kinit fails against active directory 2003-sp2 when user has > ~35 groups

Douglas E. Engert deengert at anl.gov
Mon Feb 5 14:19:45 EST 2007



Jeff Saxton wrote:
> I am seeing kinit fail 

Which kinit? MIT? Heimdal? What version?

> against M$ Active directory when the
> user has > ~35 group memberships. anyone else seen this?

The ticket contains the Microsoft PAC, i.e. user and group authz information.
The ticket can get quite large. Even Microsoft has set a limit
that gets bigger with each release.

Google for this: site:microsoft.com PAC size

Which will lead to among other things:

http://support.microsoft.com/kb/327825
http://support.microsoft.com/kb/832572

> 
> kinit(v5): ASN.1 encoding ended unexpectedly while getting initial credentials

This sounds like an ASN.1 parser problem with a large PAC.

> 
> when the number of group memberships is reduced to < 20 it works!

> 
> --
> Jeffrey Mark Saxton
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
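
Added example, not part of the original message and not MIT or Heimdal code: the kinit error quoted above is the kind of message a DER decoder gives when the buffer ends before the length declared in an element's header is satisfied. The sketch below checks a captured KDC reply for that condition; the function names and the sample bytes (a 2000-byte placeholder body under an AS-REP tag, cut to 1400 bytes) are constructed for illustration and do not come from the thread.

```python
# Added example: function names and sample bytes are constructed.
AS_REP_TAG = 0x6B   # [APPLICATION 11], constructed: outer tag of an AS-REP


def read_tlv_header(buf, off=0):
    """Return (tag, header_len, content_len) for the DER element at off."""
    if len(buf) - off < 2:
        raise ValueError("buffer too short for a tag and a length octet")
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-octet tags are not handled in this example")
    if first < 0x80:                 # short form: the octet is the length
        return tag, 2, first
    n = first & 0x7F                 # long form: next n octets hold the length
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    if len(buf) - off < 2 + n:
        raise ValueError("buffer ends inside the length octets")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")


def check_complete(buf):
    """Return (tag, declared_total, missing) for the outermost element.

    missing > 0 means the buffer is shorter than the encoding claims, so a
    decoder walking it would run out of input before the element ends.
    """
    tag, hlen, clen = read_tlv_header(buf)
    declared = hlen + clen
    return tag, declared, max(0, declared - len(buf))


def der_element(tag, content):
    """Build a single-tag DER element (used only to make the sample input)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


if __name__ == "__main__":
    # Constructed sample: placeholder body standing in for a large ticket.
    full = der_element(AS_REP_TAG, b"\x00" * 2000)
    for label, data in (("complete", full), ("cut at 1400", full[:1400])):
        tag, declared, missing = check_complete(data)
        print(f"{label}: tag=0x{tag:02X} declared={declared} "
              f"have={len(data)} missing={missing}")
```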


