KRB5 error code 52 while getting initial credentials

Kevin Coffman kwc at citi.umich.edu
Wed Mar 12 10:03:25 EDT 2008


On Wed, Mar 12, 2008 at 2:05 AM, sunilcnair <sunilcnair at hotmail.com> wrote:
>
>  Hello all,
>
>  I am Sunil C. I have a domain named xx.com which has a KDC.
>  I also have a domain co.yy where my server is. There is no KDC in it.
>
>  Users are in the xx.com domain.
>
>  But my servers are in the (co.yy) domain.
>
>  I had set up a test scenario with a user and a server in domain (xx.com).
>  Since the KDC was set up, I got a ticket and was able to authenticate well
>  using Kerberos.
>
>  My issue is that all my production servers are in domain (co.yy), which
>  doesn't have a KDC. I want to authenticate and use the server services in
>  that domain.
>  Setting up a KDC in both domains is not feasible for me.
>
>  Now I have done some configuration in the krb5.conf file on my server
>  (test.co.yy)
>
>  [domain_realm]
>  xx.com = XX.COM
>  .xx.com = XX.COM
>  co.yy = XX.COM
>  .co.yy = XX.COM
>
>  This shows that my domain co.yy, which does not have a KDC, is mapped
>  to the realm XX.COM.
>
>  Now I have some issues.
>
>  1) I tried to get a keytab from the KDC of XX.COM (my server is in co.yy)
>
>  > ktpass -princ HTTP/test.co.yy@XX.COM
>
>  2) I somehow managed to get a keytab.
>  I copied it into the Apache folder and executed the command.
>
>  kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM
>  password: xxxx
>
>  error : kinit(v5) : KRB5 error code 52 while getting initial credentials
>
>  Please help me understand what this error is. Is it some issue with the domain
>  mapping configuration in the krb5.conf file?  I am using Kerberos version 1.2.7.
>
>  Thanks
>
>  Sunil C
>

Error 52 is KRB5KRB_ERR_RESPONSE_TOO_BIG (see krb5.h).  This means
that the response is too big for a UDP packet.  It is not clear from
your description, but I'm assuming that your KDC is an Active
Directory KDC, and your client is krb5-1.2.7.  That is an ancient
version and I'd suggest upgrading.  I believe that version does not
have TCP support.  If it did, it would attempt switching to TCP when
seeing this error.

K.C.
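
Added example (not part of the original thread, and not MIT krb5 code): the client-side check described in the reply above, in Python. It reads the error-code field out of a KDC's KRB-ERROR reply and, when it is 52, signals that the same request should be resent over TCP with the 4-octet length prefix from RFC 4120. All function names and the sample reply are constructed for illustration.

```python
import struct

KRB_ERROR_TAG = 0x7E           # [APPLICATION 30] KRB-ERROR (RFC 4120)
KRB_ERR_RESPONSE_TOO_BIG = 52  # the "error code 52" kinit printed

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:              # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply):
    """Return error-code from a KRB-ERROR, or None for any other KDC reply."""
    tag, body, _ = read_tlv(reply, 0)
    if tag != KRB_ERROR_TAG:
        return None
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA6:            # context tag [6] = error-code
            _, value, _ = read_tlv(field, 0)
            return int.from_bytes(value, "big", signed=True)
    raise ValueError("KRB-ERROR has no error-code field")

def should_retry_over_tcp(udp_reply):  # KDC answer did not fit in a UDP datagram
    return krb_error_code(udp_reply) == KRB_ERR_RESPONSE_TOO_BIG

def tcp_frame(request):  # over TCP, a 4-octet big-endian length precedes each message
    return struct.pack(">I", len(request)) + request

def der(tag, value):               # sample builder, short-form lengths only
    return bytes([tag, len(value)]) + value

def sample_krb_error(code):
    """Constructed KRB-ERROR for realm XX.COM (not a capture)."""
    name = der(0x30, der(0x1B, b"krbtgt") + der(0x1B, b"XX.COM"))
    fields = [(0xA0, der(0x02, b"\x05")), (0xA1, der(0x02, b"\x1e")),
              (0xA4, der(0x18, b"20080312140325Z")), (0xA5, der(0x02, b"\x00")),
              (0xA6, der(0x02, bytes([code]))), (0xA9, der(0x1B, b"XX.COM")),
              (0xAA, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0xA1, name)))]
    return der(KRB_ERROR_TAG, der(0x30, b"".join(der(t, v) for t, v in fields)))
```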


