Thanks to everyone who sent in their suggestions. Unfortunately, while they did not resolve the problem, they did help get me pointed further in the right direction and to a resolution.

The issue at hand is that a change occurred with Windows 2003 such that if a user is in too many groups, the Windows KDC wants to use TCP while the remote end does not support it. As such, the authentication attempt fails. As noted in the following KB article, http://support.microsoft.com/?kbid=832572, the issue was resolved in Windows 2003 SP1 or with a patch provided from MS. With the patch or SP1 intact, enabling the "Do not require Kerberos preauthentication" box on a user's account resolves the problem.

What is still not clear, and something that I need to dig into deeper, is what the impact of this change is beyond resolving the problem originally noted.

- Bill

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Smith, William E. (Bill), Jr.
Sent: Monday, August 22, 2005 10:08 AM
To: sunmanagers@sunmanagers.org
Subject: Update: Problems authenticating users via AD with Kerberos on Solaris 9

At this time, the problem is still not resolved. I received a few responses suggesting I check the clock between the server and domain controllers. As far as I can tell, everything looks fine there. Another response indicated that if a user is in too many groups, the Windows KDC requests that the client use TCP rather than UDP for the ticket. However, since MIT does not implement TCP, the request fails. There may be a registry key to set on the Windows side that controls how large the packet can be before TCP is used. So far, I haven't been able to find any reference to said key. If someone knows anything about this key or can provide any further insight, it would be much appreciated.
For reference purposes, I am getting the following error when trying to run kinit using my Active Directory username/password, which is where the UDP vs. TCP issue comes into play:

    kinit: KRB5 error code 52 while getting initial credentials

- Bill

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Smith, William E. (Bill), Jr.
Sent: Wednesday, August 17, 2005 9:37 AM
To: sunmanagers@sunmanagers.org
Subject: Problems authenticating users via AD with Kerberos on Solaris 9

We have a Solaris 9 server that we configured to authenticate users via Active Directory using Kerberos. Things worked when we first set things up, but recently, for whatever reason(s), Kerberos authentication does not seem to work, as I continue to get failed login attempts every time I or other users use their AD password. I've been trying to figure out what's going on for days to no avail, so I'm posting here hoping someone can shed some light.

Here's a snippet of the pam.conf. The uncommented entries are the only ones uncommented in the file. Any other reference to pam_krb5.so.1 is commented out.

    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    #other auth requisite pam_authtok_get.so.1
    #other auth required pam_dhkeys.so.1
    other auth sufficient pam_krb5.so.1
    other auth required pam_unix_auth.so.1

Nothing has changed with regard to the Kerberos configuration (as far as I know and can tell), but something is obviously amiss. Any insight or suggestions here would be appreciated.
Bill Smith <mailto:bill.smith@jhuapl.edu>
ISS Server Systems Group
Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Road
Laurel, MD 20723
Phone: 443-778-5523
Web: http://www.jhuapl.edu

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu Aug 25 14:34:57 2005
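The transport detail behind the "KRB5 error code 52" in the thread, as an added example written for this archive page and not part of Bill's posts: a KDC whose reply will not fit in a UDP datagram answers with a KRB-ERROR carrying error-code 52 (KRB_ERR_RESPONSE_TOO_BIG, RFC 4120 section 7.2.2), and a client that implements the TCP transport resends the identical request over TCP with a 4-octet big-endian length prefix. A client whose Kerberos library has no TCP transport, as the thread says of the MIT-based client on Solaris 9, can only surface the error to the user. The KRB-ERROR bytes below are constructed by the example itself (realm EXAMPLE.COM, a made-up timestamp, only the fields a client needs to act on), and every helper name is the example's own, not an MIT krb5 API.

```python
import struct

# Kerberos error code a KDC returns when its reply would exceed the UDP
# datagram limit (RFC 4120 section 7.2.2). kinit prints it as
# "KRB5 error code 52 while getting initial credentials".
KRB_ERR_RESPONSE_TOO_BIG = 52
KDC_ERR_PREAUTH_REQUIRED = 25   # a different, ordinary KDC error, for contrast

# ---- minimal DER encoder, used only to build the constructed sample reply ----

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _integer(value):
    # minimal two's-complement big-endian INTEGER (non-negative values here)
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))

def _ctx(n, content):
    # context-specific, constructed tag [n] as used by the Kerberos ASN.1 module
    return _tlv(0xA0 | n, content)

def _general_string(s):
    return _tlv(0x1B, s.encode("ascii"))

def build_krb_error(error_code, realm="EXAMPLE.COM"):
    """Constructed KRB-ERROR ::= [APPLICATION 30] SEQUENCE with the fields a
    client needs to interpret it. All values are made up for this example."""
    sname = _tlv(0x30, _ctx(0, _integer(2)) +                      # NT-SRV-INST
                 _ctx(1, _tlv(0x30, _general_string("krbtgt") +
                                    _general_string(realm))))
    body = (_ctx(0, _integer(5)) +                       # pvno
            _ctx(1, _integer(30)) +                      # msg-type KRB-ERROR
            _ctx(4, _tlv(0x18, b"20050825143457Z")) +    # stime (GeneralizedTime)
            _ctx(5, _integer(0)) +                       # susec
            _ctx(6, _integer(error_code)) +              # error-code
            _ctx(9, _general_string(realm)) +            # realm
            _ctx(10, sname))                             # sname
    return _tlv(0x60 | 30, _tlv(0x30, body))

# ---- what a client does with the KDC's reply ----

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply):
    """error-code of a KRB-ERROR reply, or None if the reply is some other
    Kerberos message (an AS-REP is [APPLICATION 11], tag 0x6B)."""
    tag, content, _ = _read_tlv(reply, 0)
    if tag != (0x60 | 30):
        return None
    seq_tag, fields, _ = _read_tlv(content, 0)
    if seq_tag != 0x30:
        return None
    pos = 0
    while pos < len(fields):
        tag, field, pos = _read_tlv(fields, pos)
        if tag == (0xA0 | 6):               # error-code [6] Int32
            int_tag, raw, _ = _read_tlv(field, 0)
            if int_tag == 0x02:
                return int.from_bytes(raw, "big", signed=True)
    return None

def kdc_wants_tcp(reply):
    """True when the KDC answered a UDP request with KRB_ERR_RESPONSE_TOO_BIG,
    i.e. the same request must be resent over TCP."""
    return krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG

def tcp_frame(request):
    """Kerberos over TCP prefixes each message with its length as a 4-octet
    big-endian integer whose high bit is reserved and must be zero."""
    if len(request) >= 1 << 31:
        raise ValueError("message too large for Kerberos TCP framing")
    return struct.pack(">I", len(request)) + request

def read_tcp_frame(stream):
    """Inverse of tcp_frame: return (message, remaining bytes in the stream)."""
    if len(stream) < 4:
        raise ValueError("short frame")
    n = struct.unpack(">I", stream[:4])[0]
    if n & 0x80000000:
        raise ValueError("reserved high bit set in Kerberos TCP length")
    if len(stream) < 4 + n:
        raise ValueError("truncated frame")
    return stream[4:4 + n], stream[4 + n:]

def handle_udp_reply(reply, request):
    """Decision a TCP-capable client makes on a UDP reply: ('done', reply) if
    the reply is usable, or ('retry-tcp', framed request) when the KDC asked
    for TCP. A client with no TCP transport can only fail here with code 52."""
    if kdc_wants_tcp(reply):
        return ("retry-tcp", tcp_frame(request))
    return ("done", reply)
```

The two ways out of this situation are visible in the code: shrink the reply so it fits in UDP (which is what the thread's preauthentication and group-count observations are about on the KDC side), or give the client a TCP transport. Later MIT krb5 releases implement the retry shown in `handle_udp_reply` themselves and expose `udp_preference_limit` in the `[libdefaults]` section of krb5.conf to send large requests over TCP from the start.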
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:51 EST