AD integration (ticket size) question

Robbie Harwood rharwood at redhat.com
Tue Nov 15 20:26:34 EST 2016


Jerry Shipman <jes59 at cornell.edu> writes:

> We have cross-realm authentication with an Active Directory
> installation. We run into occasional issues with the AD kerberos
> tickets being too large to fit into applications buffers, etc -- I
> guess because of all the group information in the PAC (i.e. users who
> are in a lot of AD groups have larger tickets).
>
> On my side of the integration, we're never using that PAC information
> anyway. Is there a way that I can get rid of that information, either
> on the KDC side or on the client side?  I am thinking things like:

My understanding is very limited, but I know you can turn this off on
the AD-side using something like [1] on at least a per-server basis.  I
don't have a machine to test with, unfortunately.

What applications are you seeing breakage with, NFS itself?  I would've
expected most programs to not care about sizes (unless they become truly
excessive).  If it's NFS itself, the article suggests that GSS-Proxy [2]
may alleviate some issues as well, though I haven't personally used it
with AD.

Thanks,
--Robbie

1: http://blog.evad.io/2014/11/04/kerberos-protected-nfs-with-active-directory-and-the-pac/
2: https://fedorahosted.org/gss-proxy/
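As an added illustration of the per-service AD-side approach mentioned above (this is not code from the thread or from the linked article), the snippet below reads and sets the `userAccountControl` bit that Microsoft documents as NO_AUTH_DATA_REQUIRED (0x2000000), which tells the KDC not to include a PAC in service tickets issued for that account. It assumes the RSAT ActiveDirectory module and uses a placeholder account name; that this bit is the mechanism the linked article relies on is an assumption.

```powershell
# Added example; not from the mailing-list post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Documented userAccountControl flag: NO_AUTH_DATA_REQUIRED. When set on a service
# (or computer) account, the KDC omits the PAC from tickets for that principal.
$NoAuthDataRequired = 0x2000000

function Get-ServiceAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Works for both user and computer objects (computer sAMAccountNames end in '$').
    $acct = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" -Properties userAccountControl
    if (-not $acct) { throw "Account not found: $SamAccountName" }
    return $acct
}

function Test-PacSuppressed {
    # Returns $true if the KDC is already configured to omit the PAC for this account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $acct = Get-ServiceAccount -SamAccountName $SamAccountName
    return [bool]([int]$acct.userAccountControl -band $NoAuthDataRequired)
}

function Set-PacSuppressed {
    # Sets or clears the flag without disturbing the other userAccountControl bits.
    param([Parameter(Mandatory)][string]$SamAccountName, [bool]$Enabled = $true)
    $acct = Get-ServiceAccount -SamAccountName $SamAccountName
    $uac  = [int]$acct.userAccountControl
    $new  = if ($Enabled) { $uac -bor $NoAuthDataRequired } else { $uac -band (-bnot $NoAuthDataRequired) }
    if ($new -ne $uac) {
        Set-ADObject -Identity $acct.DistinguishedName -Replace @{ userAccountControl = $new }
    }
    return (Test-PacSuppressed -SamAccountName $SamAccountName)
}

# Usage with a placeholder: the NFS server's computer account.
# Set-PacSuppressed -SamAccountName 'NFSSERVER$'   # placeholder name
# Test-PacSuppressed -SamAccountName 'NFSSERVER$'  # expected: True
```

This only affects tickets for the service whose account carries the flag; the user's TGT still contains the full PAC, so it is a per-server mitigation for the application-buffer problem rather than a global one. Any service on that host that does rely on PAC group data will stop receiving it.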