Bug 128067
| Field | Value |
|---|---|
| Summary | pam_krb5 Active Directory authentication broken |
| Product | Red Hat Enterprise Linux 3 |
| Reporter | Joshua Daniel Franklin <joshuadfranklin> |
| Component | pam_krb5 |
| Assignee | Nalin Dahyabhai <nalin> |
| Status | CLOSED WONTFIX |
| QA Contact | Brian Brock <bbrock> |
| Severity | medium |
| Priority | medium |
| Version | 3.0 |
| CC | jasonsauve77, k.georgiou, tao |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | i686 |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2007-10-19 19:22:25 UTC |
Description
Joshua Daniel Franklin
2004-07-16 22:45:10 UTC
Created attachment 102067 [details]
/etc/pam.d/system-auth
Created attachment 102068 [details]
/etc/krb5.conf
We're using Active Directory on Windows Server 2003 here and pam_krb5-1.73-1 with no problems, using the same environment as yourself. So I'm led to believe there is no problem with the pam_krb5 module. I've tested it with RH EL 3, U1 and U2. I've attached my system-auth and krb5.conf config files for your viewing. One thing to note is that it is critical that there is proper time synchronization between the Kerberos client and the KDC. Any time differential > 5 minutes causes Kerberos authentication to fail.

Bug:114938 might be a possible cause of the problem. Not that I can imagine any reason why it works with older versions of pam_krb5 though.

With respect to Bug ID #114938, I'm successfully using krb5-libs-1.2.7-21, krb5-devel-1.2.7-21, krb5-workstation-1.2.7-21 and pam_krb5-1.73-1.

Yes, I know about the time issue and have made sure that time is properly synchronized. That problem does not give "error code 52" anyway. Are any of your Active Directory users members of more than 10 groups?

One other thing I've noticed: with the older pam_krb5 it gives me the message "Password expired. You must change it now." on login although Active Directory has "Password never expires." Has the expired password handling in pam_krb5 changed?

This could be related to this bug: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=114938

Sorry about that, missed the above post. Wish there was an option to delete a comment we posted! =)

We too (Hertz) are having trouble using Active Directory accounts for login. kinit works. The problem is with new AD accounts migrated from the old domain controller. New AD accounts work. /var/log/messages reports "authenticate error: KRB5 error code 52 (-1765328332)". We found the problem is in pam_krb5. We fixed this in RedHat ES 2.1 by compiling krb5-1.2.4-11 and pam_krb5-2.0.4-1. Then we installed pam_krb5-2.0.4-1.i386.rpm, krb5-devel-1.2.4-11.i386 and krb-libs-1.2.4-11.i386.rpm.

We fixed RedHat ES 3 by building pam_krb5-1.73-1 from Fedora Core 1 and installing it.

This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet that criteria, it is now being closed. For more information on the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.
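A small triage helper for the /var/log/messages line quoted in the thread, added here as an example and not part of the bug report or of pam_krb5 itself. It decodes the two numbers pam_krb5 logs (the Kerberos protocol error code and its com_err value), checks that they agree, and names what to verify first for the codes the thread touches on; the syslog prefixes in the sample lines are constructed.

```python
import re
from typing import Optional

# Base of MIT Kerberos' com_err error table (ERROR_TABLE_BASE_krb5). A logged
# pair "KRB5 error code N (V)" should satisfy V == BASE + N; the thread's
# -1765328332 is BASE + 52.
KRB5_ERROR_TABLE_BASE = -1765328384

# Protocol codes relevant to the thread (names as in MIT krb5's krb5_err.et).
KRB5_ERROR_NAMES = {
    23: "KRB5KDC_ERR_KEY_EXP: password has expired",
    37: "KRB5KRB_AP_ERR_SKEW: clock skew too great (5 minute default)",
    52: "KRB5KRB_ERR_RESPONSE_TOO_BIG: KDC reply too large for UDP",
}

# Defender-side hint per code: the first thing to check.
TRIAGE_HINTS = {
    23: "check the account's password expiry attributes on the KDC",
    37: "check NTP synchronisation between client and KDC",
    52: ("AD tickets carry a PAC that grows with group membership; confirm the "
         "client can reach the KDC over TCP/88 and review the user's group count"),
}

LOG_RE = re.compile(r"KRB5 error code (\d+) \((-?\d+)\)")


def parse_krb5_log_line(line: str) -> Optional[dict]:
    """Return a triage record for a pam_krb5 failure line, or None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    code, com_err = int(m.group(1)), int(m.group(2))
    return {
        "code": code,
        "com_err": com_err,
        # A mismatch means the two numbers did not come from the same error.
        "consistent": com_err == KRB5_ERROR_TABLE_BASE + code,
        "name": KRB5_ERROR_NAMES.get(code, f"unknown krb5 protocol code {code}"),
        "hint": TRIAGE_HINTS.get(code, "look the code up in krb5_err.et"),
    }


def triage(lines) -> list:
    """Return one record per line that carries a KRB5 error code."""
    return [r for r in (parse_krb5_log_line(l) for l in lines) if r is not None]


# Constructed sample log: the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "Jul 16 22:45:10 host login[1234]: authenticate error: KRB5 error code 52 (-1765328332)",
    "Jul 16 22:46:02 host sshd[1240]: authenticate error: KRB5 error code 37 (-1765328347)",
    "Jul 16 22:47:11 host sshd[1251]: pam_unix(sshd:auth): authentication failure",
]
```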