Otdfbt

Multi tool use

Does the EU Common Fisheries Policy cover British Overseas Territories?

You look catfish vs You look like a catfish

Binary Numbers Magic Trick

What is the range of this combined function?

Modify locally tikzset

Why do Ichisongas hate elephants and hippos?

Illegal assignment from SObject to Contact

Electric guitar: why such heavy pots?

Single Colour Mastermind Problem

If Earth is tilted, why is Polaris always above the same spot?

Was it really necessary for the Lunar Module to have 2 stages?

What's the polite way to say "I need to urinate"?

Does jamais mean always or never in this context?

"ne paelici suspectaretur" (Tacitus)

Where does the labelling of extrinsic semiconductors as "n" and "p" come from?

Why is the origin of “threshold” uncertain?

Why does nature favour the Laplacian?

Why does Bran Stark feel that Jon Snow "needs to know" about his lineage?

How to creep the reader out with what seems like a normal person?

Sci-fi novel series with instant travel between planets through gates. A river runs through the gates

What are the spoon bit of a spoon and fork bit of a fork called?

Weird result in complex limit

When and why did journal article titles become descriptive, rather than creatively allusive?

Feels like I am getting dragged in office politics

Kerberos - TCP client wants 1195725856 bytes, cap is 1048572

Creating keytabs and service principal namesAuthenticate with Kerberos to a CIFS share provided by OpenSolarisAuthenticating Windows 7 against MIT Kerberos 5Linking Linux MIT Kerberos with a Windows 2003 Active DirectoryActive Directory: Thunderbird LDAP autocompletion not working with Kerberos authnginx emerg error with type_hashIs this Kerberos/AD setup possible?Kerberos SSH/PAM login like ADKerberos MaxTokenSizewindows-ubuntu-bash + hypervisor winrm + ansible - Server not found in Kerberos database

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

1

1

I'm having some difficulties debugging this error. I'm running nginx as an api gateway built to make a sub-request to kerberos whenever an endpoint gets called using the SPNEGO method. But whenever I attempt to make a requests with TGS ticket in the header I get the error TCP client 192.168.112.4.51658 wants 1195725856 bytes, cap is 1048572 then the connection closes.

I've tried printf "xffxffxffxff" | netcat krb_address 88 and it triggers the above error and if an instance of xff is removed then no error.

What I'm struggling with figuring out is:

1. What exactly is the message being sent to kerberos that is breaking the cap constraint?


2. What kind of configuration changes need to be made to meet the cap requirement?

I've never worked with nginx and kerberos before so not sure of any better questions I could be asking other then the basics.

Some insight into previous experience with this error or perhaps some additional techniques I could use to uncover some more insights into what is causing the error would be very much appreciated!

nginx tcp kerberos spnego

share|improve this question

asked Apr 21 at 18:30

KenpachiKenpachi

62

add a comment | 

1

1

I'm having some difficulties debugging this error. I'm running nginx as an api gateway built to make a sub-request to kerberos whenever an endpoint gets called using the SPNEGO method. But whenever I attempt to make a requests with TGS ticket in the header I get the error TCP client 192.168.112.4.51658 wants 1195725856 bytes, cap is 1048572 then the connection closes.

I've tried printf "xffxffxffxff" | netcat krb_address 88 and it triggers the above error and if an instance of xff is removed then no error.

What I'm struggling with figuring out is:

1. What exactly is the message being sent to kerberos that is breaking the cap constraint?


2. What kind of configuration changes need to be made to meet the cap requirement?

I've never worked with nginx and kerberos before so not sure of any better questions I could be asking other then the basics.

Some insight into previous experience with this error or perhaps some additional techniques I could use to uncover some more insights into what is causing the error would be very much appreciated!

nginx tcp kerberos spnego

share|improve this question

asked Apr 21 at 18:30

KenpachiKenpachi

62

add a comment | 

I'm having some difficulties debugging this error. I'm running nginx as an api gateway built to make a sub-request to kerberos whenever an endpoint gets called using the SPNEGO method. But whenever I attempt to make a requests with TGS ticket in the header I get the error TCP client 192.168.112.4.51658 wants 1195725856 bytes, cap is 1048572 then the connection closes.

