Jerry Shipman <je...@cornell.edu> writes:

> We have cross-realm authentication with an Active Directory
> installation. We run into occasional issues with the AD kerberos
> tickets being too large to fit into applications buffers, etc -- I
> guess because of all the group information in the PAC (i.e. users who
> are in a lot of AD groups have larger tickets).
>
> On my side of the integration, we're never using that PAC information
> anyway. Is there a way that I can get rid of that information, either
> on the KDC side or on the client side? I am thinking things like:

My understanding is very limited, but I know you can turn this off on the AD-side using something like [1] on at least a per-server basis. I don't have a machine to test with, unfortunately.

What applications are you seeing breakage with, NFS itself? I would've expected most programs to not care about sizes (unless they become truly excessive).

If it's NFS itself, the article suggests that GSS-Proxy [2] may alleviate some issues as well, though I haven't personally used it with AD.

Thanks,
--Robbie

1: http://blog.evad.io/2014/11/04/kerberos-protected-nfs-with-active-directory-and-the-pac/
2: https://fedorahosted.org/gss-proxy/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos