From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8

Description of problem:
We are upgrading from older versions of Red Hat Linux (mostly Red Hat 7.3) and have found that Kerberos authentication broke for us. We use Active Directory with a Windows Server 2003 as our main KDC. Installing pam_krb5-1.55-1 from Red Hat 7.3 on a test client works, but pam_krb5-1.60-1 from Red Hat 9 does not. I also tried the Mandrake pam_krb5-1.56-2 RPM linked below, which includes some of the changes between 1.55-1 and 1.60-1:
<http://rpmfind.net//linux/RPM/mandrake/9.1/contrib/i586/pam_krb5-1.56-2mdk.i586.html>

Failure indicated by /var/log/messages:
Jul 16 14:13:44 mass sshd[10685]: pam_krb5: authenticate error: KRB5 error code 52 (-1765328332)
Jul 16 14:13:44 mass sshd[10685]: pam_krb5: authentication fails for `joshuadf'
Jul 16 14:13:47 mass sshd[10685]: Failed password for joshuadf from 128.95.122.2 32 port 43393 ssh2

This is the same error message (error code 52) as bug #114938, but in our case downgrading fixes the problem. We would much prefer to stay with the supported packages.

Version-Release number of selected component (if applicable):
pam_krb5-1.73-1

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL3 and set krb5 authentication to a Win2k3 Server
2. Attempt to log in

Actual Results: /var/log/messages shows Error Code 52 entries.

Expected Results: Successful login.

Additional info:
Created attachment 102067: /etc/pam.d/system-auth
Created attachment 102068: /etc/krb5.conf
We're using Active Directory on Windows Server 2003 here and pam_krb5-1.73-1 with no problems, using the same environment as yourself. So I'm led to believe there is no problem with the pam_krb5 module. I've tested it with RH EL 3, U1 and U2. I've attached my system-auth and krb5.conf config files for your viewing. One thing to note is that it is critical that there is proper time synchronization between the Kerberos client and the KDC. Any time differential > 5 minutes causes Kerberos authentication to fail.
Bug:114938 might be a possible cause of the problem. Not that I can imagine any reason why it works with older versions of pam_krb5 though.
With respect to Bug ID #114938, I'm successfully using:
krb5-libs-1.2.7-21
krb5-devel-1.2.7-21
krb5-workstation-1.2.7-21
pam_krb5-1.73-1
Yes, I know about the time issue and have made sure that time is properly synchronized. That problem does not give "error code 52" anyway. Are any of your Active Directory users members of more than 10 groups? One other thing I've noticed, with the older pam_krb5 it gives me the message "Password expired. You must change it now." on login although Active Directory has "Password never expires." Has the expired password handling in pam_krb5 changed?
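Added example (not part of any comment in this report, and not code from pam_krb5): a triage sketch that pairs each pam_krb5 error line with the failing user by PID and decodes the two error numbers discussed in this thread. The first two sample lines are the ones quoted in the report; the second pair and the user `exampleuser` are constructed. The table base and error names come from MIT krb5 and RFC 4120, not from this page.

```python
import re

# Base of the MIT krb5 error table: library code = base + protocol error number.
KRB5_BASE = -1765328384
# Protocol error numbers from RFC 4120 section 7.5.9 relevant to this thread.
KNOWN = {
    37: "KRB_AP_ERR_SKEW: clock skew too great",
    52: "KRB_ERR_RESPONSE_TOO_BIG: response too big for UDP, retry with TCP",
}
ERR = re.compile(r"\[(\d+)\]: pam_krb5: authenticate error: "
                 r"KRB5 error code (\d+) \((-?\d+)\)")
FAIL = re.compile(r"\[(\d+)\]: pam_krb5: authentication fails for `([^']+)'")

# First two lines are from the report above; the last two are constructed.
SAMPLE = """\
Jul 16 14:13:44 mass sshd[10685]: pam_krb5: authenticate error: KRB5 error code 52 (-1765328332)
Jul 16 14:13:44 mass sshd[10685]: pam_krb5: authentication fails for `joshuadf'
Jul 16 14:20:01 mass sshd[10702]: pam_krb5: authenticate error: KRB5 error code 37 (-1765328347)
Jul 16 14:20:01 mass sshd[10702]: pam_krb5: authentication fails for `exampleuser'
""".splitlines()

def triage(lines):
    """Return one record per pam_krb5 failure, matched to the user by PID."""
    pending, out = {}, []
    for line in lines:
        m = ERR.search(line)
        if m:
            pid, num, code = m.group(1), int(m.group(2)), int(m.group(3))
            pending[pid] = {
                "num": num,
                # Sanity check: the two numbers on the log line must agree.
                "consistent": KRB5_BASE + num == code,
                "meaning": KNOWN.get(num, "not in this table"),
            }
            continue
        m = FAIL.search(line)
        if m and m.group(1) in pending:
            rec = pending.pop(m.group(1))
            rec["user"] = m.group(2)
            out.append(rec)
    return out

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['user']}: code {r['num']} -> {r['meaning']}")
```

Separating code 37 from code 52 in the logs shows at a glance whether a failure is a clock problem or an oversized KDC reply.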
This could be related to this bug: http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=114938
Sorry about that, missed the above post. Wish there was an option to delete a comment we posted! =)
We too (Hertz) are having trouble using Active Directory accounts for login. kinit works. The problem is with new AD accounts migrated from the old domain controller. New AD accounts work. /var/log/messages reports "authenticate error: KRB5 error code 52 (-1765328332)". We found the problem is in pam_krb5. We fixed this in RedHat ES 2.1 by compiling krb5-1.2.4-11 and pam_krb5-2.0.4-1. Then we installed pam_krb5-2.0.4-1.i386.rpm, krb5-devel-1.2.4-11.i386 and krb-libs-1.2.4-11.i386.rpm. We fixed RedHat ES 3 by building pam_krb5-1.73-1 from Fedora Core 1 and installing it.
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet those criteria, it is now being closed. For more information on the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.