KRB5 error code 52 while getting initial credentials

Kevin Coffman kwc at citi.umich.edu
Thu Mar 13 13:16:05 EDT 2008


The Windows KDC adds more information in the ticket, making it larger
than can be (safely) carried with UDP.  That is why you see the
problem when talking to a Windows KDC, but not an MIT KDC.

The cross-domain thing is not involved in the problem.  Upgrade your
client Kerberos to a recent version and you'll be happier.

K.C.

On Thu, Mar 13, 2008 at 2:40 AM, sunilcnair <sunilcnair at hotmail.com> wrote:
>
>  Hello, Kevin,
>   Yes, you are right. My KDC in domain xx.com is Windows and my client
>  test.co.yy is a Linux client with krb5-1.2.7.
>  My client does not have a KDC in the domain co.yy, so there is no Kerberos
>  environment. I have gone for krb5-1.2.7 and I made some changes to the mapping
>  in the domain realm section in the krb5.conf file.
>
>  Now this error seems strange.
>  What should I do?
>
>  You have told me to go for a new upgrade.
>
>  Let me tell you one more scenario.
>
>  I created a test client machine in the KDC domain xx.com. The machine hostname is
>  pilot.xx.com.
>  I have gone for krb5-1.2.7 and this does not give any issues when doing kinit
>  for a ticket. It was successful.
>
>  So then what is the issue with the old version of Kerberos?
>
>  One doubt is that my pilot server (pilot.xx.com) was in the same domain as my
>  KDC (xx.com).
>  My test server (test.co.yy) is not in the same domain. The domain is (co.yy) and
>  there is no KDC.
>  I have modified the domain realm section to map my test client to the KDC
>  domain xx.com.
>
>  Please help me solve this issue.
>
>  1. Why didn't the version problem occur in my pilot server scenario under the
>  KDC domain?
>  2. Why am I getting the error on the test machine in another domain with no KDC,
>  where mapping is done for cross-domain?
>
>  Thanks
>  Sunil C
>
>
>
>
>
>  Kevin Coffman wrote:
>  >
>  > On Wed, Mar 12, 2008 at 2:05 AM, sunilcnair <sunilcnair at hotmail.com>
>  > wrote:
>  >>
>  >>  Hello all,
>  >>
>  >>  I am Sunil C. I have a domain named xx.com which has a KDC.
>  >>  I also have a domain co.yy where my server is. There is no KDC in it.
>  >>
>  >>  Users are in the xx.com domain.
>  >>
>  >>  But my servers are in the (co.yy) domain.
>  >>
>  >>  I had set up a test scenario with a user and a server in domain (xx.com).
>  >>  Since the KDC was set up, I got a ticket and was able to authenticate well using
>  >>  Kerberos.
>  >>
>  >>  My issue is that all my production servers are in domain (co.yy), which
>  >>  doesn't have a KDC. I want to authenticate and use the server services in
>  >>  that domain.
>  >>  Setting up a KDC in both domains is not feasible for me.
>  >>
>  >>  Now I have done some configuration in the krb5.conf file on my server
>  >>  (test.co.yy):
>  >>
>  >>  [domain_realm]
>  >>  xx.com = XX.COM
>  >>  .xx.com = XX.COM
>  >>  co.yy = XX.COM
>  >>  .co.yy = XX.COM
>  >>
>  >>  This shows that I have mapped my domain co.yy, which does not have a KDC,
>  >>  to the realm XX.COM.
>  >>
>  >>  Now I have some issues.
>  >>
>  >>  1) I tried to get a keytab from the KDC of XX.COM (my server in co.yy):
>  >>
>  >>  > ktpass -princ HTTP/test.co.yy@XX.COM
>  >>
>  >>  2) I somehow managed to get a keytab.
>  >>  I copied it into the Apache folder and executed the command:
>  >>
>  >>  kinit -t /usr/local/apache/test03keytab HTTP/test.co.yy@XX.COM
>  >>  password: xxxx
>  >>
>  >>  error : kinit(v5) : KRB5 error code 52 while getting initial credentials
>  >>
>  >>  Please help me understand what this error is. Is it some issue with the
>  >>  domain mapping configuration in the krb5.conf file? I am using Kerberos 1.2.7.
>  >>
>  >>  Thanks
>  >>
>  >>  Sunil C
>  >>
>  >
>  > Error 52 is KRB5KRB_ERR_RESPONSE_TOO_BIG (see krb5.h).  This means
>  > that the response is too big for a UDP packet.  It is not clear from
>  > your description, but I'm assuming that your KDC is an Active
>  > Directory KDC, and your client is krb5-1.2.7.  That is an ancient
>  > version and I'd suggest upgrading.  I believe that version does not
>  > have TCP support.  If it did, it would attempt switching to TCP when
>  > seeing this error.
>  >
>  > K.C.
>
> > ________________________________________________
>  > Kerberos mailing list           Kerberos at mit.edu
>  > https://mailman.mit.edu/mailman/listinfo/kerberos
>  >
>  >
>
>
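
The fallback described in the thread (a client that receives error 52 over UDP and retries the same request over TCP), as an added example; it is not code from the thread or from MIT krb5. The function names, the sample KRB-ERROR bytes and the placeholder request are constructed for illustration; the error-code value, the KRB-ERROR field tags and the 4-byte TCP length prefix follow RFC 4120.

```python
import struct
KRB_ERR_RESPONSE_TOO_BIG = 52  # KRB5KRB_ERR_RESPONSE_TOO_BIG in krb5.h

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply):
    """Return error-code from a KRB-ERROR, or None for any other message."""
    tag, body, _ = read_tlv(reply, 0)
    if tag != 0x7E:  # [APPLICATION 30] marks KRB-ERROR
        return None
    _, seq, _ = read_tlv(body, 0)
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA6:  # context tag [6] = error-code
            return int.from_bytes(read_tlv(field, 0)[1], "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def frame_for_tcp(request):  # RFC 4120 section 7.2.2: 4-byte big-endian length prefix
    return struct.pack(">I", len(request)) + request

def next_step(request, udp_reply):
    """What a TCP-capable client does with the KDC's UDP reply."""
    if krb_error_code(udp_reply) == KRB_ERR_RESPONSE_TOO_BIG:
        return "retry-tcp", frame_for_tcp(request)
    return "use-udp-reply", udp_reply

def der(tag, value):  # builds the constructed sample (short-form lengths only)
    return bytes([tag, len(value)]) + value

# Constructed sample KRB-ERROR (not a capture): what the KDC sends over UDP
SNAME = der(0x30, der(0xA0, der(0x02, b"\x02")) +
            der(0xA1, der(0x30, der(0x1B, b"krbtgt") + der(0x1B, b"XX.COM"))))
SAMPLE_KRB_ERROR = der(0x7E, der(0x30,
    der(0xA0, der(0x02, b"\x05")) +              # pvno 5
    der(0xA1, der(0x02, b"\x1e")) +              # msg-type 30 (KRB-ERROR)
    der(0xA4, der(0x18, b"20080313171605Z")) +   # stime
    der(0xA5, der(0x02, b"\x00")) +              # susec
    der(0xA6, der(0x02, b"\x34")) +              # error-code 52
    der(0xA9, der(0x1B, b"XX.COM")) +            # realm
    der(0xAA, SNAME)))                           # sname krbtgt/XX.COM
```

A client without TCP support has no `retry-tcp` branch to take, so the error code is simply reported to the user, which is the `kinit` failure shown in the thread.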


