Red Hat Bugzilla – Full Text Bug Listing
Summary: 1.7 -> 2.04 breaks authentication against Active Directory
Product: Fedora
Component: pam_krb5
Version: 1
Status: CLOSED INSUFFICIENT_DATA
Reporter: David L. Parsley <parsley>
Assignee: Nalin Dahyabhai <nalin>
CC: karel, mattdm, me, m.keir
Doc Type: Bug Fix
Last Closed: 2006-10-25 16:42:02 EDT
Description David L. Parsley 2003-11-06 16:30:33 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1) Gecko/20031030 Epiphany/1.0.4

Description of problem:
Using the new pam_krb5, auth fails, and I find this in /var/log/messages:

Nov 6 15:24:45 ioreth login: pam_krb5: authentication fails for 'parsley': Authentication failure (KDC reply did not match expectations)

I built the 1.70 version, rpm -e pam_krb5, rpm -Uvh pam_krb5-1.70-1, and it works; no config changes needed. (same config that worked for RH8 and RHEL3)

Sniffing the wire, I saw an error like KRB5KDC_PREAUTH_REQUIRED twice. (error code from memory)

Version-Release number of selected component (if applicable):
pam_krb5-2.0.4

How reproducible:
Always

Steps to Reproduce:
1. Setup active directory on w2k
2. Configure kerberos with correct realm & your.ad.server:88
3. Try logging in

Actual Results:
Login failed

Expected Results:
Login succeeding

Additional info:
Comment 1 aleahy 2003-11-19 13:01:39 EST
I posted a question about this problem to the fedora list, but didn't receive a reply. I don't think it's helpful, but here's the output from /var/log/secure when debug is turned on in the pam_krb5 module.

Nov 19 11:41:53 huygens sshd: pam_krb5: default/local realm 'KNOX.EDU'
Nov 19 11:41:53 huygens sshd: pam_krb5: configured realm 'KNOX.EDU'
Nov 19 11:41:53 huygens sshd: pam_krb5: flags: forwardable
Nov 19 11:41:53 huygens sshd: pam_krb5: flag: user_check
Nov 19 11:41:53 huygens sshd: pam_krb5: flag: no krb4_convert
Nov 19 11:41:53 huygens sshd: pam_krb5: flag: warn
Nov 19 11:41:53 huygens sshd: pam_krb5: renewable lifetime: 36000
Nov 19 11:41:53 huygens sshd: pam_krb5: banner: Kerberos 5
Nov 19 11:41:53 huygens sshd: pam_krb5: ccache dir: /tmp
Nov 19 11:41:53 huygens sshd: pam_krb5: keytab: /etc/krb5.keytab
Nov 19 11:41:53 huygens sshd: pam_krb5: called to update credentials for 'aleahy'
Nov 19 11:41:53 huygens sshd: pam_krb5: _pam_krb5_sly_refresh returning 0 (Success)

The same message as discussed in the original bug report shows up in /var/log/messages.

As I mentioned in my e-mail to the fedora list, I came up with a link to another report of this when I googled the problem: http://web.brandeis.edu/pages/view/Bio/FedoraCore1Notes

This page refers to this problem as a "major problem". I have to agree. Having my default authentication scheme fail during the upgrade is a major headache to deal with.
Comment 2 Nalin Dahyabhai 2003-11-19 13:45:32 EST
Yeah, I was still sorting out what was going on. You're getting a KRB5_KDCREP_MODIFIED error because the AD server receives a request for a TGT with (lifetime= 24 hours, renewable_time = 10 hours) and responds with a TGT with (lifetime=24 hours, renewable_time = 24 hours), and libkrb5 treats that as an error. (You can reproduce this with kinit by passing -l 24:00:00 -r 10:00:00 on its command line.) A quick fix is to change the renew_lifetime setting in /etc/krb5.conf to something higher than 24 hours (24 * 60 * 60 = 86400) or drop it to zero, so that the requested TGT won't be renewable. This wasn't a problem before because the default requested lifetime was 10 hours in krb5 1.2, and that corresponded with the renewable lifetime in the default configuration. The default requested lifetime was upped to 24 hours in krb5 1.3. With the current combination of krb5 and pam_krb5 in FC1, the default requested lifetime can't be changed, either. pam_krb5 2.0.x doesn't support that option, because I mistakenly believed that it would duplicate some of the functionality of libkrb5. That'll have to be fixed.
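The mismatch Nalin describes (a TGT requested with a renewable lifetime shorter than its ticket lifetime, which an AD KDC answers with renewable_time raised to the ticket lifetime, so libkrb5 rejects the reply) is a configuration problem that can be caught before anyone locks themselves out. The following is an added example, not code from the bug report or from pam_krb5: a small checker that reads the [libdefaults] section of a krb5.conf-style file, converts krb5 duration strings to seconds, and flags a non-zero renew_lifetime that is shorter than ticket_lifetime. The sample configurations are constructed, the 24-hour default for a missing ticket_lifetime follows comment 2 (krb5 1.3), and treating "renew < ticket" in general as the trigger is an assumption generalised from the single case (24h/10h) described above.

```python
import re

# Constructed sample /etc/krb5.conf fragments (not taken from the bug report).
# BROKEN_CONF reproduces the combination from comment 2: a 24 h ticket with
# the FC1-era 10 h renewable lifetime. FIXED_CONF applies the suggested fix
# of raising renew_lifetime above the ticket lifetime.
BROKEN_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 24h
    renew_lifetime = 10h
    forwardable = true
"""

FIXED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
"""

# Assumed default for a missing ticket_lifetime: 24 hours, as comment 2
# states for krb5 1.3. A missing renew_lifetime means 0 (non-renewable).
DEFAULT_TICKET_LIFETIME = "24h"
DEFAULT_RENEW_LIFETIME = "0"

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_deltat(text: str) -> int:
    """Convert a krb5 duration string to seconds.

    Handles the forms commonly used in krb5.conf: plain seconds ("86400"),
    clock notation ("24:00:00" or "10:30" meaning h:m:s / h:m) and unit
    suffixes that may be combined ("1d", "24h", "10h30m", "1d2h3m4s").
    """
    text = text.strip().lower()
    if not text:
        raise ValueError("empty duration")
    if text.isdigit():
        return int(text)
    if ":" in text:
        parts = [int(p) for p in text.split(":")]
        if len(parts) == 2:
            return parts[0] * 3600 + parts[1] * 60
        if len(parts) == 3:
            return parts[0] * 3600 + parts[1] * 60 + parts[2]
        raise ValueError(f"unrecognised duration: {text!r}")
    m = re.fullmatch(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    total = 0
    for value, unit in zip(m.groups(), "dhms"):
        if value:
            total += int(value) * _UNIT_SECONDS[unit]
    return total


def libdefaults(conf: str) -> dict:
    """Return the key/value pairs of the [libdefaults] section (lower-cased keys)."""
    section = None
    values = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = value
    return values


def check_renew_lifetime(conf: str) -> tuple:
    """Return (ok, explanation) for the ticket/renewable lifetime pairing."""
    vals = libdefaults(conf)
    ticket = parse_deltat(vals.get("ticket_lifetime", DEFAULT_TICKET_LIFETIME))
    renew = parse_deltat(vals.get("renew_lifetime", DEFAULT_RENEW_LIFETIME))
    if renew == 0:
        return True, "renew_lifetime is 0/unset: the TGT is requested non-renewable"
    if renew < ticket:
        return False, (f"renew_lifetime ({renew}s) is shorter than ticket_lifetime "
                       f"({ticket}s): an AD KDC returns a reply whose renewable time "
                       f"differs from the request and libkrb5 rejects it "
                       f"(KDC reply did not match expectations)")
    return True, f"renew_lifetime ({renew}s) >= ticket_lifetime ({ticket}s)"


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        ok, why = check_renew_lifetime(conf)
        print(f"{name}: {'OK' if ok else 'PROBLEM'} - {why}")
```

Run against a real file with `check_renew_lifetime(open("/etc/krb5.conf").read())`. The check only looks at [libdefaults]; per comment 4, pam_krb5 can also take ticket_lifetime from the "pam" entry under [appdefaults], which this example does not read.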
Comment 3 karel 2003-11-20 08:51:23 EST
Thanks, Nalin. I wrote the webpage above and your quickfix of setting renew_lifetime=86500 in /etc/krb5.conf works for me. I'll update my page.
Comment 4 Nalin Dahyabhai 2003-11-25 19:30:25 EST
I'm pushing out a test (watch for mail on fedora-test-list) which should honor ticket_lifetime in the [appdefaults] "pam" section again. This should make the default settings in /etc/krb5.conf work again. Please test it and follow up here, whether it works or not. Thanks!
Comment 5 Nalin Dahyabhai 2003-12-18 15:37:27 EST
The pam_krb5-1.0.5-1 update in FC1 testing should fix this bug. Please test it and follow up here (even if it works, which is what I expect).
Comment 6 Need Real Name 2004-02-10 04:24:33 EST
After updating to pam_krb5-2.0.5-1 this morning and following the listed steps above, I have authentication against AD working OK except in the case that the local password is the same as the AD password for the same username. If you make the password different, it works fine but when they are the same, the following shows up in /var/log/secure (with debug set in /etc/krb5.conf)

---
Feb 10 19:15:25 s913mklap login: pam_krb5: krb5_get_init_creds_password(krbtgt/QUT.EDU.AU@QUT.EDU.AU) returned -1765328360 (Preauthentication failed)
Feb 10 19:15:25 s913mklap login: pam_krb5: pam_acct_mgmt returning 7 (Authentication failure)
---

logins as root or use of su also not functional (especially if minimum_uid set). Am using authconfig and redhat-config-authentication to select/deselect authentication details. I suspect that on the machines I am applying this I can work around the same password problem but the root login is a bit of an annoyance.
Comment 8 Matthew Miller 2006-07-11 13:45:15 EDT
Fedora Core 1 is maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thanks! NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy project. After Fedora Core 6 Test 2 is released (currently scheduled for July 26th), there will be no more security updates for FC1. Please use these next two weeks to upgrade any remaining FC1 systems to a current release.
Comment 9 John Thacker 2006-10-25 16:42:02 EDT
Closing per lack of response. Also note that FC1 and FC2 are no longer supported even by Fedora Legacy. If this still occurs on FC3 or FC4, please assign to that version and Fedora Legacy. If it still occurs on FC5 or FC6, please reopen and assign to the correct version.