Pam kerberos vs. Kinit

Ethan Bearman ebearman at
Fri Mar 18 14:49:12 EST 2005

You're right - it was right on the cutover - if I add enough groups to the 
account, I cannot login via ssh with it, nor can I use kinit.

I have had success - finally - getting krb5-1.4 to compile.  How do I get 
source code to compile a pam kerberos library based on kerberos 1.3.5 or later?


At 12:51 PM 3/17/2005, you wrote:

>Ethan Bearman wrote:
>>At 07:14 AM 3/17/2005, you wrote:
>>>Ethan Bearman wrote:
>>>>I'm getting kerberos error 52 when I try to kinit from hp-ux (11.0 
>>>>running on 9000 series system) to our Windows 2003 AD domain.  It works 
>>>>for certain admin accounts that have few group memberships, but not for 
>>>>regular users.
>>>>I understand this to be due to the large PAC headers Windows is using 
>>>>for authorization data, which causes Windows to use TCP rather than 
>>>>UDP.  Apparently versions of MIT kerberos earlier than 1.3.1 do not 
>>>>support TCP.
>>I've just run another test and discovered that I can successfully log 
>>into the host initially (via PAM kerberos library and SSH), and I don't 
>>get error 52.  I've got a ticket in my cache and everything.  Kerb error 
>>52 only occurs if I'm using kinit from the shell.
>You could be right on the cut over point, and maybe addressless vs with 
>tickets keep the ticket just small enough.
>A way to see what is going on would be to do a network trace of the traffic
>to the host. Ethereal works well with Kerberos, and is claimed
>to be available for HP, but I have not tried it on HP.
>>How could this be?  I believe the PAM kerberos library that HP supplies 
>>is based on Krb1.1, which I thought would not be able to communicate via 
>>TCP to our W2k3 KDCs.  Does anyone know why this is working through PAM, 
>>and not at the shell?
>>Our users are not going to need to do kinit at the shell, but I just 
>>wonder if ignorance is bliss, or if I'm going to encounter problems 
>>anyway with this configuration.
>>Ethan Bearman
>>Systems Analyst
>>USCard Operations
>>University of Southern California
>>213.740.7253 Fax
>>Kerberos mailing list           Kerberos at
>  Douglas E. Engert  <DEEngert at>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444

Ethan Bearman
Systems Analyst
USCard Operations
University of Southern California
213.740.7253 Fax  
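The error 52 discussed in this thread is KRB_ERR_RESPONSE_TOO_BIG (RFC 4120), the KRB-ERROR a KDC returns when the reply, inflated by a large PAC, will not fit in a UDP datagram; a client that understands TCP retries there, an older one surfaces the error. The following is an added example written for this archive page, not code from the thread or from MIT Kerberos: a small DER encoder/decoder for KRB-ERROR, a client that classifies the error-code and falls back to TCP, and a constructed KDC model in which reply size grows with group count. The realm, principal, timestamp and the byte thresholds are constructed values, not measurements.

```python
"""Decode a Kerberos KRB-ERROR and act on error-code 52 (RESPONSE_TOO_BIG).

Added example: the encoder exists only to build sample messages offline.
Realm, sname, stime and all size constants below are constructed.
"""

KRB_ERR_RESPONSE_TOO_BIG = 52      # RFC 4120 error code
KRB_ERROR_APPLICATION_TAG = 0x7E   # [APPLICATION 30], constructed
SEQUENCE, INTEGER, GENERAL_STRING, GENERALIZED_TIME = 0x30, 0x02, 0x1B, 0x18


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def ctx(n: int, body: bytes) -> bytes:
    """Context-specific constructed tag [n]; KRB-ERROR only uses n < 31."""
    return tlv(0xA0 | n, body)


def der_int(v: int) -> bytes:
    nbytes = max(1, (v.bit_length() + 8) // 8)  # leave room for the sign bit
    return tlv(INTEGER, v.to_bytes(nbytes, "big", signed=True))


def principal_name(name_type: int, components: list) -> bytes:
    strings = b"".join(tlv(GENERAL_STRING, c.encode()) for c in components)
    return tlv(SEQUENCE, ctx(0, der_int(name_type)) + ctx(1, tlv(SEQUENCE, strings)))


def encode_krb_error(error_code, realm, sname, stime="20050318194912Z", susec=0):
    """Minimal KRB-ERROR carrying only the fields RFC 4120 requires."""
    fields = (
        ctx(0, der_int(5))                                # pvno
        + ctx(1, der_int(30))                             # msg-type KRB_ERROR
        + ctx(4, tlv(GENERALIZED_TIME, stime.encode()))   # stime (constructed)
        + ctx(5, der_int(susec))                          # susec
        + ctx(6, der_int(error_code))                     # error-code
        + ctx(9, tlv(GENERAL_STRING, realm.encode()))     # realm
        + ctx(10, principal_name(2, sname))               # sname, NT-SRV-INST
    )
    return tlv(KRB_ERROR_APPLICATION_TAG, tlv(SEQUENCE, fields))


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos); rejects truncated elements."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val


def decode_krb_error(msg: bytes) -> dict:
    """Extract error-code, realm and sname from a KRB-ERROR; other fields are skipped."""
    tag, body, _ = _read_tlv(msg)
    if tag != KRB_ERROR_APPLICATION_TAG:
        raise ValueError("not a KRB-ERROR message (tag 0x%02x)" % tag)
    stag, seq, _ = _read_tlv(body)
    if stag != SEQUENCE:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    out = {}
    for ctag, cval in _children(seq):
        field = ctag & 0x1F
        _, inner, _ = _read_tlv(cval)           # unwrap the [n] EXPLICIT tag
        if field == 6:
            out["error_code"] = int.from_bytes(inner, "big", signed=True)
        elif field == 9:
            out["realm"] = inner.decode()
        elif field == 10:                       # PrincipalName: [1] name-string
            for ptag, pval in _children(inner):
                if (ptag & 0x1F) == 1:
                    _, strings, _ = _read_tlv(pval)
                    out["sname"] = "/".join(v.decode() for _, v in _children(strings))
    if "error_code" not in out:
        raise ValueError("KRB-ERROR without error-code")
    return out


# Constructed model of PAC growth with group membership (illustrative bytes).
BASE_REPLY_BYTES, BYTES_PER_GROUP, UDP_REPLY_LIMIT = 1200, 40, 1500


def kdc_reply(group_count: int, transport: str, realm: str = "EXAMPLE.COM") -> bytes:
    """KDC model: a reply too large for one UDP datagram becomes KRB-ERROR 52."""
    size = BASE_REPLY_BYTES + BYTES_PER_GROUP * group_count
    if transport == "udp" and size > UDP_REPLY_LIMIT:
        return encode_krb_error(KRB_ERR_RESPONSE_TOO_BIG, realm, ["krbtgt", realm])
    return b"AS-REP-STANDIN:%d" % size          # placeholder for a real AS-REP


def client_as_request(group_count: int, client_supports_tcp: bool) -> dict:
    """Client side: try UDP first, fall back to TCP only if the library can."""
    reply = kdc_reply(group_count, "udp")
    if reply[:1] != bytes([KRB_ERROR_APPLICATION_TAG]):
        return {"transport": "udp", "outcome": "ticket"}
    err = decode_krb_error(reply)
    if err["error_code"] == KRB_ERR_RESPONSE_TOO_BIG and client_supports_tcp:
        kdc_reply(group_count, "tcp")
        return {"transport": "tcp", "outcome": "ticket"}
    return {"transport": "udp", "outcome": "error", "error_code": err["error_code"]}
```

In this model a user with few groups gets a ticket over UDP either way, while a heavily grouped user only succeeds when the client library can retry over TCP, which is the split the thread observes between HP's Krb1.1-based PAM module and a kinit from MIT 1.3.1 or later. On MIT krb5 1.3 and later, `udp_preference_limit` in the `[libdefaults]` section of krb5.conf lowers the size at which the library goes straight to TCP, which avoids the round trip through error 52 altogether.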

More information about the Kerberos mailing list