Kerberos 5 1.2 does not include support for contacting KDCs using TCP.
This causes Kerberos error 52 (KRB_ERR_RESPONSE_TOO_BIG) in response
to a client's KRB_AS_REQ or KRB_TGS_REQ requests to be passed back to
applications, which can do nothing about them. The frequency of this
occurrence appears to be dependent on the number of groups to which
the user belongs.
Version-Release number of selected component (if applicable):
Always, depending on the client principal.
Steps to Reproduce:
1. Configure Kerberos with a realm served by an AD KDC.
2. Attempt to run "kinit" as a user who is in many groups, such as
Instead of a KRB_AS_REP reply or KRB_ERROR requesting
preauthentication, the client will receive a KRB_ERROR with error code
"kinit" should run to completion, obtaining a TGT.
Kerberos 5 1.3 implements TCP support for both clients and KDCs,
though TCP support in KDCs is not a factor here (and is in fact
disabled by default in those releases).
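
One way a client can recognise error 52 in a UDP reply and frame the retry for TCP, as an added example (not code from this report or from MIT Kerberos). The function names, the DER helper and the abridged sample messages are constructed for illustration; 25 is the RFC 4120 code for the preauthentication-required error.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52      # error code named in the report
KDC_ERR_PREAUTH_REQUIRED = 25      # the "requesting preauthentication" error

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply):
    """Return error-code if reply is a KRB-ERROR, else None."""
    tag, body, _ = read_tlv(reply, 0)
    if tag != 0x7E:                         # [APPLICATION 30] KRB-ERROR
        return None
    _, fields, _ = read_tlv(body, 0)        # the inner SEQUENCE
    pos = 0
    while pos < len(fields):
        tag, value, pos = read_tlv(fields, pos)
        if tag == 0xA6:                     # [6] error-code
            _, integer, _ = read_tlv(value, 0)
            return int.from_bytes(integer, "big", signed=True)
    raise ValueError("KRB-ERROR without an error-code field")

def must_retry_over_tcp(udp_reply):
    """True when the KDC signalled that its answer does not fit in a datagram."""
    return krb_error_code(udp_reply) == KRB_ERR_RESPONSE_TOO_BIG

def tcp_frame(request):
    """Prefix the request with its length as 4 big-endian octets (RFC 4120, 7.2.2)."""
    return struct.pack(">I", len(request)) + request

def _der(tag, value):                       # short-form DER helper for the samples
    return bytes([tag, len(value)]) + value

def sample_krb_error(code):
    """Constructed, abridged KRB-ERROR: only pvno, msg-type and error-code."""
    fields = (_der(0xA0, _der(0x02, b"\x05")) + _der(0xA1, _der(0x02, b"\x1e"))
              + _der(0xA6, _der(0x02, bytes([code]))))
    return _der(0x7E, _der(0x30, fields))
```

A client without this branch hands error 52 straight to the application, which is the behaviour the report describes for 1.2.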
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/
If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.