Problems trying to authenticate Unix users via Active Directory

Smith, William E. (Bill), Jr. Bill.Smith at jhuapl.edu
Mon Aug 29 15:24:41 EDT 2005


Sorry, guess I was not clear.  I had the "Do not require Kerberos
pre-authentication" box checked for my AD user account and I was able to
log in to a Solaris 9 box using my AD credentials.  With it unchecked,
logins failed again.  I can log in to a Solaris 10 system using my AD
credentials without any problems with that box unchecked.  It is only
when trying to authenticate against a Solaris 9 server (using SUN's
Kerberos distribution) that the problem crops up.

- Bill

-----Original Message-----
From: Douglas E. Engert [mailto:deengert at anl.gov] 
Sent: Monday, August 29, 2005 3:20 PM
To: Smith, William E. (Bill), Jr.
Cc: Wyllys Ingersoll; kerberos at mit.edu
Subject: Re: Problems trying to authenticate Unix users via Active
Directory



Smith, William E. (Bill), Jr. wrote:

> I did notice that things seem to work properly in Solaris 10 and 
> figured it must include TCP support. Modifying the user account 
> property to not require kerberos pre-authentication has worked but 
> that has some implications of its own.

The Solaris 10 should support the pre-auth. It works for us. Why did you
think you had to turn it off?

With Solaris 5, 6, 7, 8, 9 we use/used the MIT kerberos.


> I will investigate some of the other
> suggestions though
> 
> Bill
> 
> -----Original Message-----
> From: Wyllys Ingersoll [mailto:wyllys.ingersoll at sun.com]
> Sent: Monday, August 29, 2005 10:10 AM
> To: Smith, William E. (Bill), Jr.
> Cc: kerberos at mit.edu
> Subject: Re: Problems trying to authenticate Unix users via Active 
> Directory
> 
> Bill Smith wrote:
> 
> 
>> From what I've found, it seems to be an issue with the user being in too
>> many AD groups, the Windows KDC wanting to use TCP rather than UDP, and
>> the MIT version not supporting it.  What I'm not certain on is whether
>> the version shipped with Solaris 9 is MIT-based or something
>> proprietary to Solaris.  I've found some mention of setting a registry
>> key on the Windows ]
>>
> 
> 
> The SEAM packages in Solaris are based on MIT, though they are not
> identical, there are some minor differences.  Solaris 9 SEAM does not
> have TCP support, which is needed to work with Windows 2003 server.
> There are workarounds, as others have pointed out.
> 
> 
>> At this point, we're still having the problem with no resolution.  Has
>> anyone else encountered this issue?  If so, is there a patch from SUN
>> to address it or did you have to do something else?  Would appreciate
>> any insight into this problem
>>
> 
> 
> I'm not sure if we have a patch for Solaris 9, but I do know that 
> Solaris 10 has TCP support and does not suffer the same problems as 
> the Solaris 8 and 9 versions.
> 
> -Wyllys
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
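
The workaround discussed in this thread, ticking "Do not require Kerberos pre-authentication" on an AD account, is easy to leave in place after troubleshooting. The following is an added example, not part of the thread: it scans an LDIF export of user objects for accounts that still have that setting, which is stored as bit 0x400000 (DONT_REQ_PREAUTH) of `userAccountControl`. The account names, DNs and the sample export are constructed, and the parser assumes plain (not base64) attribute values.

```python
"""Audit an AD LDIF export for accounts that skip Kerberos pre-authentication."""

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit set by the checkbox
ACCOUNTDISABLE = 0x2         # userAccountControl bit for a disabled account

# Constructed sample export (hypothetical names), as ldifde/ldapsearch would emit.
SAMPLE_LDIF = """\
dn: CN=Test User One,OU=Unix,DC=example,DC=test
sAMAccountName: tuser1
userAccountControl: 4194816

dn: CN=Test User Two,OU=Unix,DC=example,DC=test
sAMAccountName: tuser2
userAccountControl: 512

dn: CN=Old Service,OU=Unix,
 DC=example,DC=test
sAMAccountName: oldsvc
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Yield one dict per record; joins folded lines (those starting with a space)."""
    record, last = {}, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if line.startswith(" ") and last:
            record[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            record[last] = value.strip()
        elif not line.strip() and record:
            yield record
            record, last = {}, None


def accounts_without_preauth(text):
    """Return (account name, enabled?) for each account with the flag set."""
    hits = []
    for rec in parse_ldif(text):
        uac = int(rec.get("userAccountControl", "0"))
        if uac & DONT_REQ_PREAUTH:
            name = rec.get("sAMAccountName", rec.get("dn"))
            hits.append((name, not uac & ACCOUNTDISABLE))
    return hits


if __name__ == "__main__":
    for name, enabled in accounts_without_preauth(SAMPLE_LDIF):
        state = "enabled" if enabled else "disabled"
        print(f"{name}: pre-authentication not required ({state})")
```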


