kinit fails against active directory 2003-sp2 when user has > ~35 groups
Jeff Saxton
jeff.saxton at sensage.com
Mon Feb 5 17:27:51 EST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thanks everyone :)upgrading to a less ancient version of MIT K5 fixed it.
Apparently RedHat ships 1.2 :-O
Douglas E. Engert wrote:
>
>
> Jeff Saxton wrote:
> I am seeing kinit fail
>
>> Which kinit? MIT? Heimdal? What version?
>
> against M$ Active directory when the
> user has > ~35 group memberships. anyone else seen this?
>
>> The ticket contains the Microsoft PAC, i.e. user and group authz
>> information.
>> The ticket can get quite large. Even Microsoft has set a limit
>> that gets bigger with each release.
>
>> Google for this: site:microsoft.com PAC size
>
>> Which will lead to among other things:
>
>> http://support.microsoft.com/kb/327825
>> http://support.microsoft.com/kb/832572
>
>
> kinit(v5): ASN.1 encoding ended unexpectedly while getting initial
> credentials
>
>> This sounds like an ASN.1 parser problem with a large PAC.
>
>
> when the number of group memberships are reduced to < 20 it works!
>
>
________________________________________________
Kerberos mailing list Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
- --
Lord Jeffrey Mark Saxton
Sr. Technical Support Engineer
SenSage, Inc.
55 Hawthorne Street Suite 700
San Francisco, CA 94105
Phone: 415.808.5900
Fax: 415.371.1385
Direct: 415-808-5921
Cell: 650-235-0776
mailto:support at sensage.com
mailto:jeff.saxton at sensage.com
Enterprise Security Analytics
SenSage, the leading provider of enterprise security analytics, offers
unparalleled performance and a scalable means for organizations to centrally
aggregate, efficiently analyze, dynamically monitor and cost-effectively
store massive volumes of event log data.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFx69mDyIrHU4I55kRAreUAKCZaqGT7MjlalT90c17pfTWLLnMowCeMHIT
962rdJ6Ye0n2yuMOwz7twTo=
=F9MP
-----END PGP SIGNATURE-----
More information about the Kerberos
mailing list