Bug 128067

Summary: pam_krb5 Active Directory authentication broken
Product: Red Hat Enterprise Linux 3
Reporter: Joshua Daniel Franklin <joshuadfranklin>
Component: pam_krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED WONTFIX
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 3.0
CC: jasonsauve77, k.georgiou, tao
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-19 19:22:25 UTC

Attachments:
/etc/pam.d/system-auth
/etc/krb5.conf

Description Joshua Daniel Franklin 2004-07-16 22:45:10 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040207 Firefox/0.8

Description of problem:
We are upgrading from older versions of Red Hat Linux (mostly Red Hat
7.3) and have found that Kerberos authentication broke for us. We use
Active Directory with a Windows Server 2003 as our main KDC.

Installing pam_krb5-1.55-1 from Red Hat 7.3 on a test client works,
but pam_krb5-1.60-1 from Red Hat 9 does not. I also tried the Mandrake
pam_krb5-1.56-2 RPM linked below, which includes some of the changes
between 1.55-1 and 1.60-1:

<http://rpmfind.net//linux/RPM/mandrake/9.1/contrib/i586/pam_krb5-1.56-2mdk.i586.html>

Failure indicated by /var/log/messages:
Jul 16 14:13:44 mass sshd[10685]: pam_krb5: authenticate error: KRB5
error code 52 (-1765328332)
Jul 16 14:13:44 mass sshd[10685]: pam_krb5: authentication fails for
`joshuadf'
Jul 16 14:13:47 mass sshd[10685]: Failed password for joshuadf from
128.95.122.2 32 port 43393 ssh2

This is the same error message (error code 52) as bug #114938, but in
our case downgrading fixes the problem. We would much prefer to stay
with the supported packages. 

Version-Release number of selected component (if applicable):
pam_krb5-1.73-1

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL3 and set krb5 authentication to a Win2k3 Server
2. Attempt to log in
Actual Results:  /var/log/messages shows Error Code 52 entries.

Expected Results:  Successful login.

Additional info:
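As an added aid for reading the log lines quoted above (example code written for this page, not part of the report or of pam_krb5): the module logs both the Kerberos protocol error code and the signed value libkrb5 returned, and the two are consistent when the signed value equals MIT Kerberos' krb5 error-table base (-1765328384) plus the protocol code. The script below decodes that pair to its RFC 4120 name and tallies pam_krb5 failures per user over constructed syslog lines in the same format as the report.

```python
import re
from collections import Counter

# MIT libkrb5's com_err base for the krb5 error table: the signed value pam_krb5
# logs in parentheses is this base plus the RFC 4120 protocol error code
# (-1765328384 + 52 == -1765328332, the pair quoted in the report).
ERROR_TABLE_BASE_KRB5 = -1765328384

# RFC 4120 section 7.5.9 error codes (subset useful for login triage).
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
}

# Both patterns capture the syslog "prog[pid]" so the two lines can be paired.
AUTH_ERR = re.compile(r"(\w+\[\d+\]): pam_krb5: authenticate error: KRB5 error code (\d+) \((-?\d+)\)")
AUTH_FAIL = re.compile(r"(\w+\[\d+\]): pam_krb5: authentication fails for `([^']+)'")

def decode_krb5_error(proto_code, com_err_value):
    """Map the two logged numbers to a symbolic name, flagging disagreement."""
    if com_err_value != ERROR_TABLE_BASE_KRB5 + proto_code:
        return "INCONSISTENT_CODES"
    return KRB_ERROR_NAMES.get(proto_code, "KRB5_ERR_%d" % proto_code)

def summarize_pam_krb5(lines):
    """Count failures per (user, error name). pam_krb5 logs the error code one
    line before the 'authentication fails for' line that names the user."""
    pending, counts = {}, Counter()
    for line in lines:
        err = AUTH_ERR.search(line)
        if err:
            pending[err.group(1)] = decode_krb5_error(int(err.group(2)), int(err.group(3)))
            continue
        fail = AUTH_FAIL.search(line)
        if fail:
            counts[(fail.group(2), pending.pop(fail.group(1), "UNKNOWN"))] += 1
    return counts

# Constructed sample lines in the format quoted in the report (not real logs).
SAMPLE_LOG = [
    "Jul 16 14:13:44 mass sshd[10685]: pam_krb5: authenticate error: KRB5 error code 52 (-1765328332)",
    "Jul 16 14:13:44 mass sshd[10685]: pam_krb5: authentication fails for `joshuadf'",
    "Jul 16 14:20:01 mass sshd[10702]: pam_krb5: authenticate error: KRB5 error code 37 (-1765328347)",
    "Jul 16 14:20:01 mass sshd[10702]: pam_krb5: authentication fails for `alice'",
]
```

Running summarize_pam_krb5(SAMPLE_LOG) attributes one KRB_ERR_RESPONSE_TOO_BIG failure to joshuadf and one KRB_AP_ERR_SKEW failure to alice.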

Comment 1 Jason Sauve 2004-07-20 13:07:55 UTC
Created attachment 102067 [details]
/etc/pam.d/system-auth

Comment 2 Jason Sauve 2004-07-20 13:08:56 UTC
Created attachment 102068 [details]
/etc/krb5.conf

Comment 3 Jason Sauve 2004-07-20 13:11:29 UTC
We're using Active Directory on Windows Server 2003 here and pam_krb5-
1.73-1 with no problems, using the same environment as yourself. So 
I'm led to believe there is no problem with the pam_krb5 module. I've 
tested it with RH EL 3, U1 and U2. 

I've attached my system-auth and krb5.conf config files for your 
viewing.

One thing to note is that it is critical that there is proper time 
synchronization between the Kerberos client and the KDC. Any time 
differential > 5 minutes causes Kerberos authentication to fail. 

Comment 4 Kostas Georgiou 2004-07-20 13:19:20 UTC
Bug #114938 might be a possible cause of the problem. Not that I can
imagine any reason why it works with older versions of pam_krb5 though.


Comment 5 Jason Sauve 2004-07-20 13:34:35 UTC
With respect to Bug ID #114938, I'm successfully using

krb5-libs-1.2.7-21
krb5-devel-1.2.7-21
krb5-workstation-1.2.7-21
pam_krb5-1.73-1


Comment 6 Joshua Daniel Franklin 2004-07-20 14:44:17 UTC
Yes, I know about the time issue and have made sure that time is
properly synchronized. That problem does not give "error code 52" anyway.

Are any of your Active Directory users members of more than 10 groups?

One other thing I've noticed, with the older pam_krb5 it gives me the
message "Password expired.  You must change it now." on login although
Active Directory has "Password never expires." Has the expired
password handling in pam_krb5 changed? 

Comment 7 Brett L. Trotter 2004-08-04 19:54:24 UTC
This could be related to this bug:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=114938

Comment 8 Brett L. Trotter 2004-08-04 20:05:56 UTC
sorry about that, missed the above post. Wish there was an option to
delete a comment we posted! =)

Comment 9 imwired 2004-08-19 16:20:29 UTC
We too (Hertz) are having trouble using Active Directory accounts for
login.  kinit works. The problem is with new AD accounts migrated from
the old domain controller.  New AD accounts work.  /var/log/messages
reports "authenticate error: KRB5 error code 52 (-1765328332)".

We found the problem is in pam_krb5. 

We fixed this in RedHat ES 2.1 by compiling krb5-1.2.4-11 and
pam_krb5-2.0.4-1.  Then we installed pam_krb5-2.0.4-1.i386.rpm,
krb5-devel-1.2.4-11.i386 and krb-libs-1.2.4-11.i386.rpm.

We fixed RedHat ES 3 by building pam_krb5-1.73-1 from Fedora Core 1 and
installing it.



Comment 12 RHEL Program Management 2007-10-19 19:22:25 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.

For more information on the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/

If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.