Skip Menu |
 

Date: Mon, 14 May 2007 16:38:17 -0700
To: krb5-bugs@mit.edu
Subject: Problem obtains Kerberos credentials from keytab using Microsoft AD as KDC
From: Paul.Gjefle@pnl.gov
Download (untitled) / with headers
text/plain 1.3KiB

Submitter-Id: net
Originator: Paul D Gjefle
Confidential: no
Synopsis: kinit using keytab fails when account belongs to large number of Microsoft AD groups
Severity: non-critical
Priority: medium
Category: krb5-clients
Class: sw-bug
Release: 1.6.1
Environment:
System: Linux xxx 2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686 i686 i386 GNU/Linux
Architecture: i686

Description:
Our Linux/UNIX clients authenticate using Microsoft's AD (2003) as the Kerberos KDC. For the most
part this has been working great. We have run into a problem obtaining Kerberos credentials from
keytabs. If a Microsoft AD account belongs to a large number of AD groups, then obtaining
Kerberos credentials via a password stored in a keytab file fails. If that same user types in the
password interactively they are able to obtain their Kerberos credentials.

This works
%kinit account
Passsord for account@OUR.REALM

This doesn't work
1% ktutil
ktutil: addent -password -p account -k 1 -e des
Password for account@OUR.REALM:
ktutil: write_kt ./account.keytab
ktutil: quit

kinit -k -t ./account.keytab account
kinit(v5): Preauthentication failed while getting initial credentials

Our Microsoft AD accounts do not have preauthentication set. If we remove enough groups from the account
the user will eventually be able to authenticate using the keytab file. I am not sure what this limit is?