SUMMARY: Problems authenticating users via AD with Kerberos on Solaris 9

From: Smith, William E. (Bill), Jr. (Bill.Smith_at_jhuapl.edu)
Date: 08/25/05

    Date: Thu, 25 Aug 2005 14:34:20 -0400
    To: <sunmanagers@sunmanagers.org>
    Thanks to everyone who sent in their suggestions. Unfortunately, while
    they did not resolve the problem, they did help get me pointed further
    in the right direction and to a resolution. The issue at hand is that a
    change occurred with Windows 2003 such that if a user is in too many
    groups, the Windows KDC wants to use TCP while the remote end does
    not support it. As such, the authentication attempt fails. As noted in
    the following KB Article, http://support.microsoft.com/?kbid=832572, the
    issue was resolved in Windows 2003 SP1 or with a patch provided from MS.
    With the patch or SP1 intact, enabling the "Do not require kerberos
    preauthentication" box on a user's account resolves the problem. What
    is still not clear and something that I need to dig into deeper is what the
    impact of this change is beyond resolving the problem originally noted.

    - Bill

    -----Original Message-----
    From: sunmanagers-bounces@sunmanagers.org
    [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Smith, William
    E. (Bill), Jr.
    Sent: Monday, August 22, 2005 10:08 AM
    To: sunmanagers@sunmanagers.org
    Subject: Update: Problems authenticating users via AD with Kerberos on
    Solaris 9

    At this time, the problem is still not resolved. I received a few
    responses suggesting I check the clock between the server and domain
    controllers. As far as I can tell, everything looks fine there.
    Another response indicated that if a user is in too many groups, the
    Windows KDC requests that the client use TCP rather than UDP for the
    ticket. However, since MIT does not implement TCP, the request fails.
    There may be a registry key to set on the Windows side that controls how
    large the packet can be before TCP is used. So far, I haven't been able
    to find any reference to said key. If someone knows anything about this
    key or can provide any further insight, it would be much appreciated.
    For reference purposes, I am getting the following error when trying to
    run kinit using my Active Directory username/password, which is where
    the UDP vs TCP issue comes into play.

    kinit: KRB5 error code 52 while getting initial credentials

    - Bill

    -----Original Message-----
    From: sunmanagers-bounces@sunmanagers.org
    [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Smith, William
    E. (Bill), Jr.
    Sent: Wednesday, August 17, 2005 9:37 AM
    To: sunmanagers@sunmanagers.org
    Subject: Problems authenticating users via AD with Kerberos on Solaris 9

    We have a Solaris 9 server that we configured to authenticate users via
    Active Directory using Kerberos. Things worked when we first set things
    up, but recently, for whatever reason(s), Kerberos authentication does not
    seem to work, as I continue to get failed login attempts every time I or
    other users use their AD password. I've been trying to figure out
    what's going on for days to no avail, so I'm posting here hoping someone can
    shed some light. Here's a snippet of the pam.conf. The uncommented
    entries are the only ones uncommented in the file. Any other reference
    to pam_krb5.so.1 is commented out.

    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    #other auth requisite pam_authtok_get.so.1
    #other auth required pam_dhkeys.so.1
    other auth sufficient pam_krb5.so.1
    other auth required pam_unix_auth.so.1

    Nothing has changed with regard to the Kerberos configuration (as far as
    I know and can tell) but something is obviously amiss.

    Any insight or suggestions here would be appreciated.

    Bill Smith
    <mailto:bill.smith@jhuapl.edu>
    ISS Server Systems Group
    Johns Hopkins University Applied Physics Laboratory
    11100 Johns Hopkins Road
    Laurel, MD 20723
    Phone: 443-778-5523
    Web: http://www.jhuapl.edu
    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers
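The wire-level mechanism behind the "KRB5 error code 52" in this thread, as an added example that is not code from the original messages: the KDC answers the UDP request with a small KRB-ERROR whose error-code is 52, KRB_ERR_RESPONSE_TOO_BIG (RFC 4120 §7.5.9), and a client that understands it retries the same request over TCP; a client library without TCP support can only surface the number, which is the kinit output quoted above. The realm, principal names and timestamp below are constructed placeholders, and the tiny DER encoder/decoder is hand-written here rather than taken from any Kerberos library.

```python
# Added example (not from the thread); realm, principal and time values are placeholders.
KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 section 7.5.9
APPLICATION_30 = 0x7E           # [APPLICATION 30] constructed: the KRB-ERROR tag

def der_length(n):              # DER length: short form below 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body): return bytes([tag]) + der_length(len(body)) + body
def ctx(n, body): return tlv(0xA0 | n, body)         # explicit context tag [n]
def seq(*parts): return tlv(0x30, b"".join(parts))
def kstring(s): return tlv(0x1B, s.encode("ascii"))  # KerberosString (GeneralString)
def der_int(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def build_krb_error(code, realm, sname):
    """Constructed sample KDC reply carrying only the mandatory KRB-ERROR fields."""
    principal = seq(ctx(0, der_int(2)), ctx(1, seq(*map(kstring, sname))))
    return tlv(APPLICATION_30, seq(
        ctx(0, der_int(5)), ctx(1, der_int(30)),                   # pvno, msg-type
        ctx(4, tlv(0x18, b"20050822140800Z")), ctx(5, der_int(0)),  # stime, susec
        ctx(6, der_int(code)), ctx(9, kstring(realm)), ctx(10, principal)))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:           # long form: the next n octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_krb_error(msg):
    """Return {'error_code', 'realm'} for a KRB-ERROR, None for any other message."""
    tag, body, _ = read_tlv(msg)
    if tag != APPLICATION_30:
        return None
    _, fields, _ = read_tlv(body)                 # the outer SEQUENCE
    out, pos = {}, 0
    while pos < len(fields):
        tag, inner, pos = read_tlv(fields, pos)
        _, val, _ = read_tlv(inner)               # strip the explicit [n] wrapper
        if (tag & 0x1F) == 6:
            out["error_code"] = int.from_bytes(val, "big", signed=True)
        elif (tag & 0x1F) == 9:
            out["realm"] = val.decode("ascii")
    return out

def must_retry_over_tcp(udp_reply):   # the KDC says its reply will not fit in a datagram
    err = parse_krb_error(udp_reply)
    return bool(err) and err.get("error_code") == KRB_ERR_RESPONSE_TOO_BIG
```

A KRB-ERROR with code 52 carries no ticket at all, so a client that cannot open TCP/88 to the domain controller has no way to complete the exchange, whatever the account settings are.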

