On Sat, Dec 01, 2007 at 05:12:59AM -0800, Devendra Gogate wrote:
> Hi all,
>
> I have configured kerberos and LDAP client on a solaris 9 machine to authenticate my Acive Directory users, now the problem is that if the AD user is member of multiple groups, solaris machine do not allow the user to logon.
>
> does anyone face this issue? anyone has any idea?


I believe the problem is that the AD is using TCP for the transport of
Kerberos messages. Solaris Kerberos prior to Solaris 10 does not
support TCP (only UDP).

Two options to deal with this are:

1. Upgrade to Solaris 10 which has a version of Kerberos that supports
TCP.

2. Disable pre-authenticate in order to prevent the AD from sending the
large PAC segment which is causing the AD to use TCP. This can be
accomplished with the following:

Configuring Active Directory (AD) to Exclude PAC Segments

Versions of Solaris before Solaris 10 sometimes will not be able to read
TGTs sent by the AD server. This is because the default limit of a UDP
packet (57k for Solaris >= 10 and 8k for Solaris <= 9) is too small to
contain the PAC segment. This is prevalent in domains that have a large
number of groups. The issue is that versions of Kerberos before Solaris
10 do not support TCP, which is what the AD server would use to send the
response back to the client.

Typically the Solaris client would see the following error message when
the packet is too large (in this example, kinit):

% kinit
Password for username@EXAMPLE.COM:
kinit: KRB5 error code 52 while getting initial credentials

or when logging into the Solaris client machine, pam_krb5(5) may report
the following error message via syslog, for example:

solarisclient login: [ID 537602 auth.error] PAM-KRB5 (auth):
krb5_verify_init_creds failed: KRB5 error code 52

The PAC segment can be excluded on the AD side by disabling pre-authentication.
This can be accomplished with the following steps:

Right click over the intended user
Select "Properties"
Select the "Account" tab
Scroll down the "Account options" list
Then select the "Do not require Kerberos preauthentication" checkbox.

The disadvantage of turning preauthentication off is that the client's key is
more susceptible to off-line dictionary attacks.

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)