PAM / krb5 shared library problems - Kerberos

This is a discussion on PAM / krb5 shared library problems - Kerberos ; I built MIT Kerberos 1.5.1 and pam_krb5.so (3.1) on RHEL 3 and I am getting the following errors with PAM. I strongly suspect there is something misconfigured on my system that is making the symbols in pam_krb5.so not match those ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: PAM / krb5 shared library problems

  1. PAM / krb5 shared library problems

    I built MIT Kerberos 1.5.1 and pam_krb5.so (3.1) on RHEL 3 and I am
    getting the following errors with PAM. I strongly suspect there is
    something misconfigured on my system that is making the symbols in
    pam_krb5.so not match those in /usr/local/lib/libkrb5.so.3. I tried
    configuring pam with and without krb5-config (no change). Any ideas
    what I am doing wrong or how to fix this? Sorry if this is a little too
    verbose, I just wanted to include the needed information. It appears
    that the krb5_cc_store_cred symbol referenced in pam is in a different
    namespace than the one in libkrb5.so.

    Any help is greatly appreciated.

    Jan 12 14:28:05 workstation1 sshd[20010]: PAM unable to
    dlopen(/lib/security/$ISA/pam_krb5.so)
    Jan 12 14:28:05 workstation1 sshd[20010]: PAM [dlerror:
    /lib/security/../../lib/security/pam_krb5.so: symbol krb5_cc_store_cred,
    version krb5_3_MIT not defined in file libkrb5.so.3 with link time
    reference]
    Jan 12 14:28:05 workstation1 sshd[20010]: PAM adding faulty module:
    /lib/security/$ISA/pam_krb5.so


