HPE Community
Operating System - HP-UX
1831664 Members
2547 Online
110029 Solutions
New Discussion

Re: KRB5 error code 52

 
Andry Ramananantoandro
Occasional Contributor

‎12-01-2004 02:31 AM

‎12-01-2004 02:31 AM

KRB5 error code 52

Hello,

I am trying to use PAM Kerberos (V 1.11 on HP-UX 11.00) with Windows 2003.
The pamkrbval command is giving me a "KRB5 error code 52" when validating the host entry in keytab.
I've read that this error appears when the KDC is returning a large PAC using KDC. This I've read should only appear when a user belongs to a large amount of groups. The user mapped to the host only belongs to 1 group.

I know that there is a way to prevent W2K from sending the PAC information, but I would like to avoid it, since this configuration should not need that.

Does anyone knows a way ?


Note that I had already tested the communication between PAM Kerberos 1.10 and Windows 2003 in march, and it worked on the test servers. The 1.11 version of PAM Kerberos needs to be used in production because my servers have more than 32 network interfaces.



Result of pamkrbval -v :
___________

Validating the keytab entry for the host service principal
[LOG] : Host freo0071, aka freo0071.
[LOG] : The default keytab name is : /etc/krb5.keytab
[LOG] : Keytab file /etc/krb5.keytab is present
[LOG] : Permissions on /etc/krb5.keytab are correct.
Keytab entry
Principal: host
Host : freo0071
Realm : MYREALM.COM
Version : 3
[LOG] : Pinging KDC for keytab entry host/freo0071@MYREALM.COM
pamkrbval: KRB5 error code 52 for this entry
[LOG] : The keytab entry for the host service principal is not a valid one
[FAIL] : The keytab validation Failed
0 Kudos
Reply
3 REPLIES 3
Kent Ostby
Honored Contributor

‎12-01-2004 02:48 AM

‎12-01-2004 02:48 AM

Re: KRB5 error code 52

Andry .. I could not find any HP hits except for your previous ITRC thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=732811

This seems similar though a bit different to that.

Searching google for "KRB5 error code 52" also turned up many hits.

Is it possible that this has the same resolution as your previous ITRC post ?

Best regards,

Oz
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
0 Kudos
Reply
Andry Ramananantoandro
Occasional Contributor

‎12-01-2004 03:01 AM

‎12-01-2004 03:01 AM

Re: KRB5 error code 52

Thanks Oz.

A new version (1.11 as I said) was actually released by HP to "resolve" the question I had in my last post.
I applied the patch, and then I had this new error. Maybe it is linked, you are right.
But I wondered if anybody had already encountered that error.


>Searching google for "KRB5 error code 52" >also turned up many hits.

Indeed. Some of them talk preventing the PAC information from being sent by KDC but this can be very hard to maintain.
The other thing I found was the "user belonging to too many groups" case. But it is obviously not the case here.
0 Kudos
Reply
Ray Carlson
Frequent Advisor

‎12-02-2004 01:53 AM

‎12-02-2004 01:53 AM

Re: KRB5 error code 52

We have also seen the error 52, but mostly on the PCs. It was due to the user being in too many PC groups. (Note: they were only in 1 Unix group, but it was the group information from the PC side that made it too large.) On the PC client side we had to update to the latest MIT Kerberos. Additionally, we have been working with Microsoft for a fix at the KDC (PC Active Directory Server) end. Check out Microsoft Knowledge Base Article 832572 concerning the NO_AUTH_REQUIRED flag. We are running the fix on a test server, but have not put it into production yet.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.