KRB5 error code 52 while getting initial credentials
Kevin Coffman
kwc at citi.umich.edu
Wed Mar 12 10:03:25 EDT 2008
On Wed, Mar 12, 2008 at 2:05 AM, sunilcnair <sunilcnair at hotmail.com> wrote:
>
> Hello all,
>
> I am Sunil C. I have a domain named xx.com which has a KDC.
> I also have a domain co.yy where my server is. There is no KDC in it.
>
> Users are in the xx.com domain.
>
> But my servers are in the (co.yy) domain.
>
> I had set up a test scenario with a user and a server in domain (xx.com).
> Since a KDC was set up, I got a ticket and was able to authenticate well using
> Kerberos.
>
> My issue is that all my production servers are in domain (co.yy), which
> doesn't have a KDC. I want to authenticate and use the server services in
> that domain.
> Setting up a KDC is not feasible in both domains for me.
>
> Now I have done some configuration in the krb5.conf file on my server
> (test.co.yy)
>
> [domain_realm]
> xx.com = XX.COM
> .xx.com = XX.COM
> co.yy = XX.COM
> .co.yy = XX.COM
>
> This shows that my domain co.yy, which does not have a KDC, I have mapped it
> to the realm XX.COM.
>
> Now I have some issues.
>
> 1) I tried to get a keytab from the KDC of XX.COM (my server in co.yy)
>
> > ktpass -princ HTTP/test.co.yy@XX.COM
>
> 2) I somehow managed to get a keytab.
> I copied it into the Apache folder and executed the command.
>
> kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM
> password: xxxx
>
> error : kinit(v5) : KRB5 error code 52 while getting initial credentials
>
> Please help me understand what this error is. Is it some issue with the domain
> mapping configuration in the krb5.conf file? I am using Kerberos 1.2.7 version.
>
> Thanks
>
> Sunil C
>
Error 52 is KRB5KRB_ERR_RESPONSE_TOO_BIG (see krb5.h). This means
that the response is too big for a UDP packet. It is not clear from
your description, but I'm assuming that your KDC is an Active
Directory KDC, and your client is krb5-1.2.7. That is an ancient
version and I'd suggest upgrading. I believe that version does not
have TCP support. If it did, it would attempt switching to TCP when
seeing this error.
K.C.
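
Added example, not part of the original thread and not MIT krb5 code: a sketch of the UDP-to-TCP fallback the reply describes, which reads the error-code from a KRB-ERROR reply and, on 52, reports that the request should be resent over TCP with the 4-octet length prefix from RFC 4120. The names `krb_error_code`, `next_step`, `tcp_frame` and `SAMPLE_ERROR` are hypothetical, and the sample reply is constructed.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error code, the "52" that kinit printed

def tlv(tag, value):
    """Encode one short-form DER TLV (used only to build the sample below)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply):
    """Return the error-code of a KRB-ERROR reply, or None for any other message."""
    tag, body, _ = read_tlv(reply, 0)
    if tag != 0x7E:                         # 0x7E = [APPLICATION 30], KRB-ERROR
        return None
    _, seq, _ = read_tlv(body, 0)           # the SEQUENCE inside the application tag
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA6:                     # [6] error-code, wraps an INTEGER
            return int.from_bytes(read_tlv(field, 0)[1], "big", signed=True)
    raise ValueError("KRB-ERROR without an error-code field")

def next_step(reply, sent_over):
    """Decide what a client does after a reply received over 'udp' or 'tcp'."""
    if krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG and sent_over == "udp":
        return "retry-tcp"
    return "done"

def tcp_frame(request):
    """Over TCP each Kerberos message is prefixed by its length: 4 octets, big-endian."""
    return struct.pack("!I", len(request)) + request

# Constructed sample: a KRB-ERROR carrying error-code 52 for realm XX.COM.
SAMPLE_ERROR = tlv(0x7E, tlv(0x30,
    tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x02, b"\x1e")) +   # pvno 5, msg-type 30
    tlv(0xA4, tlv(0x18, b"20080312140325Z")) + tlv(0xA5, tlv(0x02, b"\x00")) +  # stime, susec
    tlv(0xA6, tlv(0x02, b"\x34")) +                 # error-code 52
    tlv(0xA9, tlv(0x1B, b"XX.COM")) +               # realm
    tlv(0xAA, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) +   # sname krbtgt/XX.COM
        tlv(0xA1, tlv(0x30, tlv(0x1B, b"krbtgt") + tlv(0x1B, b"XX.COM")))))))
```

A client with no TCP transport has no way to act on `retry-tcp`, so it can only surface the error code, as in the `kinit` output quoted above.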