kinit fails against active directory 2003-sp2 when user has > ~35 groups

Jeff Saxton jeff.saxton at sensage.com
Mon Feb 5 17:27:51 EST 2007



Thanks everyone :) Upgrading to a less ancient version of MIT K5 fixed it.
Apparently RedHat ships 1.2 :-O



Douglas E. Engert wrote:
> 
> 
> Jeff Saxton wrote:
> I am seeing kinit fail 
> 
>> Which kinit? MIT? Heimdal? What version?
> 
> against M$ Active directory when the
> user has > ~35 group memberships. anyone else seen this?
> 
>> The ticket contains the Microsoft PAC, i.e. user and group authz
>> information.
>> The ticket can get quite large. Even Microsoft has set a limit
>> that gets bigger with each release.
> 
>> Google for this: site:microsoft.com PAC size
> 
>> Which will lead to among other things:
> 
>> http://support.microsoft.com/kb/327825
>> http://support.microsoft.com/kb/832572
> 
> 
> kinit(v5): ASN.1 encoding ended unexpectedly while getting initial
> credentials
> 
>> This sounds like an ASN.1 parser problem with a large PAC.
> 
> 
> when the number of group memberships are reduced to < 20 it works!
> 
> 
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

--
Lord Jeffrey Mark Saxton
Sr. Technical Support Engineer
SenSage, Inc.
55 Hawthorne Street Suite 700
San Francisco, CA 94105
Phone:  415.808.5900
Fax:    415.371.1385
Direct: 415-808-5921
Cell:   650-235-0776
mailto:support at sensage.com
mailto:jeff.saxton at sensage.com
Enterprise Security Analytics

SenSage, the leading provider of enterprise security analytics, offers
unparalleled performance and a scalable means for organizations to centrally
aggregate, efficiently analyze, dynamically monitor and cost-effectively
store massive volumes of event log data.
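
The error quoted in the thread is the kind a DER decoder raises when an element's declared length runs past the bytes it was handed. The following is an added example, not part of the original message and not MIT krb5 code: a small Python DER walker run on constructed bytes, where `sample_reply`, its tags and the 300-byte blob are assumptions standing in for a reply that grows with the authorization data it carries.

```python
# Added illustration, not MIT krb5 code. All bytes below are constructed.
class Overrun(Exception): pass  # declared length runs past the bytes available

def read_header(buf, pos, end):
    """Parse a DER identifier and length at pos; return (tag, start, length)."""
    if pos + 2 > end:
        raise Overrun(f"header cut off at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F or first == 0x80:
        raise ValueError("multi-byte tag or indefinite length: not handled here")
    pos += 2
    if first < 0x80:                     # short form: one length byte
        return tag, pos, first
    n = first & 0x7F                     # long form: n bytes of length follow
    if pos + n > end:
        raise Overrun(f"length field cut off at offset {pos}")
    return tag, pos + n, int.from_bytes(buf[pos:pos + n], "big")

def check(buf, pos=0, end=None, depth=0):
    """Walk every TLV in buf[pos:end]; return the element count or raise Overrun."""
    end = len(buf) if end is None else end
    count = 0
    while pos < end:
        tag, start, length = read_header(buf, pos, end)
        if start + length > end:
            raise Overrun(f"tag 0x{tag:02x} at offset {pos} declares {length} "
                          f"bytes, {end - start} available")
        if tag & 0x20 and depth < 16:    # constructed type: descend into it
            count += check(buf, start, start + length, depth + 1)
        pos, count = start + length, count + 1
    return count

def tlv(tag, content):                   # encode one DER element for the sample
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_reply(blob_size):
    """Constructed stand-in for a reply whose size grows with authz data."""
    body = tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x04, bytes(blob_size)))
    return tlv(0x6B, tlv(0x30, body))

if __name__ == "__main__":
    full = sample_reply(300)
    print(len(full), "bytes,", check(full), "elements")
    try:
        check(full[:200])                # same message with its tail missing
    except Overrun as exc:
        print("overrun:", exc)
```

Run against a captured reply, the offset in the overrun message shows which element's declared length no longer fits in the bytes received.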




