diff --git a/check.c b/check.c
index 071cbd426..b6e7cdcee 100644
--- a/check.c
+++ b/check.c
@@ -581,7 +581,11 @@ int sudo_krb_validate_user(user, pass)
 (void) sprintf(tkfile, "%s/tkt%d", _PATH_SUDO_TIMEDIR, uid);
 (void) krb_set_tkt_string(tkfile);
- /* Update the ticket if password is ok */
+ /*
+ * Update the ticket if password is ok. Kerb4 expects
+ * the ruid and euid to be the same here so we setuid to root.
+ */
+ set_perms(PERM_ROOT);
 k_errno = krb_get_pw_in_tkt(user, "", realm, "krbtgt", realm, DEFAULT_TKT_LIFE, pass);
@@ -595,6 +599,9 @@ int sudo_krb_validate_user(user, pass)
 (void) fprintf(stderr, "Warning: Kerberos error: %s\n", krb_err_txt[k_errno]);
+ /* done with rootly stuff */
+ set_perms(PERM_USER);
+ return(!(k_errno == INTK_OK));
 }
 #endif /* HAVE_KERB4 */
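Review bot: In the first hunk (@@ -581,7 +581,11 @@) `krb_get_pw_in_tkt()` now runs with real and effective uid 0, so the Kerberos 4 library handles the KDC reply and, presumably, writes the ticket file named by `tkfile` with full root privilege, and the new comment does not record what that depends on. The file name is predictable (`tkt%d` with the uid, under `_PATH_SUDO_TIMEDIR`), so a root write there is only safe if that directory is root-owned and not writable by other users; whether that is enforced is not visible in this diff and should be confirmed. I would add a line to the comment such as `* tkfile is written as root: _PATH_SUDO_TIMEDIR must be root-owned and not group/world-writable.` The `sprintf()` into `tkfile` in the context lines is unbounded as well, but the declaration of `tkfile` and the start of sudo_krb_validate_user() lie outside the hunk.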
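Review bot: In the second hunk (@@ -595,6 +599,9 @@) the drop back through `set_perms(PERM_USER)` sits only on the fall-through path just before the final `return`, so any earlier exit in the lines between the two hunks (not visible here) would leave the process running as root. It also restores `PERM_USER` unconditionally rather than whatever state the caller had on entry, which is an assumption about callers that the comment should state. I would word the comment as `/* drop root again; every path after set_perms(PERM_ROOT) must reach this call */`. The function begins outside the hunk.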