    [root@workstation1 local]# nm /lib/security/pam_krb5.so
    U access@@GLIBC_2.0
    00007484 A __bss_start
    000025fc t build_ccache_name
    00002200 t cache_init
    00001e60 t call_gmon_start
    U calloc@@GLIBC_2.0
    000022d8 t canonicalize_name
    U chown@@GLIBC_2.1
    U close@@GLIBC_2.0
    00007484 b completed.1
    00002778 t create_session_context
    0000732c d __CTOR_END__
    00007328 d __CTOR_LIST__
    w __cxa_finalize@@GLIBC_2.1.3
    00004714 t default_boolean
    00004690 t default_number
    00004624 t default_string
    0000474c t default_time
    00005984 t __do_global_ctors_aux
    00001e84 t __do_global_dtors_aux
    00007240 d __dso_handle
    00007334 d __DTOR_END__
    00007330 d __DTOR_LIST__
    00007248 A _DYNAMIC
    00007484 A _edata
    0000623c r __EH_FRAME_BEGIN__
    00007488 A _end
    U __errno_location@@GLIBC_2.0
    U error_message@@com_err_3_MIT
    U fclose@@GLIBC_2.1
    U fgets@@GLIBC_2.0
    U fileno@@GLIBC_2.0
    000059b8 T _fini
    U fopen@@GLIBC_2.1
    00001eec t frame_dummy
    0000623c r __FRAME_END__
    U free@@GLIBC_2.0
    U __fxstat@@GLIBC_2.0
    U getenv@@GLIBC_2.0
    000020dc t get_krb5ccname
    00002ee0 t get_new_password
    U getpid@@GLIBC_2.0
    U getpwnam@@GLIBC_2.0
    0000733c A _GLOBAL_OFFSET_TABLE_
    w __gmon_start__
    00001998 T _init
    00007338 d __JCR_END__
    00007338 d __JCR_LIST__
    w _Jv_RegisterClasses
    00003604 t k5login_password_auth
    U krb5_aname_to_localname@@krb5_3_MIT
    U krb5_appdefault_boolean@@krb5_3_MIT
    U krb5_appdefault_string@@krb5_3_MIT
    U krb5_cc_close@@krb5_3_MIT
    U krb5_cc_default_name@@krb5_3_MIT
    U krb5_cc_destroy@@krb5_3_MIT
    U krb5_cc_end_seq_get@@krb5_3_MIT
    U krb5_cc_get_name@@krb5_3_MIT
    U krb5_cc_get_principal@@krb5_3_MIT
    U krb5_cc_initialize@@krb5_3_MIT
    U krb5_cc_next_cred@@krb5_3_MIT
    U krb5_cc_resolve@@krb5_3_MIT
    U krb5_cc_start_seq_get@@krb5_3_MIT
    U krb5_cc_store_cred@@krb5_3_MIT
    U krb5_change_password@@krb5_3_MIT
    U krb5_free_context@@krb5_3_MIT
    U krb5_free_cred_contents@@krb5_3_MIT
    U krb5_free_data_contents@@krb5_3_MIT
    U krb5_free_principal@@krb5_3_MIT
    U krb5_get_default_realm@@krb5_3_MIT
    U krb5_get_init_creds_opt_init@@krb5_3_MIT
    U krb5_get_init_creds_opt_set_forwardable@@krb5_3_MI T
    U krb5_get_init_creds_opt_set_renew_life@@krb5_3_MIT
    U krb5_get_init_creds_opt_set_tkt_life@@krb5_3_MIT
    U krb5_get_init_creds_password@@krb5_3_MIT
    U krb5_init_context@@krb5_3_MIT
    U krb5_kt_resolve@@krb5_3_MIT
    U krb5_kuserok@@krb5_3_MIT
    U krb5_parse_name@@krb5_3_MIT
    U krb5_set_default_realm@@krb5_3_MIT
    U krb5_string_to_deltat@@krb5_3_MIT
    U krb5_unparse_name@@krb5_3_MIT
    U krb5_verify_init_creds@@krb5_3_MIT
    U krb5_verify_init_creds_opt_init@@krb5_3_MIT
    U malloc@@GLIBC_2.0
    U memcpy@@GLIBC_2.0
    U memset@@GLIBC_2.0
    U mkstemp@@GLIBC_2.0
    00007244 d p.0
    U pam_get_data
    U pam_getenv
    U pam_get_item
    U pam_get_user
    0000453c T pamk5_args_free
    000044c8 t pamk5_args_new
    000047f8 T pamk5_args_parse
    00005864 T pamk5_authorized
    00003e1c T pamk5_compat_free_data_contents
    00003ef0 T pamk5_compat_free_realm
    00003e40 T pamk5_compat_get_err_text
    00003e60 T pamk5_compat_set_realm
    00004164 T pamk5_context_destroy
    00004054 T pamk5_context_fetch
    000040a4 T pamk5_context_free
    00003f38 T pamk5_context_new
    000052ac T pamk5_conv
    000041f4 T pamk5_credlist_append
    00004244 T pamk5_credlist_copy
    000041a0 T pamk5_credlist_free
    00004190 T pamk5_credlist_new
    000042dc T pamk5_credlist_store
    0000439c T pamk5_debug
    00004460 T pamk5_debug_krb5
    00004420 T pamk5_debug_pam
    00004324 T pamk5_error
    0000506c T pamk5_get_password
    00003930 T pamk5_password_auth
    000053cc T pamk5_prompter_krb5
    000057d8 T pamk5_should_ignore
    U pam_putenv
    U pam_set_data
    U pam_set_item
    00001f28 T pam_sm_acct_mgmt
    000023a4 T pam_sm_authenticate
    00003218 T pam_sm_chauthtok
    000034a0 T pam_sm_close_session
    00003478 T pam_sm_open_session
    00002908 T pam_sm_setcred
    U pam_strerror
    000034cc t parse_name
    000030a0 t password_change
    0000359c t set_credential_options
    0000211c t set_krb5ccname
    U snprintf@@GLIBC_2.0
    U sprintf@@GLIBC_2.0
    U strchr@@GLIBC_2.0
    U strcmp@@GLIBC_2.0
    U strcpy@@GLIBC_2.0
    U __strdup@@GLIBC_2.0
    U strerror@@GLIBC_2.0
    U strncat@@GLIBC_2.0
    U strncpy@@GLIBC_2.0
    U __strtol_internal@@GLIBC_2.0
    U syslog@@GLIBC_2.0
    U vsnprintf@@GLIBC_2.0



    [root@workstation1 local]# ldd -r /lib/security/pam_krb5.so
    libpam.so.0 => /lib/libpam.so.0 (0x004ae000)
    libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x00156000)
    libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x0072d000)
    libc.so.6 => /lib/tls/libc.so.6 (0x00d9c000)
    libdl.so.2 => /lib/libdl.so.2 (0x00799000)
    liblaus.so.1 => /lib/liblaus.so.1 (0x00111000)
    libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x00c4f000)
    libkrb5support.so.0 => /usr/local/lib/libkrb5support.so.0
    (0x003dc000)
    libresolv.so.2 => /lib/libresolv.so.2 (0x005d6000)
    /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00667000)


    [root@workstation1 local]# nm /usr/local/lib/libkrb5.so.3|grep
    krb5_cc_store
    000399cc T krb5_cc_store_cred

    Jacob Williams
    Systems Engineer (QSS Group Inc.)
    116th MI GP; Fort Gordon, GA
    706-791-0344 DSN 780-0344

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: PAM / krb5 shared library problems



    Williams, Jacob A CTR USA 116th (QSS) wrote:
    > I built MIT Kerberos 1.5.1 and pam_krb5.so (3.1) on RHEL 3 and I am
    > getting the following errors with PAM. I strongly suspect there is
    > something misconfigured on my system that is making the symbols in
    > pam_krb5.so not match those in /usr/local/lib/libkrb5.so.3. I tried
    > configuring pam with and without krb5-config (no change). Any ideas
    > what I am doing wrong or how to fix this? Sorry if this is a little too
    > verbose, I just wanted to include the needed information. It appears
    > that the krb5_cc_store_cred symbol referenced in pam is in a different
    > namespace than the one in libkrb5.so.
    >
    > Any help is greatly appreciated.
    >


    Was sshd built with kerberos, and is using a diferent version?
    ldd sshd should show this. If so it might load the wrong version.

