>> Tyson Oswald
>> h.dadgari at comcast.net wrote in message
>> news:<100520041836.10730.4162E9A70001ACE5000029EA2200750784079D0E090B0E0BD208 at comcast.net>...
>>> SEAM 1.01 doesn't support TCP, later version on Solaris 10 support TCP
>>>> Kerberos experts,
>>>> I am using SEAM 1.01 on Solaris 9 and am authenticating to AD. When
>>>> others try they fail the login with the "KRB5 error code 52" error.
>>>> I read that this has something to do with UDP packet size and to try
>>>> TCP. Is there a way in SEAM to have it use TCP rather then UDP, or
>>>> to try UDP then TCP is that fails? I was hoping there was a
>>>> configuration parameter in krb5.conf.
>>>> Tyson Oswald
> Kerberos mailing list Kerberos at mit.edu
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the Kerberos