Error code 52 is the error returned by AD indicating your UDP packet was
too big, and thus it wants to do TCP. Windows puts the PAC in the
ticket to provide extra authentication information.

Older versions of Kerberos don't support TCP, and thus don't know what
to do.

-dan
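The exchange behind that error code, as an added example that is not part of the thread: error 52 is KRB_ERR_RESPONSE_TOO_BIG (RFC 4120), which a KDC sends over UDP when its reply (here an AS-REP fattened by the PAC) would not fit in a datagram; a TCP-capable client is expected to repeat the request over TCP with the 4-byte length prefix of RFC 4120 section 7.2.2, while a UDP-only client can do nothing but hand the KRB-ERROR back to its caller, which is what the pam_krb5 log above shows. The script builds a DER-encoded KRB-ERROR, extracts its error-code, and runs both client behaviours against a toy in-process KDC; the KDC class, the request and reply bytes, the realm EXAMPLE.COM and the 1465-byte UDP limit (MIT's default udp_preference_limit) are all constructed for the example. With MIT Kerberos, setting udp_preference_limit = 1 in the [libdefaults] section of krb5.conf makes the library try TCP first and skips the round trip.

```python
"""Simulate the KDC exchange behind "KRB5 error code 52".

Added example, not code from the mailing-list thread.  A KDC whose reply does
not fit in one UDP datagram answers with KRB-ERROR error-code 52
(KRB_ERR_RESPONSE_TOO_BIG, RFC 4120); a TCP-capable client retries over TCP
using the 4-byte length prefix of RFC 4120 section 7.2.2.  All messages here
are constructed toy DER, not captured traffic.
"""
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error code seen in the pam_krb5 log
APPLICATION_30 = 0x7E           # [APPLICATION 30] constructed tag = KRB-ERROR
SEQUENCE = 0x30

# --- minimal DER helpers (enough to build and read a KRB-ERROR) -------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def der_int(v):
    n = (v.bit_length() + 8) // 8          # minimal two's-complement width
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def ctx(n, body):                          # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)

def kstring(s):                            # KerberosString is GeneralString (0x1B)
    return tlv(0x1B, s.encode("ascii"))

def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

# --- KRB-ERROR build / parse ------------------------------------------------
def build_krb_error(error_code, realm, sname):
    """KRB-ERROR carrying only the mandatory fields (pvno, msg-type, stime,
    susec, error-code, realm, sname); stime is a fixed constructed value."""
    name_string = tlv(SEQUENCE, b"".join(kstring(p) for p in sname))
    principal = tlv(SEQUENCE, ctx(0, der_int(2)) + ctx(1, name_string))
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30))
            + ctx(4, tlv(0x18, b"20050629214427Z")) + ctx(5, der_int(0))
            + ctx(6, der_int(error_code))
            + ctx(9, kstring(realm)) + ctx(10, principal))
    return tlv(APPLICATION_30, tlv(SEQUENCE, body))

def krb_error_code(msg):
    """Return the error-code of a KRB-ERROR, or None if msg is not one."""
    tag, body, _ = read_tlv(msg)
    if tag != APPLICATION_30:
        return None
    _, fields, _ = read_tlv(body)          # the inner SEQUENCE
    pos = 0
    while pos < len(fields):
        ftag, fbody, pos = read_tlv(fields, pos)
        if ftag == 0xA6:                   # [6] error-code
            _, ival, _ = read_tlv(fbody)
            return int.from_bytes(ival, "big", signed=True)
    return None

def frame_tcp(msg):
    """RFC 4120 7.2.2: big-endian 4-byte length (high bit clear), then the message."""
    assert len(msg) < 0x80000000
    return struct.pack("!I", len(msg)) + msg

# --- toy KDC and client (constructed for this example) ----------------------
class ToyKDC:
    """Returns a canned reply; over UDP it refuses a reply larger than
    udp_limit bytes and sends error 52 instead, as a real KDC would."""
    def __init__(self, reply, udp_limit=1465):
        self.reply, self.udp_limit = reply, udp_limit

    def udp(self, req):
        if len(self.reply) > self.udp_limit:
            return build_krb_error(KRB_ERR_RESPONSE_TOO_BIG, "EXAMPLE.COM",
                                   ["krbtgt", "EXAMPLE.COM"])
        return self.reply

    def tcp(self, framed_req):
        (n,) = struct.unpack("!I", framed_req[:4])
        assert len(framed_req) == 4 + n    # length prefix must match the body
        return frame_tcp(self.reply)

def get_reply(kdc, req, supports_tcp):
    """Client side: try UDP first; on error 52 retry over TCP if the library can."""
    resp = kdc.udp(req)
    if krb_error_code(resp) != KRB_ERR_RESPONSE_TOO_BIG or not supports_tcp:
        return resp                        # UDP-only library: error 52 surfaces to PAM
    framed = kdc.tcp(frame_tcp(req))
    (n,) = struct.unpack("!I", framed[:4])
    return framed[4:4 + n]

# Constructed inputs: a stand-in request and two stand-in AS-REP replies.
TOY_REQ = b"\x6a\x03\x30\x01\x00"                        # not a real AS-REQ
SMALL_REP = b"\x6b\x05\x30\x03\x02\x01\x0b"              # fits in a datagram
PAC_BLOATED_REP = b"\x6b\x82\x0b\xb8" + b"\x00" * 3000   # ~3 KB, over the limit

if __name__ == "__main__":
    kdc = ToyKDC(PAC_BLOATED_REP)
    old = get_reply(kdc, TOY_REQ, supports_tcp=False)
    print("UDP-only client got KRB-ERROR", krb_error_code(old))        # 52
    new = get_reply(kdc, TOY_REQ, supports_tcp=True)
    print("TCP-capable client got reply of", len(new), "bytes")        # 3004
```

Run it directly to see both outcomes: the UDP-only client ends with error 52 exactly as in the log, the TCP-capable one receives the full reply after the retry.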

-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On
Behalf Of Haskins, Russell
Sent: Wednesday, June 29, 2005 3:56 PM
To: kerberos@mit.edu
Subject: MIT Kerberos 1.4.1, Solaris 8, & AD SSO

I am trying to get Single-Sign-On working with the *NIX boxes on our
campus network. The Windows AD is controlled by our outsourced IT group
so we can't drive any requirements on it. I have my Redhat Enterprise
Linux boxes authenticating correctly to the AD domain. However I've hit
the wall with Solaris 8 (we have a mix of Solaris, I started with 8).

I compiled and installed MIT Kerberos 1.4.1 on a new Solaris 8 2/04
system. I configured the /etc/krb5.conf for the AD domain and kinit
returns a ticket (works as root or unprivileged user).

I configured /etc/pam.conf for kerberos:

# PAM configuration
#
# This file is configured to try pam_unix first, then pam_krb5
#
# Authentication management
#
other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other auth required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#
# Account management
#
# pam_krb5 has a no-op account module, so we don't bother listing it here
#
other account requisite /usr/lib/security/$ISA/pam_roles.so.1
other account required /usr/lib/security/$ISA/pam_projects.so.1
other account required /usr/lib/security/$ISA/pam_unix.so.1
#
# Session management
#
# pam_krb5 destroys any credential cache on session close, so it's good
# to have it here. However, we also need pam_unix to be called, so don't
# make pam_krb5 "sufficient".
#
other session optional /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_unix.so.1
#
# Password management
#
# You may have to fiddle with this if you have other account databases.
# If you have some centralized user management tool that users use to
# change their password then you may just want to remove the pam_krb5
# here.
#
other password sufficient /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_krb5.so.1 use_first_pass
#

I created a Solaris account for the principal (first.last), made sure
there was no shadow file entry for the account, then tried to login
using the principal name and kerberos passwd.

Login incorrect

I added logging to the pam.conf configuration and these are the messages
in /var/adm/messages:

Jun 29 14:44:27 rupfert login: [ID 264565 auth.debug] PAM-KRB5: auth:
pam_sm_authenticate flags = 0
Jun 29 14:44:27 rupfert login: [ID 405806 auth.debug] PAM-KRB5:
attempt_krb5_login: start: user='First.Last', uid=10526
Jun 29 14:44:27 rupfert login: [ID 730853 auth.debug] PAM-KRB5: auth:
krb5_login: tkt_with_pw returns: KRB5 error code 52
Jun 29 14:44:27 rupfert login: [ID 410402 auth.debug] PAM-KRB5:
attempt_krb5_login returning 9
Jun 29 14:44:27 rupfert login: [ID 892699 auth.debug] PAM-KRB5:
pam_sm_auth finalize ccname env, result = 9, env =
'KRB5CCNAME=FILE:/tmp/krb5cc_10526', age = 0, status = 9
Jun 29 14:44:27 rupfert login: [ID 753808 auth.debug] PAM-KRB5: sm_auth:
returning 9
Jun 29 14:44:35 rupfert login: [ID 174864 auth.debug] PAM-KRB5:
krb5_cleanup pam_sm_auth_status(9)

Any ideas would be greatly appreciated.

Russ...

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