    Does sshd work if you start it with
    LD_LIBRARY_PATH=/usr/local/lib
    set in the env?

    Was pam_krb5 built with a -rpath to /usr/local/lib to it would
    look there first for shared libs?

    Did you copy your pam_krb5 to /usr/lib/security?
    Or did you give the full path in the pam.conf.


    > Jan 12 14:28:05 workstation1 sshd[20010]: PAM unable to
    > dlopen(/lib/security/$ISA/pam_krb5.so)
    > Jan 12 14:28:05 workstation1 sshd[20010]: PAM [dlerror:
    > /lib/security/../../lib/security/pam_krb5.so: symbol krb5_cc_store_cred,
    > version krb5_3_MIT not defined in file libkrb5.so.3 with link time
    > reference]
    > Jan 12 14:28:05 workstation1 sshd[20010]: PAM adding faulty module:
    > /lib/security/$ISA/pam_krb5.so
    >
    >
    > [root@workstation1 local]# nm /lib/security/pam_krb5.so
    > U access@@GLIBC_2.0
    > 00007484 A __bss_start
    > 000025fc t build_ccache_name
    > 00002200 t cache_init
    > 00001e60 t call_gmon_start
    > U calloc@@GLIBC_2.0
    > 000022d8 t canonicalize_name
    > U chown@@GLIBC_2.1
    > U close@@GLIBC_2.0
    > 00007484 b completed.1
    > 00002778 t create_session_context
    > 0000732c d __CTOR_END__
    > 00007328 d __CTOR_LIST__
    > w __cxa_finalize@@GLIBC_2.1.3
    > 00004714 t default_boolean
    > 00004690 t default_number
    > 00004624 t default_string
    > 0000474c t default_time
    > 00005984 t __do_global_ctors_aux
    > 00001e84 t __do_global_dtors_aux
    > 00007240 d __dso_handle
    > 00007334 d __DTOR_END__
    > 00007330 d __DTOR_LIST__
    > 00007248 A _DYNAMIC
    > 00007484 A _edata
    > 0000623c r __EH_FRAME_BEGIN__
    > 00007488 A _end
    > U __errno_location@@GLIBC_2.0
    > U error_message@@com_err_3_MIT
    > U fclose@@GLIBC_2.1
    > U fgets@@GLIBC_2.0
    > U fileno@@GLIBC_2.0
    > 000059b8 T _fini
    > U fopen@@GLIBC_2.1
    > 00001eec t frame_dummy
    > 0000623c r __FRAME_END__
    > U free@@GLIBC_2.0
    > U __fxstat@@GLIBC_2.0
    > U getenv@@GLIBC_2.0
    > 000020dc t get_krb5ccname
    > 00002ee0 t get_new_password
    > U getpid@@GLIBC_2.0
    > U getpwnam@@GLIBC_2.0
    > 0000733c A _GLOBAL_OFFSET_TABLE_
    > w __gmon_start__
    > 00001998 T _init
    > 00007338 d __JCR_END__
    > 00007338 d __JCR_LIST__
    > w _Jv_RegisterClasses
    > 00003604 t k5login_password_auth
    > U krb5_aname_to_localname@@krb5_3_MIT
    > U krb5_appdefault_boolean@@krb5_3_MIT
    > U krb5_appdefault_string@@krb5_3_MIT
    > U krb5_cc_close@@krb5_3_MIT
    > U krb5_cc_default_name@@krb5_3_MIT
    > U krb5_cc_destroy@@krb5_3_MIT
    > U krb5_cc_end_seq_get@@krb5_3_MIT
    > U krb5_cc_get_name@@krb5_3_MIT
    > U krb5_cc_get_principal@@krb5_3_MIT
    > U krb5_cc_initialize@@krb5_3_MIT
    > U krb5_cc_next_cred@@krb5_3_MIT
    > U krb5_cc_resolve@@krb5_3_MIT
    > U krb5_cc_start_seq_get@@krb5_3_MIT
    > U krb5_cc_store_cred@@krb5_3_MIT
    > U krb5_change_password@@krb5_3_MIT
    > U krb5_free_context@@krb5_3_MIT
    > U krb5_free_cred_contents@@krb5_3_MIT
    > U krb5_free_data_contents@@krb5_3_MIT
    > U krb5_free_principal@@krb5_3_MIT
    > U krb5_get_default_realm@@krb5_3_MIT
    > U krb5_get_init_creds_opt_init@@krb5_3_MIT
    > U krb5_get_init_creds_opt_set_forwardable@@krb5_3_MI T
    > U krb5_get_init_creds_opt_set_renew_life@@krb5_3_MIT
    > U krb5_get_init_creds_opt_set_tkt_life@@krb5_3_MIT
