Problems trying to authenticate Unix users via Active Directory

Jonathan Stephens jonsteph at microsoft.com
Thu Aug 25 17:27:25 EDT 2005


The registry key you mention is likely MaxPacketSize:

244474 How to force Kerberos to use TCP instead of UDP in Windows Server
2003,
http://support.microsoft.com/?id=244474

The default MaxPacketSize for Windows did change from Windows 2000 (2000
bytes) to Windows Server 2003 (1465 bytes). If you encountered problems
immediately after upgrading, then you can set the MaxPacketSize in the
registry of your DCs to 2000 and reboot them. This could be considered a
workaround, as it becomes unnecessary if kinit behaves correctly in
response to error 0x34.

Here is some general information you may find useful for your
environment:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/a0bd7520-ef2d-4de4-b487-e105a9de9e4f.mspx

Jonathan Stephens [MS]
--
This posting is provided "AS IS" with no warranties, and confers no
rights.

-----Original Message-----
From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On
Behalf Of Bill Smith
Sent: Thursday, August 25, 2005 10:35 AM
To: kerberos at MIT.EDU
Subject: Problems trying to authenticate Unix users via Active Directory

We have a Solaris 9 box configured to authenticate users via AD.
Everything used to work fine but recently, AD authentication has failed
for some users but still works for others.  As part of the
troubleshooting process, tried running the kinit command for a user
having problems and get the following error

kinit: KRB5 error code 52 while getting initial credentials

From what I've found, it seems to be an issue with the user being in too
many AD groups, the Windows KDC wanting to use TCP rather than UDP, and
the MIT version not supporting it.  What I'm not certain on is whether
the version shipped with Solaris 9 is MIT-based or something
proprietary to Solaris.  I've found some mention of setting a registry
key on the Windows Domain controllers but have not been able to find
anything specific.  I also believe this issue cropped up after we began
upgrading some of the domain controllers to Windows 2003.

At this point, we're still having the problem with no resolution.  Has
anyone else encountered this issue?  If so, is there a patch from SUN to
address it or did you have to do something else?  Would appreciate any
insight into this problem.

Thanks,

Bill 


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
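
Added example, not part of the original posts: a sketch of the client behaviour the reply refers to, recognising KRB-ERROR code 52 (0x34, KRB_ERR_RESPONSE_TOO_BIG) in a UDP reply and repeating the same request over TCP with the 4-byte length prefix defined in RFC 4120. The `send_udp` and `send_tcp` callables are hypothetical transport hooks, and the sample KRB-ERROR bytes are constructed for illustration.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # 0x34, the error kinit reports in the thread

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def krb_error_code(reply):
    """Return the error-code of a KRB-ERROR reply, or None for any other message."""
    tag, pos, _ = _tlv(reply, 0)
    if tag != 0x7E:                         # [APPLICATION 30] marks KRB-ERROR
        return None
    tag, pos, end = _tlv(reply, pos)        # the SEQUENCE inside it
    if tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    while pos < end:
        tag, start, stop = _tlv(reply, pos)
        if tag == 0xA6:                     # field [6] is error-code (INTEGER)
            _, istart, istop = _tlv(reply, start)
            return int.from_bytes(reply[istart:istop], "big", signed=True)
        pos = stop
    raise ValueError("KRB-ERROR without error-code")

def tcp_frame(request):
    """Kerberos over TCP: 4-byte big-endian length, then the message."""
    return struct.pack("!I", len(request)) + request

def exchange(request, send_udp, send_tcp):
    """Try UDP first; on error 52 repeat the same request over TCP."""
    reply = send_udp(request)               # send_udp/send_tcp: hypothetical hooks
    if krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG:
        return "tcp", send_tcp(tcp_frame(request))
    return "udp", reply

# Constructed sample: minimal KRB-ERROR with pvno=5, msg-type=30, error-code=52
SAMPLE_TOO_BIG = bytes.fromhex("7e11300fa003020105a10302011ea603020134")
```

A client that stops at the first `krb_error_code(...) == 52` instead of retrying is the failure mode described in the thread; raising MaxPacketSize on the DCs only hides it.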


