Bug 109331 - 1.7 -> 2.04 breaks authentication against Active Directory
Summary: 1.7 -> 2.04 breaks authentication against Active Directory
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5   
(Show other bugs)
Version: 1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2003-11-06 21:30 UTC by David L. Parsley
Modified: 2007-11-30 22:10 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-10-25 20:42:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description David L. Parsley 2003-11-06 21:30:33 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031030 Epiphany/1.0.4

Description of problem:
Using the new pam_krb5, auth fails, and I find this in /var/log/messages:
Nov  6 15:24:45 ioreth login[4105]: pam_krb5[4105]: authentication
fails for 'parsley': Authentication failure (KDC reply did not match

I built the 1.70 version, rpm -e pam_krb5, rpm -Uvh pam_krb5-1.70-1,
and it works; no config changes needed.  (same config that worked for
RH8 and RHEL3)

Sniffing the wire, I saw an error like KRB5KDC_PREAUTH_REQUIRED twice.
(error code from memory)

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Setup active directory on w2k
2. Configure kerberos with correct realm & your.ad.server:88
3. Try logging in

Actual Results:  Login failed

Expected Results:  Login succeeding

Additional info:

Comment 1 aleahy 2003-11-19 18:01:39 UTC
I posted a question about this problem to the fedora list, but didn't
receive a reply.  I don't think it's helpful, but here's the output
from /var/log/secure when debug is turned on in the pam_krb5 module.  

Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: default/local
realm 'KNOX.EDU'
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: configured realm
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: flags: forwardable
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: flag: user_check
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: flag: no krb4_convert
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: flag: warn
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: renewable
lifetime: 36000
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: banner: Kerberos 5
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: ccache dir: /tmp
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: keytab:
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]: called to update
credentials for 'aleahy'
Nov 19 11:41:53 huygens sshd[4949]: pam_krb5[4949]:
_pam_krb5_sly_refresh returning 0 (Success)

The same message as discussed in the original bug report shows up
in /var/log/messages.  As I mentioned in my e-mail to the fedora list,
I came up with a link to another report of this when I googled the


This page refers to this problem as a "major problem".  I have to
agree.  Having my default authentication scheme fail during the
upgrade is a major headache to deal with.

Comment 2 Nalin Dahyabhai 2003-11-19 18:45:32 UTC
Yeah, I was still sorting out what was going on.

You're getting a KRB5_KDCREP_MODIFIED error because the AD server
receives a request for a TGT with (lifetime= 24 hours, renewable_time
= 10 hours) and responds with a TGT with (lifetime=24 hours,
renewable_time = 24 hours), and libkrb5 treats that as an error.  (You
can reproduce this with kinit by passing -l 24:00:00 -r 10:00:00 on
its command line.)

A quick fix is to change the renew_lifetime setting in /etc/krb5.conf
to something higher than 24 hours (24 * 60 * 60 = 86400) or drop it to
zero, so that the requested TGT won't be renewable.

This wasn't a problem before because the default requested lifetime
was 10 hours in krb5 1.2, and that corresponded with the renewable
lifetime in the default configuration.  The default requested lifetime
was upped to 24 hours in krb5 1.3.

With the current combination of krb5 and pam_krb5 in FC1, the default
requested lifetime can't be changed, either.  pam_krb5 2.0.x doesn't
support that option, because I mistakenly believed that it would
duplicate some of the functionality of libkrb5.  That'll have to be fixed.

Comment 3 karel 2003-11-20 13:51:23 UTC
Thanks, Nalin. I wrote the webpage above and your quickfix of setting 
renew_lifetime=86500 in /etc/krb5.conf works for me. I'll update my page. 

Comment 4 Nalin Dahyabhai 2003-11-26 00:30:25 UTC
I'm pushing out a test (watch for mail on fedora-test-list) which
should honor ticket_lifetime in the [appdefaults] "pam" section again.
 This should make the default settings in /etc/krb5.conf work again. 
Please test it and follow up here, whether it works or not.  Thanks!

Comment 5 Nalin Dahyabhai 2003-12-18 20:37:27 UTC
The pam_krb5-1.0.5-1 update in FC1 testing should fix this bug.  Please
test it and follow up here (even if it works, which is what I expect).

Comment 6 Need Real Name 2004-02-10 09:24:33 UTC
After updating to pam_krb5-2.0.5-1 this morning and following the
listed steps above, I have authentication against AD working OK except
in the case that the local password is the same as the AD password for
the same username.  If you make the password different, it works fine
but when they are the same, the following shows up in /var/log/secure
(with debug set in /etc/krb5.conf)
Feb 10 19:15:25 s913mklap login: pam_krb5[10970]:
krb5_get_init_creds_password(krbtgt/QUT.EDU.AU@QUT.EDU.AU) returned
-1765328360 (Preauthentication failed)
Feb 10 19:15:25 s913mklap login: pam_krb5[10970]: pam_acct_mgmt
returning 7 (Authentication failure)
logins as root or use of su also not functional (especially if
minimum_uid set).  Am using authconfig and
redhat-config-authentication to select/deselect authentication details.
I suspect that on the machines I am applying this I can work around
the same password problem but the root login is a bit of an annoyance.

Comment 7 Michael Young 2004-06-11 15:26:18 UTC
#6 is probably a bug 113247 

Comment 8 Matthew Miller 2006-07-11 17:45:15 UTC
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.


NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.

Comment 9 John Thacker 2006-10-25 20:42:02 UTC
Closing per lack of response.  Also note that FC1 and FC2 are no longer
supported even by Fedora Legacy.  If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy.  If it still occurs on FC5 or FC6,
please reopen and assign to the correct version.

Note You need to log in before you can comment on or make changes to this bug.