    > U krb5_get_init_creds_password@@krb5_3_MIT
    > U krb5_init_context@@krb5_3_MIT
    > U krb5_kt_resolve@@krb5_3_MIT
    > U krb5_kuserok@@krb5_3_MIT
    > U krb5_parse_name@@krb5_3_MIT
    > U krb5_set_default_realm@@krb5_3_MIT
    > U krb5_string_to_deltat@@krb5_3_MIT
    > U krb5_unparse_name@@krb5_3_MIT
    > U krb5_verify_init_creds@@krb5_3_MIT
    > U krb5_verify_init_creds_opt_init@@krb5_3_MIT
    > U malloc@@GLIBC_2.0
    > U memcpy@@GLIBC_2.0
    > U memset@@GLIBC_2.0
    > U mkstemp@@GLIBC_2.0
    > 00007244 d p.0
    > U pam_get_data
    > U pam_getenv
    > U pam_get_item
    > U pam_get_user
    > 0000453c T pamk5_args_free
    > 000044c8 t pamk5_args_new
    > 000047f8 T pamk5_args_parse
    > 00005864 T pamk5_authorized
    > 00003e1c T pamk5_compat_free_data_contents
    > 00003ef0 T pamk5_compat_free_realm
    > 00003e40 T pamk5_compat_get_err_text
    > 00003e60 T pamk5_compat_set_realm
    > 00004164 T pamk5_context_destroy
    > 00004054 T pamk5_context_fetch
    > 000040a4 T pamk5_context_free
    > 00003f38 T pamk5_context_new
    > 000052ac T pamk5_conv
    > 000041f4 T pamk5_credlist_append
    > 00004244 T pamk5_credlist_copy
    > 000041a0 T pamk5_credlist_free
    > 00004190 T pamk5_credlist_new
    > 000042dc T pamk5_credlist_store
    > 0000439c T pamk5_debug
    > 00004460 T pamk5_debug_krb5
    > 00004420 T pamk5_debug_pam
    > 00004324 T pamk5_error
    > 0000506c T pamk5_get_password
    > 00003930 T pamk5_password_auth
    > 000053cc T pamk5_prompter_krb5
    > 000057d8 T pamk5_should_ignore
    > U pam_putenv
    > U pam_set_data
    > U pam_set_item
    > 00001f28 T pam_sm_acct_mgmt
    > 000023a4 T pam_sm_authenticate
    > 00003218 T pam_sm_chauthtok
    > 000034a0 T pam_sm_close_session
    > 00003478 T pam_sm_open_session
    > 00002908 T pam_sm_setcred
    > U pam_strerror
    > 000034cc t parse_name
    > 000030a0 t password_change
    > 0000359c t set_credential_options
    > 0000211c t set_krb5ccname
    > U snprintf@@GLIBC_2.0
    > U sprintf@@GLIBC_2.0
    > U strchr@@GLIBC_2.0
    > U strcmp@@GLIBC_2.0
    > U strcpy@@GLIBC_2.0
    > U __strdup@@GLIBC_2.0
    > U strerror@@GLIBC_2.0
    > U strncat@@GLIBC_2.0
    > U strncpy@@GLIBC_2.0
    > U __strtol_internal@@GLIBC_2.0
    > U syslog@@GLIBC_2.0
    > U vsnprintf@@GLIBC_2.0
    >
    >
    >
    > [root@workstation1 local]# ldd -r /lib/security/pam_krb5.so
    > libpam.so.0 => /lib/libpam.so.0 (0x004ae000)
    > libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x00156000)
    > libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x0072d000)
    > libc.so.6 => /lib/tls/libc.so.6 (0x00d9c000)
    > libdl.so.2 => /lib/libdl.so.2 (0x00799000)
    > liblaus.so.1 => /lib/liblaus.so.1 (0x00111000)
    > libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x00c4f000)
    > libkrb5support.so.0 => /usr/local/lib/libkrb5support.so.0
    > (0x003dc000)
    > libresolv.so.2 => /lib/libresolv.so.2 (0x005d6000)
    > /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00667000)
    >
    >
    > [root@workstation1 local]# nm /usr/local/lib/libkrb5.so.3|grep
    > krb5_cc_store
    > 000399cc T krb5_cc_store_cred
    >
    > Jacob Williams
    > Systems Engineer (QSS Group Inc.)
    > 116th MI GP; Fort Gordon, GA
    > 706-791-0344 DSN 780-0344
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread