Nagios Authentication with Active Directory (Slightly Off-Topic)

Shawn Iverson shawn at nccsc.k12.in.us
Fri Jan 7 19:53:40 CET 2005


There's some info from comp.protocols.kerberos (Google Groups, see below).

It sounds like you need to do the following to check your DNS Kerberos configuration:

dig _kerberos._udp.REALMNAMEFQDN srv
dig _kerberos._tcp.REALMNAMEFQDN srv

It sounds like error 52 should only ever occur when the SRV resource records for Kerberos on your DNS server are set to allow only UDP authentication.  I presume that when you execute the latter command you might get an unexpected response.  If so, you need to fix your SRV resource records on your DNS server to allow TCP.

BTW, are you using DNS from your Windows 2003 Servers or from another source?  Make sure you have only one kinit on your system.  If none of this is helpful, send me details about the version of Kerberos you are using, your OS, whether you installed it as a package or from source, etc.

Here is my DNS answer section for both (specifics removed):

;; QUESTION SECTION:
;_kerberos._tcp.MYREALM.	IN	SRV

;; ANSWER SECTION:
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.
_kerberos._tcp.MYREALM.	600 IN	SRV	0 100 88 XXXXXX.myrealm.

;; ADDITIONAL SECTION:
XXXXXX.myrealm. 3600	IN	A	x.x.x.x
XXXXXX.myrealm.	3600	IN	A	x.x.x.x

;; Query time: 1 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Fri Jan  7 13:34:47 2005
;; MSG SIZE  rcvd: 504


; <<>> DiG 9.2.4 <<>> _kerberos._udp.MYREALM srv
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7178
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;_kerberos._udp.myrealm.	IN	SRV

;; ANSWER SECTION:
_kerberos._udp.MYREALM.	600 IN	SRV	0 100 88 xxxxxxx.nccsc.k12.in.us.
_kerberos._udp.MYREALM.	600 IN	SRV	0 100 88 xxxxxxx.nccsc.k12.in.us.

Etc...

On Jun 10 2003, 5:02 pm Ken Raeburn on comp.protocols.kerberos wrote:

>Uli Schröder <uli.schroe... at gmx.net> writes:

<snip>

>> Nevertheless if I do a kinit for my normal account it fails with
>> error code 52. No change between krb5-1.2.7 and krb5-1.3.
>
>Is it saying "KRB5 error code 52" exactly? That shouldn't be in the
>source code for the 1.3 snapshot. The error message is now "Response
>too big for UDP, retry with TCP", and shouldn't be displayed unless
>the server sends that error code over a TCP connection, or the client
>library thinks that TCP service isn't available for some reason, which
>should only happen if you have DNS SRV records that indicate only UDP
>service is available (try "dig _kerberos._udp.REALMNAME srv", and try
>with _tcp instead of _udp) and the config files don't list the KDCs at
>all.

On Jun 11 2003, 9:29 am Uli Schröder wrote on comp.protocols.kerberos: 

>"Ken Raeburn" <raeb... at mit.edu> wrote in message
>news:tx1of15se7f.fsf at mit.edu...
>
>> ... 
>> > Nevertheless if I do a kinit for my normal account it fails with
>> > error code 52. No change between krb5-1.2.7 and krb5-1.3.
>
>> Is it saying "KRB5 error code 52" exactly? That shouldn't be in the
>> source code for the 1.3 snapshot. The error message is now "Response
>> too big for UDP, retry with TCP", and shouldn't be displayed unless
>> the server sends that error code over a TCP connection, or the client
>> library thinks that TCP service isn't available for some reason, which
>> should only happen if you have DNS SRV records that indicate only UDP
>> service is available (try "dig _kerberos._udp.REALMNAME srv", and try
>> with _tcp instead of _udp) and the config files don't list the KDCs at
>> all.
>
>I had another kinit in my path. I wasn't aware of that. I thought I
>had deleted all the old stuff. Now the new kinit works great. I can use
>kinit with my own account. No more error 52! :)

Shawn Iverson

On Friday, January 07, 2005 11:26 AM Dimitri wrote:

>kinit user at YOUR.DOMAIN.ORG returns:
>
>kinit(v5): KRB5 error code 52 while getting initial credentials
>
>Does this error have to do with Windows kerberos ?
>
>Sorry, I know this isn't a kerberos-related mailing list, but 
>if you could tell me what I'm doing wrong, it would be greatly 
>appreciated.  Googling doesn't produce anything useful.
>
>Dimitri
>
>

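As an added example, not part of Shawn's message or of the quoted comp.protocols.kerberos thread: a POSIX shell script that automates the two checks recommended above, namely comparing the `_kerberos._udp` and `_kerberos._tcp` SRV answers so that a UDP-only realm is reported, and listing every `kinit` reachable through PATH. The dig answers embedded in it are constructed sample data, and the realm EXAMPLE.NET and the KDC host names are assumptions; `check_realm` shows how the same comparison would be run against a live realm with dig, but is not invoked so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post. It automates the two checks
# the reply above recommends for "KRB5 error code 52":
#   1. the realm's _kerberos SRV records advertise TCP as well as UDP, and
#   2. only one kinit binary is reachable through PATH.
# The dig answers embedded below are constructed sample data; the realm
# EXAMPLE.NET and the KDC host names are assumptions, not real records.

# Print "port target" for every SRV record in a full (non +short) dig answer
# read on stdin. Fields of an answer line are:
#   name TTL IN SRV priority weight port target
srv_targets() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $7, $8 }'
}

# Compare the _udp and _tcp answers (files given as $1 and $2). Succeeds only
# when at least one KDC is advertised over TCP; a UDP-only realm is exactly
# the situation in which the client library falls back to error 52.
tcp_advertised() {
    udp_count=$(srv_targets < "$1" | wc -l | tr -d ' ')
    tcp_count=$(srv_targets < "$2" | wc -l | tr -d ' ')
    echo "UDP KDC records: $udp_count, TCP KDC records: $tcp_count"
    [ "$tcp_count" -gt 0 ]
}

# Query a live realm with dig (assumed to be installed) and run the same
# comparison. Not called below so that the example runs offline.
check_realm() {
    realm=$1
    tmpdir=$(mktemp -d)
    dig "_kerberos._udp.$realm" srv > "$tmpdir/udp"
    dig "_kerberos._tcp.$realm" srv > "$tmpdir/tcp"
    tcp_advertised "$tmpdir/udp" "$tmpdir/tcp"
    status=$?
    rm -rf "$tmpdir"
    return $status
}

# List every kinit on PATH, one per line. More than one line is the
# "another kinit in my path" situation from the quoted thread.
all_kinits() {
    oldifs=$IFS
    IFS=:
    for d in $PATH; do
        [ -x "$d/kinit" ] && echo "$d/kinit"
    done
    IFS=$oldifs
}

# Constructed sample answers: a realm advertising two KDCs over UDP, and the
# answer for a _tcp lookup that has no records at all.
demo_dir=$(mktemp -d)
cat > "$demo_dir/udp" <<'EOF'
;; ANSWER SECTION:
_kerberos._udp.EXAMPLE.NET.	600 IN	SRV	0 100 88 kdc1.example.net.
_kerberos._udp.EXAMPLE.NET.	600 IN	SRV	0 100 88 kdc2.example.net.
EOF
cat > "$demo_dir/tcp_missing" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; QUESTION SECTION:
;_kerberos._tcp.EXAMPLE.NET.	IN	SRV
EOF

echo "healthy realm (same KDCs over UDP and TCP):"
tcp_advertised "$demo_dir/udp" "$demo_dir/udp" && echo "  TCP advertised; error 52 is not a DNS SRV problem here"
echo "UDP-only realm:"
tcp_advertised "$demo_dir/udp" "$demo_dir/tcp_missing" || echo "  no _tcp SRV records: add them on the DNS server"
echo "kinit binaries on PATH:"
all_kinits
rm -rf "$demo_dir"
```

`srv_targets` deliberately parses the full dig answer rather than `+short` output so that the question and additional sections are skipped by the `SRV` field test; it reports the port as well as the target so a record pointing at something other than port 88 stands out.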

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null