[37777] in Kerberos


Re: AD integration (ticket size) question

daemon@ATHENA.MIT.EDU (Robbie Harwood)
Tue Nov 15 20:26:57 2016

From: Robbie Harwood <rharwood@redhat.com>
To: Jerry Shipman <jes59@cornell.edu>
In-Reply-To: <9EB49546-030E-4AE5-BE78-9048F0983B59@cornell.edu>
Date: Tue, 15 Nov 2016 20:26:34 -0500
Message-ID: <jlgzil02p11.fsf@thriss.redhat.com>
MIME-Version: 1.0
Cc: kerberos@mit.edu


Jerry Shipman <jes59@cornell.edu> writes:

> We have cross-realm authentication with an Active Directory
> installation. We run into occasional issues with the AD Kerberos
> tickets being too large to fit into application buffers, etc -- I
> guess because of all the group information in the PAC (i.e. users who
> are in a lot of AD groups have larger tickets).
>
> On my side of the integration, we're never using that PAC information
> anyway. Is there a way that I can get rid of that information, either
> on the KDC side or on the client side?  I am thinking things like:

My understanding is very limited, but I know you can turn this off on
the AD-side using something like [1] on at least a per-server basis.  I
don't have a machine to test with, unfortunately.

What applications are you seeing breakage with, NFS itself?  I would've
expected most programs to not care about sizes (unless they become truly
excessive).  If it's NFS itself, the article suggests that GSS-Proxy [2]
may alleviate some issues as well, though I haven't personally used it
with AD.

Thanks,
--Robbie

1: http://blog.evad.io/2014/11/04/kerberos-protected-nfs-with-active-directory-and-the-pac/
2: https://fedorahosted.org/gss-proxy/
