
I'm having some difficulties debugging this error. I'm running nginx as an API gateway built to make a sub-request to Kerberos whenever an endpoint gets called using the SPNEGO method. But whenever I attempt to make a request with a TGS ticket in the header, I get the error "TCP client 192.168.112.4.51658 wants 1195725856 bytes, cap is 1048572", then the connection closes.

I've tried printf "\xff\xff\xff\xff" | netcat krb_address 88 and it triggers the above error and if an instance of \xff is removed then no error.

What I'm struggling with figuring out is:

  1. What exactly is the message being sent to kerberos that is breaking the cap constraint?
  2. What kind of configuration changes need to be made to meet the cap requirement?

I've never worked with nginx and Kerberos before, so I'm not sure of any better questions I could be asking other than the basics.

Some insight into previous experience with this error or perhaps some additional techniques I could use to uncover some more insights into what is causing the error would be very much appreciated!

Kenpachi

1 Answer

That's a protocol mismatch; at some point you're sending an HTTP request when the Kerberos server is expecting something else.

The giveaway here is the number shown in the error, 1195725856. Converted to hexadecimal, that's 47 45 54 20. Converted to ASCII, it is G, E, T, space, or the first four characters of an HTTP GET request. That is unlikely to be a coincidence.

I'm not very familiar with Kerberos, but a little research suggests that one possible cause is that you may have left out the --enable-http option to the kdc service?

Harry Johnston
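The decoding step in the answer above can be automated. This is an added example, not part of the original answer or of any Kerberos tooling. It assumes the KDC reads the first four bytes of a TCP connection as a big-endian length prefix (the framing RFC 4120 defines for Kerberos over TCP); the function name and the prefix table are hypothetical, and the log line is the one quoted in the question.

```python
import re
import struct

# Log line quoted in the question, used here as sample input.
SAMPLE_LOG = "TCP client 192.168.112.4.51658 wants 1195725856 bytes, cap is 1048572"

# First four bytes of some non-Kerberos protocols a misrouted client
# might send to port 88. Illustrative, not exhaustive.
KNOWN_PREFIXES = {
    b"GET ": "HTTP GET request",
    b"POST": "HTTP POST request",
    b"HEAD": "HTTP HEAD request",
    b"PUT ": "HTTP PUT request",
    b"SSH-": "SSH banner",
}

LOG_RE = re.compile(r"wants (\d+) bytes, cap is (\d+)")


def decode_length_prefix(log_line):
    """Turn the 'wants N bytes' value back into the 4 bytes the client sent."""
    m = LOG_RE.search(log_line)
    if m is None:
        raise ValueError("not a 'wants N bytes, cap is M' log line")
    wanted, cap = int(m.group(1)), int(m.group(2))
    if wanted > 0xFFFFFFFF:
        raise ValueError("value does not fit in a 4-byte length prefix")

    raw = struct.pack(">I", wanted)  # big-endian, as read off the wire
    if raw in KNOWN_PREFIXES:
        guess = KNOWN_PREFIXES[raw]
    elif raw[0] == 0x16 and raw[1] == 0x03:
        guess = "TLS handshake record"  # content type 22, version 3.x
    elif all(0x20 <= b < 0x7F for b in raw):
        guess = "unrecognised ASCII text"
    else:
        guess = "binary data"

    return {
        "raw": raw,
        "hex": " ".join(f"{b:02x}" for b in raw),
        "guess": guess,
        "over_cap": wanted > cap,
    }


if __name__ == "__main__":
    print(decode_length_prefix(SAMPLE_LOG))
```

Running it on a new "wants N bytes" line from the KDC log shows whether the client on the other end is speaking HTTP, TLS, or something else to the Kerberos port.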