On Mon, Jun 24, 2002 at 11:20:22PM +1200, Allister Maguire wrote:
> Hello,

> We are using FreeRadius 0.5 with LDAP (ActiveDirectory) Authorization
> and Kerberos V (Windows 2k KDC) for authentication, problem we have found
> is that pam fails if username is longer than 9 characters. This is the
> error message that is displayed:

> pam_pass: function pam_acct_mgmt FAILED for <allistermaguire>. Reason:

> Is this a bug? Can it be fixed?

This is a bug in the Kerberos libraries: the krb5_kuserok() function, used to
authorize Kerberos principals as local accounts, uses a ten-byte-long buffer
to store principal names for comparison (9 chars + NUL). I've already
reported the bug upstream to MIT, and I understand it's included in their CVS
tree, though I don't know if the fix has made it into a release yet.

Since you're using rlm_pam rather than rlm_krb5, you may be able to get by
with replacing pam_krb5 in the 'acct' block with pam_permit.

HTH,
Steve Langasek
postmodern programmer
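A simplified model of the failure described in the reply above, added here as an example; it is not the MIT Kerberos source and not part of the original message. The function names are hypothetical, and it assumes the short buffer causes the name conversion to be refused (rather than truncated), so the account check denies any name longer than 9 characters.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for this example: 9 characters + NUL, the size the reply gives. */
#define SHORT_NAME_BUF 10

/* Hypothetical stand-in for the principal-to-local-name step: copies the
 * name into the caller's buffer and reports failure if it does not fit. */
static int to_localname(const char *principal, char *out, size_t outlen)
{
    size_t n = strcspn(principal, "@");   /* drop the realm part */
    if (n + 1 > outlen)
        return -1;                        /* no room for name + NUL */
    memcpy(out, principal, n);
    out[n] = '\0';
    return 0;
}

/* Model of the flawed check: fixed 10-byte buffer, so any name longer than
 * 9 characters fails conversion and the user is denied. */
int userok_short(const char *principal, const char *luser)
{
    char kuser[SHORT_NAME_BUF];
    if (to_localname(principal, kuser, sizeof kuser) != 0)
        return 0;
    return strcmp(kuser, luser) == 0;
}

/* Same check with a buffer sized for realistic account names. */
int userok_sized(const char *principal, const char *luser)
{
    char kuser[256];
    if (to_localname(principal, kuser, sizeof kuser) != 0)
        return 0;
    return strcmp(kuser, luser) == 0;
}

int main(void)
{
    /* Constructed sample principals; the realm is a placeholder. */
    const char *p[] = { "allister@EXAMPLE.COM", "allistermaguire@EXAMPLE.COM" };
    const char *u[] = { "allister", "allistermaguire" };
    for (int i = 0; i < 2; i++)
        printf("%-16s short=%d sized=%d\n", u[i],
               userok_short(p[i], u[i]), userok_sized(p[i], u[i]));
    return 0;
}
```

The check fails closed: a legitimate long-named user is locked out, which matches the empty-reason pam_acct_mgmt failure in the quoted log line.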
