
krb5 "Error Code 52" - UDP packet size - TCP fallback


Uli Schröder

Jun 10, 2003, 11:36:15 AM
to kerb...@mit.edu
Hi everyone! Hi Ken!

> >> Yep, client-side TCP support wasn't in that release. The
> >> upcoming release from MIT will include it.
> >
> > Is that already included in the snapshot or 1.3-beta versions on the
> > internet? Did MIT announce an estimated time for a release?
>
> Yes, it's been in the 1.3 code base for quite a while. Since well
> before we started the 1.3 branch, I believe.
>
> I don't know if we've announced a time for the release, so I'll just
> say "Real Soon Now". :-)

:-) Ok! This can mean a lot when an IT professional says "Real Soon
Now"...
In the meantime I'll try whether the current snapshot solves my problems.


> > I didn't have the time to experiment with different conditions. I
> > just used a very simple test account and my own account to check the
> > functionality. Yet still I am indeed in different groups that lots
> > of other people are in as well.
>
> That might do it. Is your test account (which I assume is also having
> the problem) also in lots of groups?

The test account is just a domain user with no other group memberships.
A kinit for him works (almost properly). At least no obvious error
message on the console. Nevertheless in Ethereal I can see an error
message. It says "KRB5KDC_ERR_PREAUTH_REQUIRED". I guess after that
error packet kinit tries a second time, this time with
preauthentication.
Is there a way to configure Kerberos to use preauthentication
immediately?
Nevertheless if I do a kinit for my normal account it fails with
error code 52. No change between krb5-1.2.7 and krb5-1.3. Maybe it's a
mistake by me while configuring and compiling the snapshot. The binaries
are created and "make check" works. Still it looks to me like "make
install" doesn't copy the configuration files (i.e. krb5.conf) anywhere.
I used my old config file and checked for correct paths.

Cheers,
Uli


________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Ken Raeburn

Jun 10, 2003, 8:02:33 PM
to kerb...@mit.edu
Uli Schröder <uli.sc...@gmx.net> writes:
> The test account is just a domain user with no other group memberships.
> A kinit for him works (almost properly). At least no obvious error
> message on the console. Nevertheless in Ethereal I can see an error
> message. It says "KRB5KDC_ERR_PREAUTH_REQUIRED". I guess after that
> error packet kinit tries a second time, this time with
> preauthentication.

Okay, that sounds good. Could be the group membership, then. Of
course, it may well be some other factor I'm not aware of....

> Is there a way to configure Kerberos to use preauthentication
> immediately?

Not currently, in the MIT implementation. I think the library
routines have some hooks for indicating that preauth should be used,
but I don't think there's any way to use those hooks in the
MIT-provided clients without some code changes.

> Nevertheless if I do a kinit for my my normal account it fails with
> error code 52. No change between krb5-1.2.7 and krb5-1.3.

Is it saying "KRB5 error code 52" exactly? That shouldn't be in the
source code for the 1.3 snapshot. The error message is now "Response
too big for UDP, retry with TCP", and shouldn't be displayed unless
the server sends that error code over a TCP connection, or the client
library thinks that TCP service isn't available for some reason, which
should only happen if you have DNS SRV records that indicate only UDP
service is available (try "dig _kerberos._udp.REALMNAME srv", and try
with _tcp instead of _udp) and the config files don't list the KDCs at
all.

If you are getting the "52" message, that may mean you aren't actually
getting the 1.3 snapshot code for some reason. (Did you build with
shared libraries, and run programs in the build tree without
installing the libraries? I've done that sometimes.)

> Maybe it's a
> mistake by me while configuring and compiling the snapshot. The binaries
> are created and "make check" works. Still it looks to me like "make
> install" doesn't copy the configuration files (i.e. krb5.conf) anywhere.

No, config files aren't installed by default.

We should probably consider installing some as "examples", avoiding
overwriting any installed versions. But, at the same time, we
probably want to move towards needing as little in them as possible,
perhaps to the point of not needing them at all if we're really lucky.

Ken
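
The exchange Ken describes above (and the KRB5KDC_ERR_PREAUTH_REQUIRED retry Uli saw in Ethereal) can be made concrete. The following is an added example, not code from the MIT tree or from either poster: it builds a KRB-ERROR with a minimal DER encoder, decodes it again, and applies the client-side decision Ken outlines: error 25 (KDC_ERR_PREAUTH_REQUIRED) means "send the AS-REQ again with preauthentication"; error 52 (KRB_ERR_RESPONSE_TOO_BIG) means "retry over TCP", and it is only surfaced to the user when the KDC sent it over TCP or when the client has no TCP KDC to fall back to. The error-code numbers and field layout are from RFC 4120; the realm, principal and timestamp in the sample message are constructed, and `next_action` is a simplification of what libkrb5 really does.

```python
"""Decode a Kerberos KRB-ERROR and pick the client's next step for the two
error codes in this thread: KDC_ERR_PREAUTH_REQUIRED (25) and
KRB_ERR_RESPONSE_TOO_BIG (52). Added example; messages are constructed here."""

KDC_ERR_PREAUTH_REQUIRED = 25
KRB_ERR_RESPONSE_TOO_BIG = 52

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):                  # INTEGER, minimal two's-complement
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ctx(n, body):                # EXPLICIT context tag [n]
    return tlv(0xA0 | n, body)

def gstr(s):                     # KerberosString is a GeneralString (0x1B)
    return tlv(0x1B, s.encode("ascii"))

def principal_name(name_type, parts):
    return tlv(0x30, ctx(0, der_int(name_type)) +
                     ctx(1, tlv(0x30, b"".join(gstr(p) for p in parts))))

def build_krb_error(error_code, realm, sname, stime="20030612080321Z"):
    """KRB-ERROR = [APPLICATION 30] SEQUENCE, mandatory fields only."""
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30)) +
            ctx(4, tlv(0x18, stime.encode("ascii"))) + ctx(5, der_int(0)) +
            ctx(6, der_int(error_code)) + ctx(9, gstr(realm)) +
            ctx(10, principal_name(2, sname)))        # 2 = NT-SRV-INST
    return tlv(0x7E, tlv(0x30, body))                 # 0x7E = [APPLICATION 30]

def der_read(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_principal(der):
    _, seq, _ = der_read(der, 0)
    name_type, names, pos = None, [], 0
    while pos < len(seq):
        tag, inner, pos = der_read(seq, pos)
        _, val, _ = der_read(inner, 0)
        if tag == 0xA0:
            name_type = int.from_bytes(val, "big", signed=True)
        elif tag == 0xA1:
            p = 0
            while p < len(val):
                _, s, p = der_read(val, p)
                names.append(s.decode("ascii"))
    return name_type, names

FIELDS = {0: "pvno", 1: "msg_type", 2: "ctime", 3: "cusec", 4: "stime",
          5: "susec", 6: "error_code", 7: "crealm", 8: "cname", 9: "realm",
          10: "sname", 11: "e_text", 12: "e_data"}

def parse_krb_error(msg):
    """Decode a KRB-ERROR into a dict keyed by RFC 4120 field names."""
    tag, app, end = der_read(msg, 0)
    if tag != 0x7E or end != len(msg):
        raise ValueError("not a KRB-ERROR ([APPLICATION 30] expected)")
    tag, seq, _ = der_read(app, 0)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        tag, inner, pos = der_read(seq, pos)
        n, (_, val, _) = tag & 0x1F, der_read(inner, 0)
        if n in (0, 1, 3, 5, 6):
            out[FIELDS[n]] = int.from_bytes(val, "big", signed=True)
        elif n in (8, 10):
            out[FIELDS[n]] = parse_principal(inner)
        elif n == 12:
            out[FIELDS[n]] = val
        else:
            out[FIELDS[n]] = val.decode("ascii")
    return out

def next_action(err, tcp_available, over_tcp=False, tried_preauth=False):
    """Client retry logic as Ken describes it (a simplification of libkrb5).
    tcp_available is False only when krb5.conf lists no KDC and DNS offers
    _kerberos._udp SRV records but no _kerberos._tcp ones."""
    if err == KDC_ERR_PREAUTH_REQUIRED and not tried_preauth:
        return "retry AS-REQ with preauth"
    if err == KRB_ERR_RESPONSE_TOO_BIG:
        if over_tcp:
            return "fail: KDC sent RESPONSE_TOO_BIG over TCP"
        if tcp_available:
            return "retry over TCP"
        return "fail: response too big for UDP and no TCP KDC known"
    return "fail: error code %d" % err
```

Usage: `parse_krb_error(build_krb_error(52, "EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"]))["error_code"]` gives 52, and `next_action(52, tcp_available=True)` returns "retry over TCP". The DER reader is deliberately strict about the outer tag and total length so a truncated or wrongly framed message is rejected rather than partially decoded.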

Uli Schröder

Jun 11, 2003, 12:29:16 PM
to kerb...@mit.edu
"Ken Raeburn" <rae...@mit.edu> wrote in message
news:tx1of15...@mit.edu...
> ...
> > Nevertheless if I do a kinit for my my normal account it fails with
> > error code 52. No change between krb5-1.2.7 and krb5-1.3.
>
> Is it saying "KRB5 error code 52" exactly? That shouldn't be in the
> source code for the 1.3 snapshot. The error message is now "Response
> too big for UDP, retry with TCP", and shouldn't be displayed unless
> the server sends that error code over a TCP connection, or the client
> library thinks that TCP service isn't available for some reason, which
> should only happen if you have DNS SRV records that indicate only UDP
> service is available (try "dig _kerberos._udp.REALMNAME srv", and try
> with _tcp instead of _udp) and the config files don't list the KDCs at
> all.

I had another kinit in my path. I wasn't aware of that. I thought I
had deleted all the old stuff. Now the new kinit works great. I can use
kinit with my own account. No more error 52! :)

As usual a new problem came up after that. I cannot compile pam_krb5
anymore. Maybe I have to use different linking options.
Which pam_krb5 package would you recommend? I tried the one shipped with
RH9. I think the one at SourceForge is a different one. Are there any
plans to include a pam_krb5 in the distribution? It would be very
convenient. :-)

> If you are getting the "52" message, that may mean you aren't actually
> getting the 1.3 snapshot code for some reason. (Did you build with
> shared libraries, and run programs in the build tree without
> installing the libraries? I've done that sometimes.)

Indeed, I compiled as shared libs. I thought libraries are installed
when I do "make install"!?

> ...


> No, config files aren't installed by default.
>
> We should probably consider installing some as "examples", avoiding
> overwriting any installed versions. But, at the same time, we
> probably want to move towards needing as little in them as possible,
> perhaps to the point of not needing them at all if we're really lucky.

I think this would be a good idea. At least it would be a bit more
convenient.

Maybe I have to move this thread to the devel or snapshot newsgroup.

Thanks for your great help so far! As I haven't done a lot with Linux,
Kerberos and PAM so far I'm thankful for any hint I can get.

Cheers,
Uli

Ken Raeburn

Jun 11, 2003, 2:21:08 PM
to
zuh...@ulischroeder.com (Uli Schröder) writes:

> I had another kinit in the my path. I wasn't aware of that. I thought I
> had deleted all the old stuff. Now the new kinit workes great. I can use
> kinit with my own account. No more error 52! :)

Good, I'm glad to hear it.

> As usual a new problem came up after that. I cannot compile pam_krb5
> anymore. Maybe I have to use different linking options.

Interesting. What do you need to change? Does it work okay with a
different set of linking options?

> Which pam_krb5 package would you recommend? I tried the one shipped with
> RH9. I think the one at sourceforge is a different one. Are there any
> plans to include a pam_krb5 in the distribution. Would be very
> convenient. :-)

Not presently, sorry. I agree it would be useful, but we're actually
thinking of going the other direction, and reducing the application
support. (They'd probably still be distributed by someone, just not
as part of the core package.)

> Indeed, I compiled as shared libs. I thought libraries are installed
> when I do "make install"!?

They are, but at least with static linking, you can try the programs
out without having run "make install". The default is static linking,
and I occasionally forget I configured a tree for shared libraries
when I go to test some changes....

Ken

uli.sc...@gmx.net

Jun 12, 2003, 4:37:12 AM
to kerb...@mit.edu
> zuh...@ulischroeder.com (Uli Schröder) writes:
>
> ...

> > As usual a new problem came up after that. I cannot compile pam_krb5
> > anymore. Maybe I have to use different linking options.
>
> Interesting. What do you need to change? Does it work okay with a
> different set of linking options?

I couldn't get the pam_krb5 from RedHat to compile, so I tried the one from
SourceForge. The latter compiles without any error messages. "make check" also
doesn't come up with any messages. Still, if I activate the module in pam.d,
authentication doesn't work. I get the following messages in my syslog:

Jun 12 10:03:21 rh9test login: PAM unable to
dlopen(/lib/security/$ISA/pam_krb5.so)
Jun 12 10:03:21 rh9test login: PAM [dlerror:
/lib/security/../../lib/security/pam_krb5.so: undefined symbol: krb_mk_in_tkt_preauth]
Jun 12 10:03:21 rh9test login: PAM adding faulty module:
/lib/security/$ISA/pam_krb5.so

Regards,
Uli


Ken Raeburn

Jun 12, 2003, 6:59:31 PM
to kerb...@mit.edu
uli.sc...@gmx.net writes:

> doesn't come up with any messages. Still if I activate the module for pam.d,
> authentication doesn't work. I get the following messages in my syslog:
>
> Jun 12 10:03:21 rh9test login: PAM unable to
> dlopen(/lib/security/$ISA/pam_krb5.so)
> Jun 12 10:03:21 rh9test login: PAM [dlerror:
> /lib/security/../../lib/security/pam_krb5.so: undefined symbol: krb_mk_in_tkt_preauth]
> Jun 12 10:03:21 rh9test login: PAM adding faulty module:
> /lib/security/$ISA/pam_krb5.so

That's a krb4 library routine -- did it link against -lkrb4?

Ken

Uli Schröder

Jun 12, 2003, 7:51:26 PM
to kerb...@mit.edu
> ...
> > doesn't come up with any messages. Still if I activate the module for
> > pam.d, authentication doesn't work. I get the following messages in my
> > syslog:
> >
> > Jun 12 10:03:21 rh9test login: PAM unable to
> > dlopen(/lib/security/$ISA/pam_krb5.so)
> > Jun 12 10:03:21 rh9test login: PAM [dlerror:
> > /lib/security/../../lib/security/pam_krb5.so: undefined symbol:
> > krb_mk_in_tkt_preauth]
> > Jun 12 10:03:21 rh9test login: PAM adding faulty module:
> > /lib/security/$ISA/pam_krb5.so
>
> That's a krb4 library routine -- did it link against -lkrb4?

I realized that. pam_krb5 was linked against -lkrb4. Even though the
include paths were correct and I only have one set of Kerberos libraries
on my system. I managed to get the RedHat version to compile against it.
Unfortunately, like the distribution from SourceForge, it comes up with
an error. Not exactly the same one. The RedHat version tells me that it
cannot find libkrb4.so.2. The file is in /usr/kerberos/lib. This path is
configured in ld.so.conf. To make sure the system knows it's there I
even created a symbolic link to the appropriate file in my lib
directory. Didn't work either.
After that I tried to remove all the "ifdefs" for krb4 stuff from the
sources of pam_krb5. Compilation worked great. No more error messages in
the system log because of missing files. Somehow the pam_krb5 module
doesn't send out anything to the AD server anymore. In the system logs I
can see that authentication is running. The kerberos module tells me
that uid and gid cannot be found. Ethereal tells me that 0 packets are
sent to or from the domain controller.

Cheers,
Uli
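
The two failure modes in the last few messages (an `undefined symbol: krb_mk_in_tkt_preauth` from dlopen, and a module whose `libkrb4.so.2` dependency cannot be found at runtime even though the directory is in ld.so.conf) can be told apart before touching PAM at all. The script below is an added example written for this thread, not part of MIT Kerberos or either pam_krb5 package; it assumes GNU binutils (`nm`, `readelf`) and glibc's `ldd`, and the module path is the poster's. It lists the module's DT_NEEDED entries, runs `ldd -r` to see what the dynamic linker itself cannot resolve, and filters the unresolved symbols for krb4's `krb_*` API, which is what Ken's question is about.

```sh
#!/bin/sh
# Diagnose "PAM unable to dlopen(...): undefined symbol: krb_..." for a PAM
# module. Added example for this thread; assumes GNU binutils and glibc ldd.

# krb4_undefined: read `nm -D --undefined-only` output on stdin and print only
# the unresolved symbols from the krb4 API (krb_* prefix); krb5_* are fine.
krb4_undefined() {
    awk '$1 == "U" && $2 ~ /^krb_/ { print $2 }'
}

# needed_libs: DT_NEEDED entries of a shared object, one per line.
needed_libs() {
    readelf -d "$1" | awk '/\(NEEDED\)/ { gsub(/[\[\]]/, "", $NF); print $NF }'
}

# check_pam_module: report what the linker cannot resolve and say whether the
# fix is a relink (-lkrb4 -ldes425) or a library-path problem (ldconfig).
# Returns 1 when krb4 symbols are unresolved, 0 otherwise.
check_pam_module() {
    mod=$1
    echo "== $mod"
    echo "-- NEEDED:"
    needed_libs "$mod"
    echo "-- unresolved per ldd -r:"
    ldd -r "$mod" 2>&1 | grep -i -e 'undefined symbol' -e 'not found' || echo "(none)"
    bad=$(nm -D --undefined-only "$mod" | krb4_undefined)
    if [ -n "$bad" ]; then
        echo "-- unresolved krb4 symbols:"
        echo "$bad"
        if needed_libs "$mod" | grep -q '^libkrb4\.so'; then
            echo "   libkrb4 is NEEDED but not found at runtime:"
            echo "   check ld.so.conf, run ldconfig, or set LD_LIBRARY_PATH for a test"
        else
            echo "   module was built with krb4 code but not linked against it:"
            echo "   relink with -lkrb4 -ldes425 (or build without krb4 support)"
        fi
        return 1
    fi
    echo "-- no unresolved krb4 symbols"
    return 0
}

if [ $# -gt 0 ]; then
    check_pam_module "$1"
fi
```

Run it as `sh check_pam_krb5.sh /lib/security/pam_krb5.so`. The `ldd -r` line is the important one: a plain `ldd` only lists libraries, while `-r` performs the relocations and so reports the same undefined symbol that PAM's dlopen complained about, without involving login at all.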
