Problems trying to authenticate Unix users via Active Directory

Kevin Reardon Kevin.Reardon at oracle.com
Sat Aug 27 14:53:04 EDT 2005


You must have migrated from AD 2000 to AD 2003.  AD had to adjust with 
migration from many NT domains to one so it kept the legacy group IDs 
in the credentials even though there is now a concatenated group, just 
in case there was a server out there that has yet to migrate 
(SIDHistory).  I've seen the problem where the key was too large several 
times and it was always due to the migration not being completed.  Check 
out this MS article, it may apply to you.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;322970

---K


Bill Smith wrote:

>We have a Solaris 9 box configured to authenticate users via AD.  Everything 
>used to work fine but recently, AD authentication has failed for some users 
>but still works for others.  As part of the troubleshooting process, I tried 
>running the kinit command for a user having problems and get the following 
>error:
>
>kinit: KRB5 error code 52 while getting initial credentials
>
>From what I've found, it seems to be an issue with the user being in too 
>many AD groups, the Windows KDC wanting to use TCP rather than UDP, and the 
>MIT version not supporting it.  What I'm not certain on is whether the 
>version shipped with Solaris 9 is MIT-based or something proprietary to 
>Solaris.  I've found some mention of setting a registry key on the Windows 
>Domain controllers but have not been able to find anything specific.  I also 
>believe this issue cropped up after we began upgrading some of the domain 
>controllers to Windows 2003.
>
>At this point, we're still having the problem with no resolution.  Has 
>anyone else encountered this issue?  If so, is there a patch from SUN to 
>address it or did you have to do something else?  Would appreciate any 
>insight into this problem.
>
>Thanks,
>
>Bill 
>
>
>________________________________________________
>Kerberos mailing list           Kerberos at mit.edu
>https://mailman.mit.edu/mailman/listinfo/kerberos
>  
>

