kinit fails against active directory 2003-sp2 when user has > ~35 groups

Todd Stecher tstecher at qwest.net
Mon Feb 5 14:06:18 EST 2007


On Feb 5, 2007, at 10:54 AM, Jeff Saxton wrote:

> I am seeing kinit fail against M$ Active Directory when the
> user has > ~35 group memberships. Anyone else seen this?
>
> kinit(v5): ASN.1 encoding ended unexpectedly while getting initial  
> credentials
>
> When the number of group memberships is reduced to < 20 it works!

Sounds like a TCP / UDP AS_REQ issue.  Are you running an old
version of MIT Kerberos?  This shouldn't be a problem in "new"
versions (> 1.4.1, I believe).

You should also consider sharing out a tcpdump of the failure, if  
updating to a newer version doesn't fix things.


> --
> Jeffrey Mark Saxton