Bug 11738

Summary: unable to dlopen (/lib/security/pam_krb5.so)
Product: [Retired] Red Hat Linux Reporter: C. Ray Ng <crn1>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2CC: katzj
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-07-17 19:29:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description C. Ray Ng 2000-05-29 23:38:30 UTC 
Looks like the pam_krb5 rpm has not been updated to match the
remake of krb5-1.1.1-16 releases. Login using pam_krb5 failed:

login: PAM adding faulty module: /lib/security/pam_krb5.so
Comment 1 Nalin Dahyabhai 2000-05-31 03:19:02 UTC 
What are the contents of /etc/pam.d/login?  Are there any messages preceding
this line in /var/log/messages that would indicate what it is that's making the
module faulty?
Comment 2 Nalin Dahyabhai 2000-06-04 17:12:15 UTC 
> Here is my previous /etc/pam.d/login which worked under
> krb5-workstation-1.0.5:
>
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_krb5.so
> auth       sufficient   /lib/security/pam_pwdb.so shadow nullok
> account    required     /lib/security/pam_pwdb.so
> password   required     /lib/security/pam_cracklib.so
> password   required     /lib/security/pam_pwdb.so nullok use_authtok md5
shadow
> session    required     /lib/security/pam_pwdb.so
> session    optional     /lib/security/pam_console.so
> 
> And the updated /etc/pam.d/login (copied from
/usr/doc/pam_krb5-1/pam.d/login):
> 
> #%PAM-1.0
> auth    required        /lib/security/pam_securetty.so
> auth    required        /lib/security/pam_nologin.so
> auth    sufficient      /lib/security/pam_unix.so shadow md5 nullok likeauth
> auth    required        /lib/security/pam_krb5.so use_first_pass
> account required        /lib/security/pam_unix.so
> password        required        /lib/security/pam_cracklib.so
> password        required        /lib/security/pam_unix.so shadow md5 nullok
use_authtok
> session required        /lib/security/pam_unix.so
> session optional        /lib/security/pam_krb5.so
> session optional        /lib/security/pam_console.so
>
> Section of /var/log/message related to pam while logging in on the console:
> 
> May 31 13:55:51 lnxhost login: PAM unable to dlopen(/lib/security/pam_krb5.so)
> May 31 13:55:51 lnxhost login: PAM [dlerror: libkrbafs.so.1: cannot open 
> shared object file: No such file or directory]
> May 31 13:55:51 lnxhost login: PAM adding faulty module: 
> /lib/security/pam_krb5.so
> May 31 13:55:54 lnxhost PAM_unix[1878]: authentication
> failure;LOGIN(uid=0) -> crn for login service
> May 31 13:55:57 lnxhost login[1878]: FAILED LOGIN SESSION FROM (null)
> FOR crn, Module is unknown
> May 31 13:55:59 lnxhost login: PAM unable to
> dlopen(/lib/security/pam_krb5.so)
> May 31 13:55:59 lnxhost login: PAM [dlerror: libkrbafs.so.1: cannot open
> shared object file: No such file or directory]
> May 31 13:55:59 lnxhost login: PAM adding faulty module:
> /lib/security/pam_krb5.so
> May 31 13:56:03 lnxhost PAM_unix[1959]: authentication failure;
> LOGIN(uid=0) -> crn for login service
>
> We don't use AFS here, so the message about missing libkrbafs.so is
> expected, I suppose.
> Remote klogin works okay, BTW.

We've never shipped Kerberos 5 1.0.5.  A problem loading the krbafs.so.1 shared
library is what's causing the module to not load properly.  Do you have the
krbafs package installed?
Comment 3 Nalin Dahyabhai 2000-06-07 23:16:14 UTC 
> But when I tried to install krbafs.so from krbafs-1.0-3,
> ldconfig gave me a warning and skipping over it:
>
> /sbin/ldconfig: warning: can't open /usr/lib/qt-2.0.1/lib
> (No such file or directory), skipping
>
>  can be found in qt-Xt-2.1.0 or qt-devel-2.1.0,
> but no where can I find qt-2.0.1 on the CDs. Is it a typo or
> I have to go back to version 2.0.1?

No, but for some reason you still have /usr/lib/qt-2.0.1/lib listed in your
/etc/ld.so.conf file.  Open it up in a text editor and remove it.
Comment 4 Jeremy Katz 2000-07-17 15:12:12 UTC 
Was this problem taken care of by installing the krbafs package?  I can't
reproduce in rawhide or 6.2 with the krbafs package installed on the system.
Comment 5 C. Ray Ng 2000-07-17 19:29:15 UTC 
Resulution of this problem:

1) Install krbafs package to satify a reference for libkrbafs.so,
   even AFS is not in use. (Should it be put in dependence check
   for installing krb5?)

2) Remove /usr/lib/qt-2.0.1 in /etc/ld.so.conf if it appeared there.

3) Replace all files /etc/pam.d with those in /usr/doc/pam_krb-1/pam.d
   (One should be very careful about the wholesale changes if local
    modifications/policies were made.)

4) The kde pam file is missing in /usr/doc/pam_krb_1/pam.d, so one
   need to copy, say, /etc/pam.d/xdm to /etc/pam.d/kde.

Now it works like a charm.
Comment 6 Nalin Dahyabhai 2000-07-21 22:05:00 UTC 
Looks like that solved it.  The new authconfig/pam setup in Raw Hide
should simplify enabling Kerberos 5 support (as well as making it much
safer and easier to back it out) in subsequent releases.