Solaris 8 and windows 2k active directory problems.
dmc
D.M.Chapman at ukc.ac.uk
Sun Aug 24 06:48:22 EDT 2003
We are currently looking for a short term fix for one of our solaris imap
servers to be able to authenticate against our existing windows2k domain.
Several people advised that kerberos and pam_krb5 would be the easiest and
initial tests proved positive but...
it seems that a small number of our test users cannot log in :-(
Initially I thought this was a problem with pam on solaris but it seems not
as kinit is also failing.
I get:
% kinit testaccnt
% kinit testaccnt
Password for testaccnt@AD.KENT.AC.UK:
%
% klist
Ticket cache: /tmp/krb5cc_20616
Default principal: testaccnt@AD.KENT.AC.UK

Valid starting                Expires                       Service principal
Sun 24 Aug 2003 11:37:01 BST  Sun 24 Aug 2003 19:37:01 BST  krbtgt/AD.KENT.AC.UK@AD.KENT.AC.UK
        renew until Sun 24 Aug 2003 12:37:01 BST
%
and it works fine. imapd also seems to be working for my test account (and
most other users). If however one of our test users tries this he gets:
% kinit testaccnt2
Password for testaccnt2@AD.KENT.AC.UK:
Segmentation Fault (core dumped)
%
Nothing obviously different with the accounts in active directory - both have
been created in the same way. On another account that had the same problem
a password reset seems to have cured it. Nothing but alphanumeric chars in
the passwords before or after...
It doesn't matter what password kinit is given - it core dumps for certain
users whatever. Looking at the output from truss you can see it connect to
a domain controller (kdc) and then fall over with the first data that it
sent to it! :
connect(4, 0x00026520, 16, 1) = 0
send(4, " j81AE 081ABA103020105A2".., 177, 0) = 177
poll(0xFFBEF218, 1, 1000) = 1
recv(4, " ~818A 08187A003020105A1".., 4096, 0) = 141
close(4) = 0
Incurred fault #6, FLTBOUNDS %pc = 0xFF34FC28
siginfo: SIGSEGV SEGV_MAPERR addr=0x00000004
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x00000004
*** process killed ***
Any clues? Is this a known issue? I have seen suggestions that installing
another pam lib may help but most of the ones that I have found seem to be
for linux and want MIT kerberos installed. A lot of work for a short term
fix :-(
It's so annoying as it works fine for most users.
Darren
BTW, forcing everyone to reset their passwords isn't an option! :-)
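
Added example, not part of the original post: a small decoder for the first bytes of the two Kerberos messages in the truss output, which identifies them by their ASN.1 APPLICATION tag and checks the encoded length against the byte counts truss reports. It assumes truss prints each byte as a two-character cell (a space plus the printable character, or two hex digits); the function names are hypothetical.

```python
# Added example: decode the first bytes of the Kerberos messages shown in the
# truss output above. Assumption: truss prints each byte as a two-character
# cell, either a space plus the printable character or two hex digits.

# Kerberos V5 message types keyed by ASN.1 APPLICATION tag number (RFC 4120).
KRB_APP_TAGS = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}

def truss_cells_to_bytes(text):
    """Convert a truss string excerpt (without the trailing '..') to bytes."""
    if len(text) % 2:
        raise ValueError("excerpt is not a whole number of two-character cells")
    out = bytearray()
    for i in range(0, len(text), 2):
        cell = text[i:i + 2]
        out.append(ord(cell[1]) if cell[0] == " " else int(cell, 16))
    return bytes(out)

def read_der_header(buf, pos=0):
    """Return (tag_class, constructed, tag_number, length, header_size)."""
    first = buf[pos]
    tag_class, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    if number == 0x1F:
        raise ValueError("high tag numbers are not used by Kerberos")
    length = buf[pos + 1]
    size = 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        if n == 0 or pos + 2 + n > len(buf):
            raise ValueError("truncated or indefinite length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        size += n
    return tag_class, constructed, number, length, size

def describe(excerpt):
    """Name the Kerberos message and its total size on the wire."""
    buf = truss_cells_to_bytes(excerpt)
    tag_class, _, number, length, size = read_der_header(buf)
    if tag_class != 1:  # 1 = APPLICATION
        raise ValueError("not a Kerberos application-tagged message")
    return KRB_APP_TAGS.get(number, "unknown(%d)" % number), length + size

if __name__ == "__main__":
    # Excerpts copied from the send() and recv() lines of the truss output.
    for label, excerpt in (("send", " j81AE 081ABA103020105A2"),
                           ("recv", " ~818A 08187A003020105A1")):
        print(label, describe(excerpt))
```

Under that assumption the sent message decodes as a 177-byte AS-REQ and the reply as a 141-byte KRB-ERROR, matching the sizes in the send() and recv() lines.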