Pam kerberos vs. Kinit

Ethan Bearman ebearman at usc.edu
Thu Mar 17 14:43:35 EST 2005


At 07:14 AM 3/17/2005, you wrote:
>Ethan Bearman wrote:
>>I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0 
>>running on 9000 series system) to our Windows 2003 AD domain.  It works 
>>for certain admin accounts that have few group memberships, but not for 
>>regular users.
>>I understand this to be due to the large PAC headers Windows is using for 
>>authorization data, which causes Windows to use TCP rather than 
>>UDP.  Apparently versions of MIT kerberos earlier than 1.3.1 do not 
>>support TCP.

I've just run another test and discovered that I can successfully log into 
the host initially (via PAM kerberos library and SSH), and I don't get 
error 52.  I've got a ticket in my cache and everything.  Kerb error 52 
only occurs if I'm using kinit from the shell.

How could this be?  I believe the PAM kerberos library that HP supplies is 
based on Krb1.1, which I thought would not be able to communicate via TCP 
to our W2k3 KDCs.  Does anyone know why this is working through PAM, and 
not at the shell?

Our users are not going to need to do kinit at the shell, but I just wonder 
if ignorance is bliss, or if I'm going to encounter problems anyway with 
this configuration.

Thanks.

Ethan Bearman
Systems Analyst
USCard Operations
University of Southern California
213.821.2287
213.740.7253 Fax 
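The error the post describes (Kerberos error 52, KRB_ERR_RESPONSE_TOO_BIG, returned when the PAC-laden AD ticket no longer fits in a UDP datagram) can only be worked around on a client whose MIT krb5 is 1.3.1 or newer, since older releases have no TCP KDC transport at all. The krb5.conf fragment below is an added example, not part of the original post: it shows the default behaviour beside a setting that makes kinit go to the KDC over TCP from the start instead of waiting for the UDP attempt to fail. The realm name, KDC hostname and domain are placeholders.

```ini
# krb5.conf - added example, not from the original post.
# Placeholders: EXAMPLE.COM, dc1.example.com, example.com

[libdefaults]
    default_realm = EXAMPLE.COM
    # Default is 1465: requests up to this size go out over UDP first,
    # and the client only retries over TCP after the KDC answers with
    # KRB_ERR_RESPONSE_TOO_BIG (error 52).
    # udp_preference_limit = 1465
    #
    # Setting it to 1 makes MIT krb5 (1.3.1 or later) try TCP port 88
    # first for every request, so large AD PAC replies never hit the
    # UDP size limit. A client built on krb5 1.1 ignores this setting
    # and cannot speak TCP to the KDC at all.
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        # AD domain controllers listen for Kerberos on TCP and UDP 88.
        kdc = dc1.example.com:88
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

On the affected client, `klist -V` (or the library version reported by `kinit --version` on some builds) shows whether the krb5 in use is new enough for this setting to matter.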