Date: Mon, 14 May 2007 16:38:17 -0700
Message-ID: <200705142338.l4ENcHAq013424@dew.pnl.gov>
From: Paul.Gjefle@pnl.gov
To: krb5-bugs@mit.edu
Subject: Problem obtaining Kerberos credentials from keytab using Microsoft AD as KDC
Reply-To: Paul.Gjefle@pnl.gov
X-Send-PR-Version: 3.99

Submitter-Id: net
Originator: Paul D Gjefle
Confidential: no
Synopsis: kinit using keytab fails when account belongs to large number of Microsoft AD groups
Severity: non-critical
Priority: medium
Category: krb5-clients
Class: sw-bug
Release: 1.6.1
Environment:
System: Linux xxx 2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686 i686 i386 GNU/Linux
Architecture: i686
Description:
Our Linux/UNIX clients authenticate using Microsoft's AD (2003) as the Kerberos KDC. For the most part this has been working great.

We have run into a problem obtaining Kerberos credentials from keytabs. If a Microsoft AD account belongs to a large number of AD groups, then obtaining Kerberos credentials via a password stored in a keytab file fails. If that same user types in the password interactively they are able to obtain their Kerberos credentials.

This works:

    % kinit account
    Password for account@OUR.REALM:

This doesn't work:

    1% ktutil
    ktutil: addent -password -p account -k 1 -e des
    Password for account@OUR.REALM:
    ktutil: write_kt ./account.keytab
    ktutil: quit
    kinit -k -t ./account.keytab account
    kinit(v5): Preauthentication failed while getting initial credentials

Our Microsoft AD accounts do not have preauthentication set. If we remove enough groups from the account the user will eventually be able to authenticate using the keytab file. I am not sure what this limit is.
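A scripted version of the keytab check in the report, added here as an example and not part of the original message: it lists the keytab entry with klist -k -e first, runs the same kinit -k -t step into a throwaway cache, and classifies kinit's output so a provisioning or monitoring job can tell the "Preauthentication failed" case apart from other errors. The principal name, keytab path, script file name and the presence of MIT kinit/klist on PATH are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): script the keytab-based kinit
# attempt described above and classify its outcome. Assumes MIT kinit and
# klist on PATH; "account" and "./account.keytab" are placeholder values.

# Classify kinit's exit status and combined stdout/stderr.
# Prints one word and returns 0 (ok), 1 (preauth-failed) or 2 (other-failure).
classify_kinit_output() {
  rc=$1
  out=$2
  if [ "$rc" -eq 0 ]; then
    echo ok
    return 0
  fi
  case "$out" in
    *"Preauthentication failed"*)
      echo preauth-failed
      return 1 ;;
    *)
      echo other-failure
      return 2 ;;
  esac
}

# Show the keytab entries for one principal (kvno, enctype, timestamp) so the
# entry ktutil wrote (kvno 1, des above) can be confirmed before the kinit try.
keytab_entries_for() {
  klist -k -e -t "$2" 2>/dev/null | grep -- "$1@"
}

# Run kinit with the keytab into a throwaway credential cache, classify the
# result, then remove the cache so a success leaves no ticket behind.
keytab_kinit() {
  cc=$(mktemp) || return 2
  rc=0
  out=$(KRB5CCNAME="FILE:$cc" kinit -k -t "$2" "$1" 2>&1) || rc=$?
  rm -f "$cc"
  classify_kinit_output "$rc" "$out"
}

# Usage, guarded so that sourcing this file does not run anything
# (keytab-check.sh is a hypothetical file name):
#   sh keytab-check.sh run account ./account.keytab
if [ "${1:-}" = run ]; then
  keytab_entries_for "${2:-account}" "${3:-./account.keytab}"
  keytab_kinit "${2:-account}" "${3:-./account.keytab}"
fi
```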