Received error from KDC: -1765328332/Response too big for UDP, retry with TCP


Symptoms

First, see How to analyze the log files to identify single sign-on (SSO) issues.

Single sign-on fails. In awingu-worker-smc.service.log, an error similar to the following can be seen (the Kerberos trace is from the kinit run the SMC worker performs for PKINIT):

2022-04-20 07:35:58.452945 awingu awingu-worker-smc.service[manage.py:2067]: Process-1:3 processing cdsessions.tasks.refresh_sso_certificate [triple-jersey-carolina-white]
2022-04-20 07:35:58.480647 awingu awingu-worker-smc.service[python3:992]: Generating a RSA private key
2022-04-20 07:35:58.574126 awingu awingu-worker-smc.service[python3:992]: ...................................................+++++
2022-04-20 07:35:58.715677 awingu awingu-worker-smc.service[python3:992]: ......................................................................................................+++++
2022-04-20 07:35:58.715875 awingu awingu-worker-smc.service[python3:992]: writing new private key to 'private_key.pem'
2022-04-20 07:35:58.715993 awingu awingu-worker-smc.service[python3:992]: -----
2022-04-20 07:35:58.782389 awingu awingu-worker-smc.service[python3:992]: writing RSA key
2022-04-20 07:36:14.926654 awingu awingu-worker-smc.service[manage.py:2067]:
2022-04-20 07:36:14.927186 awingu awingu-worker-smc.service[manage.py:2067]: Using specified cache: /etc/awingu/domains/AWINGUDOMAIN/a80789f7-4d84-4e31-bf59-a268123a3d2e/kerberos/kerberos_credentials_cache
Using principal: someuser\@somedomain.org@SOMEDOMAIN.ORG
PA Option X509_user_identity = FILE:/etc/awingu/domains/AWINGUDOMAIN/a80789f7-4d84-4e31-bf59-a268123a3d2e/certificate.pem,/etc/awingu/domains/AWINGUDOMAIN/a80789f7-4d84-4e31-bf59-a268123a3d2e/private_key.pem
[21480] 1650440158.788887: Getting initial credentials for someuser\@somedomain.org@SOMEDOMAIN.ORG
[21480] 1650440158.788889: Sending unauthenticated request
[21480] 1650440158.788890: Sending request (211 bytes) to SOMEDOMAIN.ORG
[21480] 1650440158.788891: Resolving hostname somedc.somedomain.org
[21480] 1650440158.788892: Sending initial UDP request to dgram 10.1.2.3:88
[21480] 1650440158.788893: Received answer (205 bytes) from dgram 10.1.2.3:88
[21480] 1650440158.788894: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[21480] 1650440158.788895: No URI records found
[21480] 1650440158.788896: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[21480] 1650440158.788897: SRV answer: 0 0 88 "somedc.somedomain.org."
[21480] 1650440158.788898: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[21480] 1650440158.788899: SRV answer: 0 0 88 "somedc.somedomain.org."
[21480] 1650440158.788900: Response was not from master KDC
[21480] 1650440158.788901: Received error from KDC: -1765328359/Additional pre-authentication required
[21480] 1650440158.788904: Preauthenticating using KDC method data
[21480] 1650440158.788905: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[21480] 1650440158.788906: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params ""
[21480] 1650440158.788907: PKINIT loading CA certs and CRLs from FILE
[21480] 1650440158.788908: PKINIT client computed kdc-req-body checksum 9/E806B715A04F29B42806750A1ABFD6CF386E0C48
[21480] 1650440158.788910: PKINIT client making DH request
[21480] 1650440158.788911: Preauth module pkinit (16) (real) returned: 0/Success
[21480] 1650440158.788912: Produced preauth for next request: PA-PK-AS-REQ (16)
[21480] 1650440158.788913: Sending request (4965 bytes) to SOMEDOMAIN.ORG
[21480] 1650440158.788914: Resolving hostname somedc.somedomain.org
[21480] 1650440158.788915: Initiating TCP connection to stream 10.1.2.3:88
[21480] 1650440159.864943: Sending initial UDP request to dgram 10.1.2.3:88
[21480] 1650440159.864944: Received answer (106 bytes) from dgram 10.1.2.3:88
[21480] 1650440159.864945: Terminating TCP connection to stream 10.1.2.3:88
[21480] 1650440159.864946: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[21480] 1650440159.864947: No URI records found
[21480] 1650440159.864948: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[21480] 1650440159.864949: SRV answer: 0 0 88 "somedc.somedomain.org."
[21480] 1650440159.864950: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[21480] 1650440159.864951: SRV answer: 0 0 88 "somedc.somedomain.org."
[21480] 1650440159.864952: Response was not from master KDC
[21480] 1650440159.864953: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[21480] 1650440159.864954: Request or response is too big for UDP; retrying with TCP
[21480] 1650440159.864955: Sending request (4965 bytes) to SOMEDOMAIN.ORG (tcp only)
[21480] 1650440159.864956: Resolving hostname somedc.somedomain.org
[21480] 1650440159.864957: Initiating TCP connection to stream 10.1.2.3:88
[21480] 1650440174.925076: Terminating TCP connection to stream 10.1.2.3:88
kinit: Cannot contact any KDC for realm 'SOMEDOMAIN.ORG' while getting initial credentials

Cause

The appliance can reach the Domain Controller over UDP/88 but not over TCP/88. The short initial AS-REQ (211 bytes) is answered over UDP, but the PKINIT AS-REQ carrying the client certificate and DH parameters is 4965 bytes, and the reply to it would exceed what the KDC is willing to send over UDP, so the KDC returns KRB5KRB_ERR_RESPONSE_TOO_BIG (-1765328332, "Response too big for UDP, retry with TCP"). kinit then retries over TCP as the protocol requires; the TCP connection to 10.1.2.3:88 never receives an answer and is torn down after about 15 seconds, and the attempt ends with "Cannot contact any KDC". In other words, TCP/88 from the appliance to one or more of the specified Kerberos Domain Controller(s) is blocked or filtered (typically a firewall rule that allows only UDP/88), even though UDP/88 works. Raising the client's UDP limit does not help, because it is the KDC that refuses to deliver the PKINIT reply over UDP.
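The following script is an added diagnostic, not part of the original article or of Awingu's code. It classifies an MIT krb5 trace (KRB5_TRACE output or the kinit section of awingu-worker-smc.service.log) for the exact pattern above (UDP answered, KDC demanded TCP, TCP retry timed out) and, when given a host, probes TCP/88 directly so UDP-only firewall rules can be told apart from a DC that is down. The trace lines embedded in it are a constructed sample modelled on the log above; the function names are this example's own, and the probe assumes bash and coreutils timeout are available.

```shell
#!/bin/sh
# Added diagnostic for "Response too big for UDP, retry with TCP" followed by a
# TCP time-out. POSIX sh, except that probe_kdc_tcp shells out to bash for /dev/tcp.

# sample_trace: constructed sample modelled on the article's trace (not a real capture).
sample_trace() {
    cat <<'EOF'
[21480] 1650440159.864948: Sending request (4965 bytes) to SOMEDOMAIN.ORG
[21480] 1650440159.864950: Sending initial UDP request to dgram 10.1.2.3:88
[21480] 1650440159.864951: Received answer (106 bytes) from dgram 10.1.2.3:88
[21480] 1650440159.864953: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[21480] 1650440159.864954: Request or response is too big for UDP; retrying with TCP
[21480] 1650440159.864955: Sending request (4965 bytes) to SOMEDOMAIN.ORG (tcp only)
[21480] 1650440159.864957: Initiating TCP connection to stream 10.1.2.3:88
[21480] 1650440174.925076: Terminating TCP connection to stream 10.1.2.3:88
kinit: Cannot contact any KDC for realm 'SOMEDOMAIN.ORG' while getting initial credentials
EOF
}

# classify_kdc_trace [FILE]: read a trace from FILE or stdin and print one verdict:
#   tcp_ok             - at least one KDC answer arrived over a TCP stream
#   tcp88_blocked      - KDC demanded TCP, the TCP-only retry ended without an answer
#   kdc_unreachable    - no KDC answered on any transport
#   no_transport_error - none of the above patterns is present
classify_kdc_trace() {
    if [ "$#" -gt 0 ]; then trace=$(cat -- "$1"); else trace=$(cat); fi
    case "$trace" in
        *"Received answer ("*" bytes) from stream "*)
            echo tcp_ok ;;
        *"Response too big for UDP"*"(tcp only)"*"Terminating TCP connection"*)
            echo tcp88_blocked ;;
        *"Cannot contact any KDC"*)
            echo kdc_unreachable ;;
        *)
            echo no_transport_error ;;
    esac
}

# kdc_tcp_endpoint [FILE]: print the first host:port the client tried over TCP.
kdc_tcp_endpoint() {
    if [ "$#" -gt 0 ]; then trace=$(cat -- "$1"); else trace=$(cat); fi
    printf '%s\n' "$trace" \
        | sed -n 's/.*Initiating TCP connection to stream \([^ ]*\).*/\1/p' \
        | head -n 1
}

# probe_kdc_tcp HOST [PORT]: try a plain TCP connect (default port 88) with a 5 s limit.
# Returns 0 if the connection opens, 1 otherwise. UDP/88 working while this fails is
# exactly the situation in the article.
probe_kdc_tcp() {
    host=$1; port=${2:-88}
    if timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo "tcp/$port to $host: open"
    else
        echo "tcp/$port to $host: no connection within 5 s (blocked or filtered?)"
        return 1
    fi
}

# Stand-alone run: classify the constructed sample, then probe the KDC named on the
# command line, e.g.  sh kdc_tcp_check.sh somedc.somedomain.org
printf 'sample verdict: %s (kdc %s)\n' \
    "$(sample_trace | classify_kdc_trace)" "$(sample_trace | kdc_tcp_endpoint)"
if [ "$#" -gt 0 ]; then probe_kdc_tcp "$1"; fi
```

To obtain a fresh trace for the classifier, run the same kinit the worker performs with `KRB5_TRACE=/dev/stderr` set in the environment (the PA option X509_user_identity shown in the log is passed with `kinit -X X509_user_identity=FILE:cert.pem,key.pem`). A `tcp88_blocked` verdict means the fix belongs on the network path, not in krb5.conf: every Domain Controller the appliance is configured to use must accept TCP/88 as well as UDP/88.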

Resolution
