Red Hat Bugzilla – Bug 128067
pam_krb5 Active Directory authentication broken
Last modified: 2007-11-30 17:07:03 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Description of problem:
We are upgrading from older versions of Red Hat Linux (mostly Red Hat
7.3) and have found that Kerberos authentication broke for us. We use
Active Directory with a Windows Server 2003 as our main KDC.
Installing pam_krb5-1.55-1 from Red Hat 7.3 on a test client works,
but pam_krb5-1.60-1 from Red Hat 9 does not. I also tried the Mandrake
pam_krb5-1.56-2 RPM linked below, which includes some of the changes
between 1.55-1 and 1.60-1:
Failure indicated by /var/log/messages:
Jul 16 14:13:44 mass sshd: pam_krb5: authenticate error: KRB5
error code 52 (-1765328332)
Jul 16 14:13:44 mass sshd: pam_krb5: authentication fails for
Jul 16 14:13:47 mass sshd: Failed password for joshuadf from
126.96.36.199 32 port 43393 ssh2
This is the same error message (error code 52) as bug #114938, but in
our case downgrading fixes the problem. We would much prefer to stay
with the supported packages.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install RHEL3 and set krb5 authentication to a Win2k3 Server
2. Attempt to log in
Actual Results: /var/log/messages shows Error Code 52 entries.
Expected Results: Successful login.
Created attachment 102067
Created attachment 102068
We're using Active Directory on Windows Server 2003 here and pam_krb5-
1.73-1 with no problems, using the same environment as yourself. So
I'm led to believe there is no problem with the pam_krb5 module. I've
tested it with RH EL 3, U1 and U2.
I've attached my system-auth and krb5.conf config files for your
One thing to note is that it is critical that there is proper time
synchronization between the Kerberos client and the KDC. Any time
differential > 5 minutes causes Kerberos authentication to fail.
Bug:114938 might be a possible cause of the problem. Not that I can
imagine any reason why it works with older versions of pam_krb5 though.
With respect to Bug ID #114938, I'm successfully using
Yes, I know about the time issue and have made sure that time is
properly synchronized. That problem does not give "error code 52" anyway.
Are any of your Active Directory users members of more than 10 groups?
One other thing I've noticed, with the older pam_krb5 it gives me the
message "Password expired. You must change it now." on login although
Active Directory has "Password never expires." Has the expired
password handling in pam_krb5 changed?
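Added example, not code from the bug report or from pam_krb5: a small triage helper for the syslog line quoted above. MIT krb5 builds every error as a fixed table base plus a small code, so the two numbers in the log can be checked against each other, and code 52 is KRB5KRB_ERR_RESPONSE_TOO_BIG (the KDC reply did not fit in a UDP datagram), which is a different code from clock skew (37); the regular expression and the sample log lines are assumptions constructed from this thread.

```python
import re

# com_err table base for MIT krb5; each krb5 error is this base plus a
# small code, which is why the syslog line shows both "52" and "-1765328332".
ERROR_TABLE_BASE_KRB5 = -1765328384

# Names for the codes this thread turns on (subset of krb5_err.et).
KRB5_ERR_NAMES = {
    37: "KRB5KRB_AP_ERR_SKEW: clock skew too great (NTP problem)",
    52: "KRB5KRB_ERR_RESPONSE_TOO_BIG: response too big for UDP, retry with TCP "
        "(typical when a large PAC from many group memberships inflates the reply)",
}

# Assumed pattern for the pam_krb5 message shown in /var/log/messages.
LOG_RE = re.compile(r"pam_krb5: authenticate error: KRB5 error code (\d+) \((-?\d+)\)")


def decode_krb5_error(line):
    """Return a dict describing the krb5 error in a syslog line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    small, full = int(m.group(1)), int(m.group(2))
    return {
        "code": small,
        "full": full,
        # A mismatch means the log line was truncated or hand-edited.
        "consistent": full == ERROR_TABLE_BASE_KRB5 + small,
        "name": KRB5_ERR_NAMES.get(small, "unknown krb5 error code"),
    }


def triage(lines):
    """Decode every pam_krb5 authenticate error found in an iterable of log lines."""
    return [d for d in (decode_krb5_error(l) for l in lines) if d is not None]


# Constructed sample, joined from the wrapped lines in the report above.
SAMPLE_LOG = [
    "Jul 16 14:13:44 mass sshd: pam_krb5: authenticate error: KRB5 error code 52 (-1765328332)",
    "Jul 16 14:13:44 mass sshd: pam_krb5: authentication fails for joshuadf",
    "Jul 16 14:13:47 mass sshd: Failed password for joshuadf from 126.96.36.199 port 43393 ssh2",
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["code"], entry["name"], "consistent" if entry["consistent"] else "MISMATCH")
```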
This could be related to this bug:
sorry about that, missed the above post. Wish there was an option to
delete a comment we posted! =)
We too (Hertz) are having trouble using Active Directory accounts for
login. kinit works. The problem is with new AD accounts migrated from
the old domain controller. New AD accounts work. /var/log/messages
reports "authenticate error: KRB5 error code 52 (-1765328332)".
We found the problem is in pam_krb5.
We fixed this in RedHat ES 2.1 by compiling krb5-1.2.4-11 and
pam_krb5-2.0.4-1. Then we installed pam_krb5-2.0.4-1.i386.rpm,
krb5-devel-1.2.4-11.i386 and krb-libs-1.2.4-11.i386.rpm.
We fixed RedHat ES 3 by building pam_krb5-1.73-1 from Fedora Core 1 and
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
For more information of the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.