Date: | Mon, 14 May 2007 16:38:17 -0700 |
To: | krb5-bugs@mit.edu |
Subject: | Problem obtains Kerberos credentials from keytab using Microsoft AD as KDC |
From: | Paul.Gjefle@pnl.gov |
Submitter-Id: net
Originator: Paul D Gjefle
Confidential: no
Synopsis: kinit using keytab fails when account belongs to large number of Microsoft AD groups
Severity: non-critical
Priority: medium
Category: krb5-clients
Class: sw-bug
Release: 1.6.1
Environment:
System: Linux xxx 2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686 i686 i386 GNU/Linux
Architecture: i686
Description:
Our Linux/UNIX clients authenticate using Microsoft's AD (2003) as the Kerberos KDC. For the most
part this has been working great. We have run into a problem obtaining Kerberos credentials from
keytabs. If a Microsoft AD account belongs to a large number of AD groups, then obtaining
Kerberos credentials via a password stored in a keytab file fails. If that same user types in the
password interactively they are able to obtain their Kerberos credentials.
This works
%kinit account
Passsord for account@OUR.REALM
This doesn't work
1% ktutil
ktutil: addent -password -p account -k 1 -e des
Password for account@OUR.REALM:
ktutil: write_kt ./account.keytab
ktutil: quit
kinit -k -t ./account.keytab account
kinit(v5): Preauthentication failed while getting initial credentials
Our Microsoft AD accounts do not have preauthentication set. If we remove enough groups from the account
the user will eventually be able to authenticate using the keytab file. I am not sure what this limit is?