kerberos and LDAP on Solaris9

Will Fiveash William.Fiveash at sun.com
Tue Dec 4 15:00:52 EST 2007


On Sat, Dec 01, 2007 at 05:12:59AM -0800, Devendra Gogate wrote:
> Hi all,
> 
> I have configured kerberos and LDAP client on a solaris 9 machine to authenticate my Active Directory users, now the problem is that if the AD user is a member of multiple groups, the solaris machine does not allow the user to logon.
> 
> Does anyone face this issue? Does anyone have any idea?

I believe the problem is that the AD is using TCP for the transport of
Kerberos messages.  Solaris Kerberos prior to Solaris 10 does not
support TCP (only UDP).

Two options to deal with this are:

1. Upgrade to Solaris 10 which has a version of Kerberos that supports
   TCP.  

2. Disable pre-authentication in order to prevent the AD from sending the
   large PAC segment which is causing the AD to use TCP.  This can be
   accomplished with the following:

    Configuring Active Directory (AD) to Exclude PAC Segments

    Versions of Solaris before Solaris 10 sometimes will not be able to read
    TGTs sent by the AD server.  This is because the default limit of a UDP
    packet (57k for Solaris >= 10 and 8k for Solaris <= 9) is too small to
    contain the PAC segment.  This is prevalent in domains that have a large
    number of groups.  The issue is that versions of Kerberos before Solaris
    10 do not support TCP, which is what the AD server would use to send the
    response back to the client.

    Typically the Solaris client would see the following error message when
    the packet is too large (in this example, kinit):

       % kinit
       Password for username at EXAMPLE.COM:
       kinit: KRB5 error code 52 while getting initial credentials

    or when logging into the Solaris client machine, pam_krb5(5) may report
    the following error message via syslog, for example:

       solarisclient login: [ID 537602 auth.error] PAM-KRB5 (auth):
           krb5_verify_init_creds failed: KRB5 error code 52

    The PAC segment can be excluded on the AD side by disabling pre-authentication.
    This can be accomplished with the following steps:

        Right click over the intended user
        Select "Properties"
        Select the "Account" tab
        Scroll down the "Account options" list
        Then select the "Do not require Kerberos preauthentication" checkbox.

    The disadvantage of turning preauthentication off is that the client's key is
    more susceptible to off-line dictionary attacks.

-- 
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
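As an added example (not part of Will's reply or of Sun's Kerberos code), a small Python helper that spots the "KRB5 error code 52" symptom in log lines like the ones quoted above, and lists which AD accounts carry the "Do not require Kerberos preauthentication" setting (userAccountControl bit 0x400000, DONT_REQ_PREAUTH) so the trade-off mentioned at the end of the reply can be audited. The log lines and account entries are constructed sample data.

```python
"""Triage helpers for the UDP/TCP Kerberos problem discussed in this thread:
1. find the KRB5 error code 52 symptom in kinit / pam_krb5 output
2. list AD accounts whose userAccountControl has DONT_REQ_PREAUTH set
"""
import re

# KRB5 error code 52 is KRB_ERR_RESPONSE_TOO_BIG (RFC 4120): the KDC reply did
# not fit in a UDP datagram and a client without TCP support cannot retry.
KRB_ERR_RESPONSE_TOO_BIG = 52
# userAccountControl bit set by "Do not require Kerberos preauthentication".
DONT_REQ_PREAUTH = 0x400000

ERR_RE = re.compile(r"KRB5 error code (\d+)")


def response_too_big_events(log_lines):
    """Return the log lines whose Kerberos error is code 52 (response too big)."""
    hits = []
    for line in log_lines:
        m = ERR_RE.search(line)
        if m and int(m.group(1)) == KRB_ERR_RESPONSE_TOO_BIG:
            hits.append(line.strip())
    return hits


def accounts_without_preauth(entries):
    """entries: iterable of (sAMAccountName, userAccountControl) pairs.
    Returns the sorted names that have preauthentication disabled."""
    return sorted(name for name, uac in entries if uac & DONT_REQ_PREAUTH)


# Constructed sample input (no real hosts or users).
SAMPLE_LOG = [
    "solarisclient login: [ID 537602 auth.error] PAM-KRB5 (auth): "
    "krb5_verify_init_creds failed: KRB5 error code 52",
    "solarisclient login: [ID 537602 auth.error] PAM-KRB5 (auth): "
    "krb5_verify_init_creds failed: KRB5 error code 31",
    "kinit: KRB5 error code 52 while getting initial credentials",
]
SAMPLE_ENTRIES = [
    ("alice", 0x200),                    # NORMAL_ACCOUNT only
    ("bob", 0x200 | 0x400000),           # NORMAL_ACCOUNT + DONT_REQ_PREAUTH
    ("svc-legacy", 0x10200 | 0x400000),  # also DONT_EXPIRE_PASSWORD
]

if __name__ == "__main__":
    for hit in response_too_big_events(SAMPLE_LOG):
        print("response too big:", hit)
    print("preauth disabled:", accounts_without_preauth(SAMPLE_ENTRIES))
```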