You must have migrated from AD 2000 to AD 2003. AD had to adjust with
migration from many NT domains to one so it kept the legacy group ID's
in the credentials even though there is now a concatenated group, just
in case there was a server out there that has yet to migrate
(SIDHistory). I've seen the problem where the key was too large several
times and it was always due to the migration not being completed. Check
out this MS article, it may apply to you.
http://support.microsoft.com/default.aspx?scid=kb;en-us;322970
---K
Bill Smith wrote:
We have a Solaris 9 box configured to authenticate users via AD. Everything
used to work fine but recently, AD authentication has failed for some users
but still works for others. As part of the troubleshooting process, tried
running the kinit command for a user having problems and get the following
error
kinit: KRB5 error code 52 while getting initial credentials
From what I've found, it seems to be an issue with the user being in too
many AD groups, the Windows KDC wanting to use TCP rather than UDP, and the
MIT version not supporting it. What I'm not certain on is whether is the
version shipped with Solaris 9 is MIT-based or something proprietary to
Solaris. I've found some mention of setting a registry key on the Windows
Domain controllers but have not been able to find anything specific. I also
believe this issue cropped up after we began upgrading some of the domain
controllers to Windows 2003.
At this point, we're still having the problem with no resolution. Has
anyone else encountered this issue? If so, is there a patch from SUN to
address it or did you have to do something else? Would appreciate any
insight into this problem
Thanks,
Bill
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
