kinit fails against active directory 2003-sp2 when user has > ~35 groups
Douglas E. Engert
deengert at anl.gov
Mon Feb 5 14:19:45 EST 2007
Jeff Saxton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I am seeing kinit fail
Which kinit? MIT? Heimdal? What version?
> against M$ Active directory when the
> user has > ~35 group memberships. Anyone else seen this?
The ticket contains the Microsoft PAC, i.e. user and group authz information.
The ticket can get quite large. Even Microsoft has set a limit
that gets bigger with each release.
Google for this: site:microsoft.com PAC size
Which will lead to, among other things:
http://support.microsoft.com/kb/327825
http://support.microsoft.com/kb/832572
>
> kinit(v5): ASN.1 encoding ended unexpectedly while getting initial credentials
This sounds like an ASN.1 parser problem with a large PAC.
>
> When the number of group memberships is reduced to < 20 it works!
>
> - --
> Jeffrey Mark Saxton
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFx31tDyIrHU4I55kRAqoQAJ97Q0fP8AR/jQ/ly0LDn4o2Zh6EYQCeK8iJ
> 7gU9Y+6oNyRUdcFkFWN7c6U=
> =3N+0
> -----END PGP SIGNATURE-----
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
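
Added example, not part of the original post and not MIT krb5 code: "ASN.1 encoding ended unexpectedly" is what a DER decoder reports when a declared length runs past the bytes it was given, so a quick triage step is to walk a captured reply and see where the lengths stop adding up. The sample reply is constructed; the 40 bytes per group is an arbitrary stand-in, not the real PAC layout.

```python
class Overrun(Exception):
    """A declared DER length runs past the end of the available bytes."""

def read_header(buf, off, end):
    """Return (tag, content_start, content_end) for the TLV at off, bounded by end."""
    if off + 2 > end:
        raise Overrun(f"header at offset {off} is cut off")
    tag, first = buf[off], buf[off + 1]
    pos = off + 2
    if first < 0x80:                      # short form: length fits in one byte
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > end:
            raise Overrun(f"length field at offset {off} is cut off or indefinite")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise Overrun(f"tag 0x{tag:02x} at offset {off} declares {length} bytes, "
                      f"only {end - pos} present")
    return tag, pos, pos + length

def walk(buf, off=0, end=None):
    """Walk every TLV in buf[off:end], descending into constructed ones; return the count."""
    end = len(buf) if end is None else end
    count = 0
    while off < end:
        tag, start, stop = read_header(buf, off, end)
        count += 1
        if tag & 0x20:                    # constructed: contents are TLVs too
            count += walk(buf, start, stop)
        off = stop
    return count

def tlv(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def sample_reply(groups):
    """Constructed stand-in for a reply: APPLICATION 11 > SEQUENCE > INTEGER, OCTET STRING."""
    blob = tlv(0x04, b"\x00" * (40 * groups))   # grows with group count (assumption)
    return tlv(0x6B, tlv(0x30, tlv(0x02, b"\x05") + blob))
```

Calling walk() on the complete sample returns the TLV count; on a copy cut short it raises Overrun naming the tag and offset whose declared length exceeds the bytes present.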