[HPADM] Problem switching from pam_ntlm to pam_krb5

From: Orwig, Paul (PORWIG@PacificLife.com)
Date: Fri Nov 12 2004 - 13:42:43 EST


This is somewhat complicated so I will be providing as much info as I can
without being too technical. (I hope...)

Problem:
Our Wintel group is moving from Windows 2000 Mixed-Mode Active Directory to
Windows 2003 Active Directory.
Currently pam_ntlm works fine with W2K-AD in mixed mode, but tests with
W2K3-AD don't work. (It looks like admin user/password are needed to query
AD and pam_ntlm is not designed to handle this situation.)

Solution 1:
Switch to pam_krb5.
This works fine with W2K-AD but fails with Upgraded W2K3-AD with the
following error:
KDC has no support for encryption type while getting initial credentials

A test W2K3-AD in "natural" mode and newly added accounts seems to work
fine.
I have found some references to this and the need to change passwords to
update the password encryption, but this doesn't seem to work on the
Upgraded W2K3-AD servers. (i.e. I updated my password, but still get the
encryption error message.)

Has anyone else seen this problem?
How did you "fix" it?

Thanks!

Paul Orwig
UNIX Systems Administration
Pacific Life Annuities and Mutual Funds
Newport Beach, Ca.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:44 EDT