Received error from KDC: -1765328332/Response too big for UDP, retry with TCP (duplicate)

Symptoms

First, see How to analyze the log files to identify single-sign on (SSO) issues.

Single sign-on fails. In awingu-worker-smc.service.log, an error similar to the following can be seen:

Using specified cache: /etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/kerberos/kerberos_credentials_cache
Using principal: someuser\@somedomain.org@SOMEDOMAIN.ORG
PA Option X509_user_identity = FILE:/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/certificate.pem,/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/private_key.pem
[3734] 1646988007.867344: Getting initial credentials for someuser\@somedomain.org@SOMEDOMAIN.ORG
[3734] 1646988007.867346: Sending unauthenticated request
[3734] 1646988007.867347: Sending request (245 bytes) to SOMEDOMAIN.ORG
[3734] 1646988007.867348: Resolving hostname somehost.somedomain.org
[3734] 1646988007.867349: Sending initial UDP request to dgram 10.1.2.3:88
[3734] 1646988007.867350: Received answer (232 bytes) from dgram 10.1.2.3:88
[3734] 1646988007.867351: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[3734] 1646988007.867352: No URI records found
[3734] 1646988007.867353: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[3734] 1646988007.867354: SRV answer: 0 100 88 "somehost.somedomain.org."
[3734] 1646988007.867355: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[3734] 1646988007.867356: Response was not from master KDC
[3734] 1646988007.867357: Received error from KDC: -1765328359/Additional pre-authentication required
[3734] 1646988007.867360: Preauthenticating using KDC method data
[3734] 1646988007.867361: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[3734] 1646988007.867362: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params ""
[3734] 1646988007.867363: PKINIT loading CA certs and CRLs from FILE
[3734] 1646988007.867364: PKINIT client computed kdc-req-body checksum 9/AD393606386E83639F001105318E20FF703365A8
[3734] 1646988007.867366: PKINIT client making DH request
[3734] 1646988007.867367: Preauth module pkinit (16) (real) returned: 0/Success
[3734] 1646988007.867368: Produced preauth for next request: PA-PK-AS-REQ (16)
[3734] 1646988007.867369: Sending request (7252 bytes) to SOMEDOMAIN.ORG
[3734] 1646988007.867370: Resolving hostname somehost.somedomain.org
[3734] 1646988007.867371: Initiating TCP connection to stream 10.1.2.3:88
[3734] 1646988007.867372: Sending TCP request to stream 10.1.2.3:88
[3734] 1646988017.917766: Sending initial UDP request to dgram 10.1.2.3:88
[3734] 1646988017.917767: Received answer (122 bytes) from dgram 10.1.2.3:88
[3734] 1646988017.917768: Terminating TCP connection to stream 10.1.2.3:88
[3734] 1646988017.917769: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[3734] 1646988017.917770: No URI records found
[3734] 1646988017.917771: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[3734] 1646988017.917772: SRV answer: 0 100 88 "somehost.somedomain.org."
[3734] 1646988017.917773: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[3734] 1646988017.917774: Response was not from master KDC
[3734] 1646988017.917775: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[3734] 1646988017.917776: Request or response is too big for UDP; retrying with TCP
[3734] 1646988017.917777: Sending request (7252 bytes) to SOMEDOMAIN.ORG (tcp only)
[3734] 1646988017.917778: Resolving hostname somehost.somedomain.org
[3734] 1646988017.917779: Initiating TCP connection to stream 10.1.2.3:88
[3734] 1646988017.917780: Sending TCP request to stream 10.1.2.3:88
 
2022-03-11 08:40:27.879492 SOMEAWINGUHOST awingu-worker-smc.service[manage.py:29226]: Task cdsessions.tasks.refresh_sso_certificate failed
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/django_q/cluster.py", line 448, in worker
    res = f(*task["args"], **task["kwargs"])
  File "/usr/lib/python3/dist-packages/awingucore/cdsessions/tasks.py", line 234, in refresh_sso_certificate
    return _refresh_sso_certificate(domain, upn, rah_token, new_password)
  File "/usr/lib/python3/dist-packages/awingucore/cdsessions/tasks.py", line 392, in _refresh_sso_certificate
    timeout=LDAP_TIMEOUT)
  File "/usr/lib/python3.6/subprocess.py", line 863, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.6/subprocess.py", line 1535, in _communicate
    self._check_timeout(endtime, orig_timeout)
  File "/usr/lib/python3.6/subprocess.py", line 891, in _check_timeout
    raise TimeoutExpired(self.args, orig_timeout)
subprocess.TimeoutExpired: Command '['/opt/krb5-1.17/bin/kinit', '-V', '-X', 'X509_user_identity=FILE:/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/certificate.pem,/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/private_key.pem', '-c', '/etc/awingu/domains/AWINGUDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/kerberos/kerberos_credentials_cache', '-E', 'someuser@somedomain.org@SOMEDOMAIN.ORG']' timed out after 20 seconds
2022-03-11 08:40:27.896735 SOMEAWINGUHOST awingu-worker-smc.service[manage.py:1763]: Failed [carolina-music-lake-asparagus] - Command '['/opt/krb5-1.17/bin/kinit', '-V', '-X', 'X509_user_identity=FILE:/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/certificate.pem,/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/private_key.pem', '-c', '/etc/awingu/domains/WORKSPACEDOMAIN/ec335bd4-3dbf-45ef-af5f-2d14eca7069a/kerberos/kerberos_credentials_cache', '-E', 'someuser@somedomain.org@SOMEDOMAIN.ORG']' timed out after 20 seconds
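
The transport facts in a kinit trace like the one above can be extracted with a short script. This is an added example, not Awingu or Parallels code: the function name `summarize_trace`, the `stall_seconds` threshold and the shortened sample lines are assumptions constructed from the trace format shown above.

```python
import re

# krb5 trace line format seen above: "[pid] epoch.micros: message"
TRACE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
TOO_BIG = "-1765328332"  # KDC error code from the log: response too big for UDP


def summarize_trace(lines, stall_seconds=5.0):
    """Collect request sizes, too-big errors and TCP stalls from a kinit trace."""
    summary = {"request_sizes": [], "too_big_errors": 0, "tcp_stalls": []}
    tcp_sent_at = None
    for line in lines:
        m = TRACE.match(line.strip())
        if not m:
            continue  # skip non-trace lines such as "Using principal: ..."
        ts, msg = float(m.group(2)), m.group(3)
        # A TCP request is outstanding: measure the wait until the next event.
        if tcp_sent_at is not None:
            gap = ts - tcp_sent_at
            if gap >= stall_seconds:
                summary["tcp_stalls"].append(round(gap, 3))
            tcp_sent_at = None
        size = re.match(r"Sending request \((\d+) bytes\)", msg)
        if size:
            summary["request_sizes"].append(int(size.group(1)))
        elif msg.startswith("Sending TCP request to stream"):
            tcp_sent_at = ts
        elif msg.startswith("Received error from KDC: " + TOO_BIG):
            summary["too_big_errors"] += 1
    # True when the trace ends right after a TCP send (kinit was killed waiting).
    summary["tcp_unanswered_at_end"] = tcp_sent_at is not None
    return summary


# Constructed sample, shortened from the trace shown above.
SAMPLE = """\
Using principal: someuser\\@somedomain.org@SOMEDOMAIN.ORG
[3734] 1646988007.867347: Sending request (245 bytes) to SOMEDOMAIN.ORG
[3734] 1646988007.867369: Sending request (7252 bytes) to SOMEDOMAIN.ORG
[3734] 1646988007.867372: Sending TCP request to stream 10.1.2.3:88
[3734] 1646988017.917766: Sending initial UDP request to dgram 10.1.2.3:88
[3734] 1646988017.917775: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[3734] 1646988017.917777: Sending request (7252 bytes) to SOMEDOMAIN.ORG (tcp only)
[3734] 1646988017.917780: Sending TCP request to stream 10.1.2.3:88
""".splitlines()

if __name__ == "__main__":
    print(summarize_trace(SAMPLE))
```

On the sample it reports one wait of about 10 seconds after the first TCP send, one "too big for UDP" error, and a final TCP request still unanswered when the trace ends.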

 

Cause

There is an issue with the UDP communication.

Resolution

Some of the reported solutions:
