KRB5 error code 52 while getting initial credentials

sunilcnair sunilcnair at hotmail.com
Thu Mar 13 02:40:11 EDT 2008


Hello, Kevin,
Yes, you are right. My KDC in domain xx.com is Windows and my client
test.co.yy is a Linux client with krb5 1.2.7.
My client does not have a KDC in the domain co.yy. So there is no Kerberos
environment. I have gone for krb5 1.2.7 and I made some changes to the mapping
in the domain realm section of the krb5.conf file.

Now this error seems strange.
What should I do?

You have told me to go for a new upgrade.

Let me tell you one more scenario.

I created a test client machine in the KDC domain xx.com. The machine hostname
is pilot.xx.com.
I have gone for krb5 1.2.7 and this does not give any issues when doing kinit
for a ticket. It was successful.

So then what is the issue with the old version of Kerberos?

One doubt is that my pilot server (pilot.xx.com) was in the same domain as my
KDC (xx.com).
My test server (test.co.yy) is not in the same domain. The domain is (co.yy) and
there is no KDC.
I have modified the domain realm section to map my test client to the KDC
domain xx.com.

Please help me solve this issue.

1. Why didn't the version problem occur in my pilot server scenario under the
KDC domain?
2. Why am I getting the error on the test machine in another domain with no KDC,
and mapping is done for cross domain?

Thanks
Sunil C



Kevin Coffman wrote:
> 
> On Wed, Mar 12, 2008 at 2:05 AM, sunilcnair <sunilcnair at hotmail.com>
> wrote:
>>
>>  Hello all,
>>
>>  I am Sunil C. I have a domain named xx.com which has a KDC.
>>  I also have a domain co.yy where my server is. There is no KDC in it.
>>
>>  Users are in the xx.com domain.
>>
>>  But my servers are in the (co.yy) domain.
>>
>>  I had set up a test scenario with a user and a server in domain (xx.com).
>>  Since the KDC was set up, I got a ticket and was able to authenticate well using
>>  Kerberos.
>>
>>  My issue is that all my production servers are in domain (co.yy), which
>>  doesn't have a KDC. I want to authenticate and use the server services in
>>  that domain.
>>  Setting up a KDC in both domains is not feasible for me.
>>
>>  Now I have done some configuration in the krb5.conf file on my server
>>  (test.co.yy)
>>
>>  [domain_realm]
>>  xx.com = XX.COM
>>  .xx.com = XX.COM
>>  co.yy = XX.COM
>>  .co.yy = XX.COM
>>
>>  This shows that my domain co.yy, which does not have a KDC, I have
>> mapped
>>  to the realm XX.COM.
>>
>>  Now I have some issues.
>>
>>  1) I tried to get a keytab from the KDC of XX.COM (my server is in co.yy)
>>
>>  > ktpass -princ HTTP/test.co.yy@XX.COM
>>
>>  2) I somehow managed to get a keytab.
>>  I copied it into the Apache folder and executed the command.
>>
>>  kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM
>>  password: xxxx
>>
>>  error : kinit(v5) : KRB5 error code 52 while getting initial credentials
>>
>>  Please help me understand what this error is. Is it some issue with the
>> domain
>>  mapping configuration in the krb5.conf file? I am using Kerberos 1.2.7
>> version.
>>
>>  Thanks
>>
>>  Sunil C
>>
> 
> Error 52 is KRB5KRB_ERR_RESPONSE_TOO_BIG (see krb5.h).  This means
> that the response is too big for a UDP packet.  It is not clear from
> your description, but I'm assuming that your KDC is an Active
> Directory KDC, and your client is krb5-1.2.7.  That is an ancient
> version and I'd suggest upgrading.  I believe that version does not
> have TCP support.  If it did, it would attempt switching to TCP when
> seeing this error.
> 
> K.C.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 
View this message in context: http://www.nabble.com/KRB5-error-code-52-while-getting-initial-credentials-tp15998090p16022039.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
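
Kevin's reply above identifies error 52 as KRB5KRB_ERR_RESPONSE_TOO_BIG and says a TCP-capable client would switch to TCP on seeing it. The Python below is an added example, not part of the thread and not MIT krb5 code: it reads the error-code field out of a DER-encoded KRB-ERROR and makes that retry decision. The function names and the sample reply are constructed for illustration; the field layout follows the KRB-ERROR definition in RFC 4120.

```python
# Added example: read the error-code from a DER-encoded KRB-ERROR and pick a retry.
KRB_ERR_RESPONSE_TOO_BIG = 52   # value named in the reply above
KRB_ERROR_TAG = 0x7E            # [APPLICATION 30], constructed

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply):
    """Return the error-code of a KRB-ERROR, or None for any other message."""
    tag, body, _ = read_tlv(reply)
    if tag != KRB_ERROR_TAG:
        return None
    tag, seq, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA6:                  # error-code is context tag [6]
            return int.from_bytes(read_tlv(field)[1], "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def retry_over_tcp(reply, transport):
    """True when a UDP reply says the full answer does not fit in a datagram."""
    return transport == "udp" and krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG

def tlv(tag, content):                   # short-form DER encoder, sample data only
    return bytes([tag, len(content)]) + content

def sample_error(code):
    """Constructed KRB-ERROR (not a capture) from realm XX.COM with this code."""
    sname = tlv(0x30, tlv(0xA0, tlv(2, b"\x02")) + tlv(0xA1, tlv(0x30,
                tlv(0x1B, b"krbtgt") + tlv(0x1B, b"XX.COM"))))
    fields = (tlv(0xA0, tlv(2, b"\x05")) + tlv(0xA1, tlv(2, b"\x1e"))
              + tlv(0xA4, tlv(0x18, b"20080312060500Z")) + tlv(0xA5, tlv(2, b"\x00"))
              + tlv(0xA6, tlv(2, bytes([code]))) + tlv(0xA9, tlv(0x1B, b"XX.COM"))
              + tlv(0xAA, sname))
    return tlv(KRB_ERROR_TAG, tlv(0x30, fields))
```

A client without TCP support has no way to act on a `True` result here, which is why the same error surfaces to the user as "KRB5 error code 52".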