On Wed, Jul 04, 2007 at 05:56:56PM +0000, Ron Bass II wrote:
>
> I'm getting the following error on a Solaris 8 machine: kinit: KRB5
> error code 52 while getting initial credentials
>
> So far my analysis shows this error to indicate the following: 0x34 -
> KRB_ERR_RESPONSE_TOO_BIG - Too much data
>
> According to a number of forums, some inheriant limitations exist with
> the Solaris 8 version of Kerberos concerning the number of group
> memberships a user may have. In my Active Directory, each user is a
> member of possibly many groups. To confirm this, I created a simple
> user with only membership to "Domain Users" and was able to run kinit
> without issue. Also, I seen a number of forums reporting that the
> native version of Kerberos in Solaris 8 does not support TCP.
> Apparently by default, once the package size of a Kerberos ticket
> reaches a specified max, TCP should be used.

Support for TCP in Solaris Kerberos was introduced in Solaris 10.

> I have the following Kerberos packages loaded: SUNWk5pk kernel
> Kerberos V5 plug-in w/auth+privacy (32-bit) SUNWk5pkx kernel
> Kerberos V5 plug-in w/auth+privacy (64-bit) SUNWk5pu user
> Kerberos V5 gss mechanism w/auth+privacy (32-bit) SUNWk5pux user
> Kerberos V5 gss mechanism w/auth+privacy (64-bit)
>
> Are updated packages for Kerberos available for Solaris 8 environments
> that can handle support for Kerberos over TCP and having a large
> number of group memberships?

There are no Solaris 8 packages to provide Kerberos over TCP at this
point. If you have a customer service agreement you can make a request
through your Sun service rep. for TCP/Kerberos support in Solaris 8.
There is no guarantee that Sun will do this as there are costs to doing
this and this support is available in Solaris 10. In fact Solaris 10
has a number of Kerberos improvements that make interop with a MS AD
easier.

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)