11738 – unable to dlopen (/lib/security/pam_krb5.so)

Bug 11738 - unable to dlopen (/lib/security/pam_krb5.so)

Summary: unable to dlopen (/lib/security/pam_krb5.so)

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	pam_krb5
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nalin Dahyabhai
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2000-05-29 23:38 UTC by C. Ray Ng
Modified:	2008-05-01 15:37 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2000-07-17 19:29:15 UTC
Embargoed:

Attachments	(Terms of Use)

Description C. Ray Ng 2000-05-29 23:38:30 UTC

Looks like the pam_krb5 rpm has not been updated to match the
remake of krb5-1.1.1-16 releases. Login using pam_krb5 failed:

login: PAM adding faulty module: /lib/security/pam_krb5.so

Comment 1 Nalin Dahyabhai 2000-05-31 03:19:02 UTC

What are the contents of /etc/pam.d/login?  Are there any messages preceding
this line in /var/log/messages that would indicate what it is that's making the
module faulty?

Comment 2 Nalin Dahyabhai 2000-06-04 17:12:15 UTC

> Here is my previous /etc/pam.d/login which worked under
> krb5-workstation-1.0.5:
>
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_krb5.so
> auth       sufficient   /lib/security/pam_pwdb.so shadow nullok
> account    required     /lib/security/pam_pwdb.so
> password   required     /lib/security/pam_cracklib.so
> password   required     /lib/security/pam_pwdb.so nullok use_authtok md5
shadow
> session    required     /lib/security/pam_pwdb.so
> session    optional     /lib/security/pam_console.so
> 
> And the updated /etc/pam.d/login (copied from
/usr/doc/pam_krb5-1/pam.d/login):
> 
> #%PAM-1.0
> auth    required        /lib/security/pam_securetty.so
> auth    required        /lib/security/pam_nologin.so
> auth    sufficient      /lib/security/pam_unix.so shadow md5 nullok likeauth
> auth    required        /lib/security/pam_krb5.so use_first_pass
> account required        /lib/security/pam_unix.so
> password        required        /lib/security/pam_cracklib.so
> password        required        /lib/security/pam_unix.so shadow md5 nullok
use_authtok
> session required        /lib/security/pam_unix.so
> session optional        /lib/security/pam_krb5.so
> session optional        /lib/security/pam_console.so
>
> Section of /var/log/message related to pam while logging in on the console:
> 
> May 31 13:55:51 lnxhost login: PAM unable to dlopen(/lib/security/pam_krb5.so)
> May 31 13:55:51 lnxhost login: PAM [dlerror: libkrbafs.so.1: cannot open 
> shared object file: No such file or directory]
> May 31 13:55:51 lnxhost login: PAM adding faulty module: 
> /lib/security/pam_krb5.so
> May 31 13:55:54 lnxhost PAM_unix[1878]: authentication
> failure;LOGIN(uid=0) -> crn for login service
> May 31 13:55:57 lnxhost login[1878]: FAILED LOGIN SESSION FROM (null)
> FOR crn, Module is unknown
> May 31 13:55:59 lnxhost login: PAM unable to
> dlopen(/lib/security/pam_krb5.so)
> May 31 13:55:59 lnxhost login: PAM [dlerror: libkrbafs.so.1: cannot open
> shared object file: No such file or directory]
> May 31 13:55:59 lnxhost login: PAM adding faulty module:
> /lib/security/pam_krb5.so
> May 31 13:56:03 lnxhost PAM_unix[1959]: authentication failure;
> LOGIN(uid=0) -> crn for login service
>
> We don't use AFS here, so the message about missing libkrbafs.so is
> expected, I suppose.
> Remote klogin works okay, BTW.

We've never shipped Kerberos 5 1.0.5.  A problem loading the krbafs.so.1 shared
library is what's causing the module to not load properly.  Do you have the
krbafs package installed?

Comment 3 Nalin Dahyabhai 2000-06-07 23:16:14 UTC

> But when I tried to install krbafs.so from krbafs-1.0-3,
> ldconfig gave me a warning and skipping over it:
>
> /sbin/ldconfig: warning: can't open /usr/lib/qt-2.0.1/lib
> (No such file or directory), skipping
>
>  can be found in qt-Xt-2.1.0 or qt-devel-2.1.0,
> but no where can I find qt-2.0.1 on the CDs. Is it a typo or
> I have to go back to version 2.0.1?

No, but for some reason you still have /usr/lib/qt-2.0.1/lib listed in your
/etc/ld.so.conf file.  Open it up in a text editor and remove it.

Comment 4 Jeremy Katz 2000-07-17 15:12:12 UTC

Was this problem taken care of by installing the krbafs package?  I can't
reproduce in rawhide or 6.2 with the krbafs package installed on the system.

Comment 5 C. Ray Ng 2000-07-17 19:29:15 UTC

Resulution of this problem:

1) Install krbafs package to satify a reference for libkrbafs.so,
   even AFS is not in use. (Should it be put in dependence check
   for installing krb5?)

2) Remove /usr/lib/qt-2.0.1 in /etc/ld.so.conf if it appeared there.

3) Replace all files /etc/pam.d with those in /usr/doc/pam_krb-1/pam.d
   (One should be very careful about the wholesale changes if local
    modifications/policies were made.)

4) The kde pam file is missing in /usr/doc/pam_krb_1/pam.d, so one
   need to copy, say, /etc/pam.d/xdm to /etc/pam.d/kde.

Now it works like a charm.

Comment 6 Nalin Dahyabhai 2000-07-21 22:05:00 UTC

Looks like that solved it.  The new authconfig/pam setup in Raw Hide
should simplify enabling Kerberos 5 support (as well as making it much
safer and easier to back it out) in subsequent releases.

Note You need to log in before you can comment on or make changes to this bug.