Pam kerberos vs. Kinit

Ethan Bearman ebearman at usc.edu
Fri Mar 18 14:49:12 EST 2005


You're right - it was right on the cutover - if I add enough groups to the 
account, I cannot log in via ssh with it, nor can I use kinit.

I have had success - finally - getting krb5-1.4 to compile.  How do I get 
source code to compile a pam kerberos library based on kerberos 1.3.5 or later?

Thanks.

At 12:51 PM 3/17/2005, you wrote:


>Ethan Bearman wrote:
>
>>At 07:14 AM 3/17/2005, you wrote:
>>
>>>Ethan Bearman wrote:
>>>
>>>>I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0 
>>>>running on 9000 series system) to our Windows 2003 AD domain.  It works 
>>>>for certain admin accounts that have few group memberships, but not for 
>>>>regular users.
>>>>I understand this to be due to the large PAC headers Windows is using 
>>>>for authorization data, which causes Windows to use TCP rather than 
>>>>UDP.  Apparently versions of MIT kerberos earlier than 1.3.1 do not 
>>>>support TCP.
>>
>>I've just run another test and discovered that I can successfully log 
>>into the host initially (via PAM kerberos library and SSH), and I don't 
>>get error 52.  I've got a ticket in my cache and everything.  Kerb error 
>>52 only occurs if I'm using kinit from the shell.
>
>You could be right on the cut-over point, and maybe addressless vs. with-address
>tickets keep the ticket just small enough.
>
>A way to see what is going on would be to do a network trace of the traffic
>to the host. Ethereal works well with Kerberos, and is claimed
>to be available for HP, but I have not tried it on HP.
>http://www.ethereal.com/download.html
>
>>How could this be?  I believe the PAM kerberos library that HP supplies 
>>is based on Krb1.1, which I thought would not be able to communicate via 
>>TCP to our W2k3 KDC's.  Does anyone know why this is working through PAM, 
>>and not at the shell?
>>Our users are not going to need to do kinit at the shell, but I just 
>>wonder if ignorance is bliss, or if I'm going to encounter problems 
>>anyway with this configuration.
>>Thanks.
>>Ethan Bearman
>>Systems Analyst
>>USCard Operations
>>University of Southern California
>>213.821.2287
>>213.740.7253 Fax
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>
>--
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444

Ethan Bearman
Systems Analyst
USCard Operations
University of Southern California
213.821.2287
213.740.7253 Fax  
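The mechanism the thread is circling around (a PAC that grows with group membership, a KDC that refuses to send an oversized reply over UDP and returns KRB-ERROR 52 instead, and a client library that can only recover if it knows how to retry over TCP) is modelled below as an added example. It is not code from the thread or from MIT krb5; the UDP reply limit, base reply size and bytes-per-group figures are assumptions chosen to make the cutover visible, not measured values.

```python
"""Toy model of the AS exchange transport behaviour behind Kerberos error 52."""
from dataclasses import dataclass

KRB5KRB_ERR_RESPONSE_TOO_BIG = 52   # the "error 52" seen by kinit in the thread

# Assumed sizes (bytes); constructed for this example, not measured on a real KDC.
UDP_REPLY_LIMIT = 1465   # assumed largest AS-REP the KDC will send over UDP
BASE_REPLY_SIZE = 900    # assumed AS-REP size with an empty PAC
BYTES_PER_GROUP = 28     # assumed PAC growth for each additional group SID


@dataclass
class AsRep:
    size: int        # total reply size in bytes
    transport: str   # "udp" or "tcp"


def pac_size(group_count: int) -> int:
    """Authorization data grows linearly with the number of groups."""
    return group_count * BYTES_PER_GROUP


def kdc_as_exchange(group_count: int, transport: str):
    """KDC side: over UDP an oversized reply is replaced by KRB-ERROR 52."""
    size = BASE_REPLY_SIZE + pac_size(group_count)
    if transport == "udp" and size > UDP_REPLY_LIMIT:
        return KRB5KRB_ERR_RESPONSE_TOO_BIG
    return AsRep(size, transport)


def client_kinit(group_count: int, supports_tcp: bool):
    """Client side: try UDP first; only a TCP-capable library can retry."""
    reply = kdc_as_exchange(group_count, "udp")
    if reply == KRB5KRB_ERR_RESPONSE_TOO_BIG:
        if not supports_tcp:            # pre-1.3.1 style library: surfaces error 52
            return ("error", KRB5KRB_ERR_RESPONSE_TOO_BIG)
        reply = kdc_as_exchange(group_count, "tcp")
    return ("ok", reply.transport)


def cutover_group_count() -> int:
    """Smallest group count at which a UDP-only client starts failing."""
    n = 0
    while client_kinit(n, supports_tcp=False)[0] == "ok":
        n += 1
    return n
```

Under these assumed sizes a UDP-only client works up to 20 groups and fails with error 52 from the 21st, while a TCP-capable client keeps working by retrying over TCP.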