I've tried printf "xffxffxffxff" | netcat krb_address 88 and it triggers the above error and if an instance of xff is removed then no error.

What I'm struggling with figuring out is:

1. What exactly is the message being sent to kerberos that is breaking the cap constraint?


2. What kind of configuration changes need to be made to meet the cap requirement?

I've never worked with nginx and kerberos before so not sure of any better questions I could be asking other then the basics.

Some insight into previous experience with this error or perhaps some additional techniques I could use to uncover some more insights into what is causing the error would be very much appreciated!

nginx tcp kerberos spnego

share|improve this question

asked Apr 21 at 18:30

KenpachiKenpachi

62

share|improve this question

asked Apr 21 at 18:30

KenpachiKenpachi

62

share|improve this question

asked Apr 21 at 18:30

KenpachiKenpachi

62

asked Apr 21 at 18:30

KenpachiKenpachi

62

asked Apr 21 at 18:30

KenpachiKenpachi

62

1 Answer
1

active

oldest

votes

1

That's a protocol mismatch; at some point you're sending an HTTP request when the Kerberos server is expecting something else.

The giveaway here is the number shown in the error, 1195725856. Converted to hexadecimal, that's 47 45 54 20. Converted to ASCII, it is G, E, T, space, or the first four characters of an HTTP GET request. That is unlikely to be a coincindence.

I'm not very familiar with Kerberos, but a little research suggests that one possible cause is that you may have left out the --enable-http option to the kdc service?

share|improve this answer

answered Apr 22 at 23:46

Harry JohnstonHarry Johnston

3,97012040

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963989%2fkerberos-tcp-client-wants-1195725856-bytes-cap-is-1048572%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

1

That's a protocol mismatch; at some point you're sending an HTTP request when the Kerberos server is expecting something else.

The giveaway here is the number shown in the error, 1195725856. Converted to hexadecimal, that's 47 45 54 20. Converted to ASCII, it is G, E, T, space, or the first four characters of an HTTP GET request. That is unlikely to be a coincindence.

I'm not very familiar with Kerberos, but a little research suggests that one possible cause is that you may have left out the --enable-http option to the kdc service?

share|improve this answer

answered Apr 22 at 23:46

Harry JohnstonHarry Johnston

3,97012040

add a comment | 

1

That's a protocol mismatch; at some point you're sending an HTTP request when the Kerberos server is expecting something else.

The giveaway here is the number shown in the error, 1195725856. Converted to hexadecimal, that's 47 45 54 20. Converted to ASCII, it is G, E, T, space, or the first four characters of an HTTP GET request. That is unlikely to be a coincindence.

I'm not very familiar with Kerberos, but a little research suggests that one possible cause is that you may have left out the --enable-http option to the kdc service?

share|improve this answer

answered Apr 22 at 23:46

Harry JohnstonHarry Johnston

3,97012040

add a comment | 

That's a protocol mismatch; at some point you're sending an HTTP request when the Kerberos server is expecting something else.

The giveaway here is the number shown in the error, 1195725856. Converted to hexadecimal, that's 47 45 54 20. Converted to ASCII, it is G, E, T, space, or the first four characters of an HTTP GET request. That is unlikely to be a coincindence.

I'm not very familiar with Kerberos, but a little research suggests that one possible cause is that you may have left out the --enable-http option to the kdc service?

share|improve this answer

answered Apr 22 at 23:46

Harry JohnstonHarry Johnston

3,97012040

share|improve this answer

answered Apr 22 at 23:46

Harry JohnstonHarry Johnston

3,97012040

answered Apr 22 at 23:46

Harry JohnstonHarry Johnston

3,97012040

answered Apr 22 at 23:46

Harry JohnstonHarry Johnston

3,97012040