Pam kerberos vs. Kinit
Douglas E. Engert
deengert at anl.gov
Thu Mar 17 15:51:36 EST 2005
Ethan Bearman wrote:
> At 07:14 AM 3/17/2005, you wrote:
>
>> Ethan Bearman wrote:
>>
>>> I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0
>>> running on 9000 series system) to our Windows 2003 AD domain. It
>>> works for certain admin accounts that have few group memberships, but
>>> not for regular users.
>>> I understand this to be due to the large PAC headers Windows is using
>>> for authorization data, which causes Windows to use TCP rather than
>>> UDP. Apparently versions of MIT kerberos earlier than 1.3.1 do not
>>> support TCP.
>
> I've just run another test and discovered that I can successfully log
> into the host initially (via PAM kerberos library and SSH), and I don't
> get error 52. I've got a ticket in my cache and everything. Kerb error
> 52 only occurs if I'm using kinit from the shell.
You could be right on the cut over point, and maybe addressless vs with address
tickets keep the ticket just small enough.
A way to see what is going on would be to do a network trace of the traffic
to the host. Ethereal works well with Kerberos, and is claimed
to be available for HP, but I have not tried it on HP.
http://www.ethereal.com/download.html
>
> How could this be? I believe the PAM kerberos library that HP supplies
> is based on Krb1.1, which I thought would not be able to communicate via
> TCP to our W2k3 KDC's. Does anyone know why this is working through
> PAM, and not at the shell?
>
> Our users are not going to need to do kinit at the shell, but I just
> wonder if ignorance is bliss, or if I'm going to encounter problems
> anyway with this configuration.
>
> Thanks.
>
> Ethan Bearman
> Systems Analyst
> USCard Operations
> University of Southern California
> 213.821.2287
> 213.740.7253 Fax
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
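The mechanism under discussion (a KDC answering a UDP AS-REQ with KRB-ERROR 52 when the PAC-laden reply will not fit in a datagram, and the client needing TCP to recover) is easier to reason about with a small simulation. The Python below is an added example, not code from this thread, MIT Kerberos or HP; it builds a minimal DER KRB-ERROR the way one would see it in a trace, decodes its error-code, and models a client like the old HP library that cannot fall back to TCP. The error code 52 is KRB_ERR_RESPONSE_TOO_BIG and the 4-byte TCP length prefix is from RFC 4120; the UDP limit, base AS-REP size, PAC sizes and address-field sizes are assumed values chosen for the simulation, and all message bytes are constructed here.

```python
"""Simulated KDC / client exchange reproducing Kerberos error 52
(KRB_ERR_RESPONSE_TOO_BIG) when an AS-REP carrying a large Windows PAC
exceeds the UDP reply limit, plus the TCP fallback a client needs.
All bytes are constructed for this example; limits and sizes are assumptions."""

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error code behind "kerberos error 52"
TAG_KRB_ERROR = 0x7E            # [APPLICATION 30] constructed
TAG_AS_REP = 0x6B               # [APPLICATION 11] constructed
UDP_REPLY_LIMIT = 1465          # assumed UDP reply budget for this simulation
AS_REP_BASE_LEN = 300           # assumed AS-REP size with no PAC (constructed)


def der(tag, body):
    """Wrap body in a DER TLV with a definite short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(value):
    size = max(1, (value.bit_length() + 8) // 8)   # leading 0x00 when high bit set
    return der(0x02, value.to_bytes(size, "big", signed=True))


def ctx(n, body):
    """Context-specific constructed tag [n], used for every KRB field."""
    return der(0xA0 | n, body)


def tlv_iter(buf):
    """Yield (tag, body) for each top-level TLV in buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:
            nbytes = length & 0x7F
            length = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        yield tag, buf[i:i + length]
        i += length


def build_krb_error(code, realm=b"EXAMPLE.COM"):
    """Minimal KRB-ERROR: pvno, msg-type, stime, susec, error-code, realm, sname."""
    sname = der(0x30, ctx(0, der_int(2)) + ctx(1, der(0x30, der(0x1B, b"krbtgt") + der(0x1B, realm))))
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30))
            + ctx(4, der(0x18, b"20050317205136Z")) + ctx(5, der_int(0))
            + ctx(6, der_int(code)) + ctx(9, der(0x1B, realm)) + ctx(10, sname))
    return der(TAG_KRB_ERROR, der(0x30, body))


def parse_krb_error_code(msg):
    """Return the error-code [6] of a DER KRB-ERROR, as a trace decoder would."""
    tag, body = next(tlv_iter(msg))
    if tag != TAG_KRB_ERROR:
        raise ValueError("not a KRB-ERROR message")
    _, fields = next(tlv_iter(body))
    for tag, field in tlv_iter(fields):
        if tag == 0xA6:                              # [6] error-code
            _, raw = next(tlv_iter(field))
            return int.from_bytes(raw, "big", signed=True)
    raise ValueError("error-code field missing")


class SimKdc:
    """Stand-in KDC: the AS-REP grows with the PAC; UDP replies are capped."""

    def __init__(self, udp_limit=UDP_REPLY_LIMIT):
        self.udp_limit = udp_limit

    def build_as_rep(self, pac_size, address_bytes):
        payload = b"\x00" * (AS_REP_BASE_LEN + pac_size + address_bytes)
        return der(TAG_AS_REP, der(0x30, payload))

    def reply_udp(self, pac_size, address_bytes):
        rep = self.build_as_rep(pac_size, address_bytes)
        if len(rep) > self.udp_limit:                # too big for a datagram
            return build_krb_error(KRB_ERR_RESPONSE_TOO_BIG)
        return rep

    def reply_tcp(self, pac_size, address_bytes):
        rep = self.build_as_rep(pac_size, address_bytes)
        return len(rep).to_bytes(4, "big") + rep     # RFC 4120 7.2.2 length prefix


def kinit_like(kdc, pac_size, supports_tcp, address_bytes=0):
    """Client: try UDP; on error 52 retry over TCP only if the library can."""
    reply = kdc.reply_udp(pac_size, address_bytes)
    if reply[0] != TAG_KRB_ERROR:
        return "ok via UDP"
    code = parse_krb_error_code(reply)
    if code != KRB_ERR_RESPONSE_TOO_BIG:
        return "failed: KRB-ERROR %d" % code
    if not supports_tcp:                             # e.g. MIT krb5 before 1.3.1
        return "failed: error 52 and no TCP support"
    framed = kdc.reply_tcp(pac_size, address_bytes)
    length = int.from_bytes(framed[:4], "big")
    body = framed[4:4 + length]
    if len(body) != length or body[0] != TAG_AS_REP:
        return "failed: malformed TCP reply"
    return "ok via TCP"


if __name__ == "__main__":
    kdc = SimKdc()
    print(kinit_like(kdc, 200, supports_tcp=False))    # small PAC: ok via UDP
    print(kinit_like(kdc, 3000, supports_tcp=False))   # error 52, no fallback
    print(kinit_like(kdc, 3000, supports_tcp=True))    # ok via TCP
    # Near the limit, a few dozen bytes of addresses can tip the reply over.
    print(kinit_like(kdc, 1140, supports_tcp=False, address_bytes=0))
    print(kinit_like(kdc, 1140, supports_tcp=False, address_bytes=50))
```

The last two calls illustrate the "just small enough" hypothesis from the reply above: the same PAC fits in a datagram for an addressless ticket but not once the address fields are added, so the ticket requested by one path can succeed while another fails. In a packet trace, a KRB-ERROR whose error-code field decodes to 52 immediately after a UDP AS-REQ is the thing to look for; in MIT krb5 1.3.1 and later the TCP retry is automatic, and the `udp_preference_limit` setting in `[libdefaults]` of krb5.conf controls the size above which TCP is tried first.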