[krbdev.mit.edu #5559] Problem obtains Kerberos credentials from keytab using Microsoft AD as KDC

Paul.Gjefle@pnl.gov via RT rt-comment at krbdev.mit.edu
Mon May 14 20:30:05 EDT 2007


Submitter-Id:	net
Originator:	Paul D Gjefle
Confidential:	no
Synopsis:	kinit using keytab fails when account belongs to large number of Microsoft AD groups
Severity:	non-critical
Priority:	medium
Category:	krb5-clients
Class:		sw-bug
Release:	1.6.1
Environment:
System: Linux xxx 2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686 i686 i386 GNU/Linux
Architecture: i686

Description:
Our Linux/UNIX clients authenticate using Microsoft's AD (2003) as the Kerberos KDC. For the most
part this has been working great. We have run into a problem obtaining Kerberos credentials from
keytabs. If a Microsoft AD account belongs to a large number of AD groups, then obtaining
Kerberos credentials via a password stored in a keytab file fails. If that same user types in the 
password interactively they are able to obtain their Kerberos credentials.

This works:
%kinit account
Password for account at OUR.REALM

This doesn't work:
1% ktutil
ktutil:  addent -password -p account -k 1 -e des
Password for account at OUR.REALM:
ktutil:  write_kt ./account.keytab
ktutil:  quit

kinit -k -t ./account.keytab account
kinit(v5): Preauthentication failed while getting initial credentials

Our Microsoft AD accounts do not have preauthentication set. If we remove enough groups from the account,
the user will eventually be able to authenticate using the keytab file. I am not sure what this limit is.
