Kerberos 5 1.2 does not include support for contacting KDCs using TCP. This causes Kerberos error 52 (KRB_ERR_RESPONSE_TOO_BIG) in response to client KRB_AS_REQ or KRB_TGS_REQ requests to be passed back to applications, which can do nothing about them. The frequency of this occurrence appears to be dependent on the number of groups to which the user belongs.

Version-Release number of selected component (if applicable):
1.2.7-27

How reproducible:
Always, depending on the client principal.

Steps to Reproduce:
1. Configure Kerberos with a realm served by an AD KDC.
2. Attempt to run "kinit" as a user who is in many groups, such as "Administrator".

Actual results:
Instead of a KRB_AS_REP reply or KRB_ERROR requesting preauthentication, the client will receive a KRB_ERROR with error code 52 (KRB_ERR_RESPONSE_TOO_BIG).

Expected results:
"kinit" should run to completion, obtaining a TGT.

Additional info:
Kerberos 5 1.3 implements TCP support for both clients and KDCs, though TCP support in KDCs is not a factor here (and is in fact disabled by default in those releases).
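
The client-side fallback the report describes as missing, as an added example that is not code from krb5 or from the reporter: it reads the error-code field out of a UDP reply and, on 52, re-frames the same request for TCP with the 4-byte length prefix specified in RFC 4120. The function names and the reduced sample message are assumptions made for this example.

```python
import struct
KRB_ERR_RESPONSE_TOO_BIG = 52  # error code named in the report

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply):
    """Return the error-code of a KRB-ERROR, or None for any other message."""
    tag, body, _ = read_tlv(reply, 0)
    if tag != 0x7E:  # [APPLICATION 30] marks KRB-ERROR
        return None
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA6:  # error-code is context tag [6]
            _, value, _ = read_tlv(field, 0)
            return int.from_bytes(value, "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def next_step(request, udp_reply):
    """Retry over TCP on error 52; otherwise hand the reply to the caller."""
    if krb_error_code(udp_reply) == KRB_ERR_RESPONSE_TOO_BIG:
        # RFC 4120 TCP framing: 4-byte big-endian length, then the same request
        return "retry_tcp", struct.pack(">I", len(request)) + request
    return "deliver", udp_reply

def der(tag, value):  # short-form TLV encoder, only for the constructed sample
    return bytes([tag, len(value)]) + value

def sample_krb_error(code):
    """Constructed, reduced KRB-ERROR: pvno, msg-type and error-code only."""
    fields = [(0xA0, 5), (0xA1, 30), (0xA6, code)]
    seq = b"".join(der(t, der(0x02, bytes([v]))) for t, v in fields)
    return der(0x7E, der(0x30, seq))
```

Any other KRB_ERROR, such as one requesting preauthentication, is still delivered to the caller unchanged; only error 52 triggers the TCP retry.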
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release which you requested us to review is now End of Life. Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.