Problems trying to authenticate Unix users via Active Directory

Problems trying to authenticate Unix users via Active Directory

Smith, William E. (Bill), Jr.
We have a Solaris 9 box configured to authenticate users via AD.  Everything
used to work fine but recently, AD authentication has failed for some users
but still works for others.  As part of the troubleshooting process, I tried
running the kinit command for a user having problems and got the following
error:

kinit: KRB5 error code 52 while getting initial credentials

From what I've found, it seems to be an issue with the user being in too
many AD groups, the Windows KDC wanting to use TCP rather than UDP, and the
MIT version not supporting it.  What I'm not certain on is whether the
version shipped with Solaris 9 is MIT-based or something proprietary to
Solaris.  I've found some mention of setting a registry key on the Windows
Domain controllers but have not been able to find anything specific.  I also
believe this issue cropped up after we began upgrading some of the domain
controllers to Windows 2003.

At this point, we're still having the problem with no resolution.  Has
anyone else encountered this issue?  If so, is there a patch from SUN to
address it or did you have to do something else?  Would appreciate any
insight into this problem.

Thanks,

Bill


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

RE: Problems trying to authenticate Unix users via Active Directory

Wachdorf, Daniel R
See

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/3872f0d7-e4b3-49ed-9a4b-1fefbf0d4547.mspx

http://support.microsoft.com/?kbid=832572


RE: Problems trying to authenticate Unix users via Active Directory

Jonathan Stephens
In reply to this post by Smith, William E. (Bill), Jr.
The registry key you mention is likely MaxPacketSize:

244474 How to force Kerberos to use TCP instead of UDP in Windows Server 2003, http://support.microsoft.com/?id=244474

The default MaxPacketSize for Windows did change from Windows 2000 (2000
bytes) to Windows Server 2003 (1465 bytes). If you encountered problems
immediately after upgrading, then you can set the MaxPacketSize in the
registry of your DCs to 2000 and reboot them. This could be considered a
workaround, as it becomes unnecessary if kinit behaves correctly in
response to error 0x34.

Here is some general information you may find useful for your
environment:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/a0bd7520-ef2d-4de4-b487-e105a9de9e4f.mspx

Jonathan Stephens [MS]
--
This posting is provided "AS IS" with no warranties, and confers no
rights.

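As an added illustration (not code from the thread, from MIT or from Sun), the following Python reads the error-code field of a DER-encoded KRB-ERROR and applies the RFC 4120 rule that a client which receives KRB_ERR_RESPONSE_TOO_BIG (code 52, the 0x34 mentioned above) over UDP retries the request over TCP, which is exactly the step a UDP-only client cannot take. The sample message, realm EXAMPLE.COM and principal are constructed, not captured traffic.

```python
# Added example: read the error-code of a DER KRB-ERROR (RFC 4120 5.9.1) and apply
# the client rule for KRB_ERR_RESPONSE_TOO_BIG (code 52 = 0x34): retry over TCP.
KRB_ERR_RESPONSE_TOO_BIG = 52  # the "KRB5 error code 52" kinit reported above

def tlv(tag: int, body: bytes) -> bytes:
    """One DER element; length in long form once the body reaches 128 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_children(buf: bytes):
    """Yield (tag, body) for each element in buf; rejects truncated input."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n

def krb_error_code(msg: bytes) -> int:
    """Return the [6] error-code Int32 of a KRB-ERROR message."""
    (tag, body), = der_children(msg)
    (stag, seq), = der_children(body)
    if (tag, stag) != (0x7E, 0x30):  # [APPLICATION 30] wrapping a SEQUENCE
        raise ValueError("not a KRB-ERROR")
    for ctag, field in der_children(seq):
        if ctag == 0xA6:  # context tag [6] error-code
            (itag, ival), = der_children(field)
            if itag != 0x02:
                raise ValueError("error-code is not an INTEGER")
            return int.from_bytes(ival, "big", signed=True)
    raise ValueError("error-code field missing")

def next_transport(error_code: int, transport: str):
    """RFC 4120 7.2.1: code 52 received over UDP means retry over TCP; else no retry."""
    if error_code == KRB_ERR_RESPONSE_TOO_BIG and transport == "udp":
        return "tcp"
    return None

def sample_krb_error(code: int = KRB_ERR_RESPONSE_TOO_BIG) -> bytes:
    """Constructed KRB-ERROR for a made-up realm EXAMPLE.COM (not a captured packet)."""
    gs = lambda s: tlv(0x1B, s.encode())  # KerberosString = GeneralString
    integer = lambda v: tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
    sname = tlv(0x30, tlv(0xA0, integer(2)) +  # name-type 2 = NT-SRV-INST
                tlv(0xA1, tlv(0x30, gs("krbtgt") + gs("EXAMPLE.COM"))))
    fields = (tlv(0xA0, integer(5)) + tlv(0xA1, integer(30))  # pvno, msg-type
              + tlv(0xA4, tlv(0x18, b"20050825123500Z")) + tlv(0xA5, integer(0))  # stime, susec
              + tlv(0xA6, integer(code)) + tlv(0xA9, gs("EXAMPLE.COM")) + tlv(0xAA, sname))
    return tlv(0x7E, tlv(0x30, fields))
```

A client that stops at `krb_error_code(...) == 52` without acting on `next_transport` reproduces the failure described in this thread, while a client that retries over TCP gets the oversized reply.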

Re: Problems trying to authenticate Unix users via Active Directory

Kevin Reardon
In reply to this post by Smith, William E. (Bill), Jr.
You must have migrated from AD 2000 to AD 2003.  AD had to adjust with
migration from many NT domains to one so it kept the legacy group IDs
in the credentials even though there is now a concatenated group, just
in case there was a server out there that has yet to migrate
(SIDHistory).  I've seen the problem where the key was too large several
times and it was always due to the migration not being completed.  Check
out this MS article; it may apply to you.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;322970

---K



Re: Problems trying to authenticate Unix users via Active Directory

Wyllys Ingersoll
In reply to this post by Smith, William E. (Bill), Jr.
Bill Smith wrote:

>From what I've found, it seems to be an issue with the user being in too
>many AD groups, the Windows KDC wanting to use TCP rather than UDP, and the
>MIT version not supporting it.  What I'm not certain on is whether the
>version shipped with Solaris 9 is MIT-based or something proprietary to
>Solaris.  I've found some mention of setting a registry key on the Windows ]

The SEAM packages in Solaris are based on MIT, though they are not
identical; there are some minor differences.  Solaris 9 SEAM does not have
TCP support, which is needed to work with Windows 2003 server.  There are
workarounds, as others have pointed out.

>At this point, we're still having the problem with no resolution.  Has
>anyone else encountered this issue?  If so, is there a patch from SUN to
>address it or did you have to do something else?  Would appreciate any
>insight into this problem

I'm not sure if we have a patch for Solaris 9, but I do know that
Solaris 10 has TCP support and does not suffer the same problems as the
Solaris 8 and 9 versions.

-Wyllys


RE: Problems trying to authenticate Unix users via Active Directory

Smith, William E. (Bill), Jr.
In reply to this post by Smith, William E. (Bill), Jr.
I did notice that things seem to work properly in Solaris 10 and figured
it must include TCP support.  Modifying the user account property to not
require Kerberos pre-authentication has worked but that has some
implications of its own.  I will investigate some of the other
suggestions though.

Bill


Re: Problems trying to authenticate Unix users via Active Directory

Douglas E. Engert


Smith, William E. (Bill), Jr. wrote:

> I did notice that things seem to work properly in Solaris 10 and figured
> it must include TCP support. Modifying the user account property to not
> require kerberos pre-authentication has worked but that has some
> implications of its own.

Solaris 10 should support the pre-auth. It works for us. Why did
you think you had to turn it off?

With Solaris 5, 6, 7, 8, 9 we use/used the MIT kerberos.


> I will investigate some of the other
> suggestions though
>
> Bill
--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

RE: Problems trying to authenticate Unix users via Active Directory

Smith, William E. (Bill), Jr.
In reply to this post by Smith, William E. (Bill), Jr.
Sorry, guess I was not clear.  I had the "Do not require Kerberos
pre-authentication" box checked for my AD user account and I was able to
log in to a Solaris 9 box using my AD credentials.  With it unchecked,
logins failed again.  I can log in to a Solaris 10 system using my AD
credentials without any problems with that box unchecked.  It is only
when trying to authenticate against a Solaris 9 server (using SUN's
Kerberos distribution) that the problem crops up.

- Bill
