Wyllys Ingersoll wrote:
MaxTokenSize is not a SEAM parameter. If the size of the token is too
large to fit in a single UDP datagram when PAC data is included, the KDC
switches to TCP. I think Windows 2003 Server has a flag that can be set on the user principals
to force it to stop putting PAC data in the tickets for that user, which will
fix the problem.
The flag is set on the server principal in AD to tell AD not to add a PAC to any service tickets for the server.
See: http://support.microsoft.com/?kbid=832572
But your problem may be with the TGT.
For previous releases (Windows 2000 server), I *think* if you disable the use of pre-authentication for those users then that will also cause the AD KDC to stop issuing PAC data with those tickets.
There is a way to tell the AD to not add a PAC when getting a TGT (a preauth with PA_PAC_REQUEST), but this would require the SEAM kinit to send this.
The real fix is to have SEAM support TCP to the KDC.
Temp fix is to not have a user in too many groups.
-Wyllys
Tyson Oswald wrote:
So what is the MaxTokenSize in SEAM? I just got a formula from MS on what they use for 2003. Also, we don't have this issue in SEAM for Solaris 8, so what's different?
thanks, Tyson Oswald
[EMAIL PROTECTED] wrote in message news:<[EMAIL PROTECTED]>...
SEAM 1.01 doesn't support TCP; later versions on Solaris 10 support TCP.
Hooshang
Kerberos experts,
I am using SEAM 1.01 on Solaris 9 and am authenticating to AD. When others try they fail the login with the "KRB5 error code 52" error. I read that this has something to do with UDP packet size and to try TCP. Is there a way in SEAM to have it use TCP rather than UDP, or to try UDP then TCP if that fails? I was hoping there was a configuration parameter in krb5.conf.
thanks, Tyson Oswald
________________________________________________
Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
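The client-side behaviour the thread asks about (try UDP, then TCP when the KDC answers with error 52), as an added example that is not part of the original messages and is not SEAM or MIT code: it recognizes a KRB-ERROR carrying code 52 (KRB_ERR_RESPONSE_TOO_BIG in RFC 4120) in a UDP reply and frames the request for the TCP retry. The function names and the abbreviated sample KRB-ERROR are constructed for illustration.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120: response too big for UDP, retry with TCP
KRB_ERROR_TAG = 0x7E           # [APPLICATION 30] KRB-ERROR
ERROR_CODE_TAG = 0xA6          # context tag [6], error-code

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits count length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply):
    """Return the error-code of a KRB-ERROR reply, or None for any other message."""
    if not reply or reply[0] != KRB_ERROR_TAG:
        return None
    _, body, _ = read_tlv(reply, 0)       # [APPLICATION 30] wrapper
    _, fields, _ = read_tlv(body, 0)      # SEQUENCE of tagged fields
    pos = 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == ERROR_CODE_TAG:
            _, num, _ = read_tlv(value, 0)  # INTEGER
            return int.from_bytes(num, "big", signed=True)
    return None

def must_retry_over_tcp(udp_reply):
    return krb_error_code(udp_reply) == KRB_ERR_RESPONSE_TOO_BIG

def tcp_frame(request):
    """TCP transport framing: 4-byte big-endian length, then the message."""
    return struct.pack("!I", len(request)) + request

def _der(tag, value):                     # short-form encoder, sample data only
    return bytes([tag, len(value)]) + value

def sample_krb_error(code):
    """Constructed, abbreviated KRB-ERROR: pvno, msg-type and error-code only."""
    fields = (_der(0xA0, _der(0x02, b"\x05")) + _der(0xA1, _der(0x02, b"\x1e"))
              + _der(0xA6, _der(0x02, bytes([code]))))
    return _der(0x7E, _der(0x30, fields))
```

A client that lacks this fallback surfaces the error to the user, which is the "KRB5 error code 52" login failure reported above.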
