Bug 173055 - 32-Bit libraries referenced in /etc/pam.d instead of 64-bit
Summary: 32-Bit libraries referenced in /etc/pam.d instead of 64-bit
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: cyrus-imapd
Version: 4.0
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Petr Rockai
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords:
: 192550 (view as bug list)
Depends On:
Blocks: 176344
TreeView+ depends on / blocked
 
Reported: 2005-11-13 09:19 UTC by Dirk Gfroerer
Modified: 2007-11-30 22:07 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2007-05-01 17:15:10 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0258 normal SHIPPED_LIVE cyrus-imapd bug fix update 2007-05-01 17:14:55 UTC

Description Dirk Gfroerer 2005-11-13 09:19:32 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050921 Red Hat/1.0.7-1.4.1 Firefox/1.0.7

Description of problem:
Installed RHEL 4 U2 ES on a new dual Intel Xeon server. Used the AMD64/EM64T version of RHEL. The server is also used as an IMAP / POP3 server. So we installed cyrus. The authentication is done using saslauthd.
The cryus package creates the /etc/pam.d/imap and /etc/pam.d/pop3 files. These files contain references to the pam_stack.so library. However the reference is in the form /lib/security/pam_stack.so. This seems to be wrong on an AMD64/EM64T machine, since we were getting the following errors:

Nov 12 10:51:46 ghlx02 saslauthd[3986]: PAM unable to dlopen(/lib/security/pam_stack.so)
Nov 12 10:51:46 ghlx02 saslauthd[3986]: PAM [dlerror: /lib/security/pam_stack.so: cannot open shared object file: No such file or directory]
Nov 12 10:51:46 ghlx02 saslauthd[3986]: PAM adding faulty module: /lib/security/pam_stack.so
Nov 12 10:51:46 ghlx02 saslauthd[3986]: do_auth         : auth failure: [user=digf] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

Replacing /lib/security/pam_stack.so with /lib64/security/pam_stack.so in the pam files solved the issue.

Version-Release number of selected component (if applicable):
cyrus-imapd-2.2.12-3.RHEL4.1

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 4U2 x86_64 and cyrus.
2. Choses saslauthd for authentication (default)
3. Try to connect to the imap / pop3 server
  

Actual Results:  Authtentication not possible, errors in /var/log/messages

Expected Results:  Authentication possible.

Additional info:
Comment 1 Shane A. Stillwell 2006-02-20 17:12:27 UTC 
Same exact problem here.

Hardware
Dell PowerEdge 430sc Dual Core
1GB RAM

Software
RHEL 4.2 EL x86_64

Kernel
2.6.9-22.ELsmp

RPMs
pam-0.77-66.11
cyrus-imapd-2.2.12-3.RHEL4.1
cyrus-sasl-2.1.19-5.EL4

-----Error message from saslauthd---
Feb 18 23:46:50 wesley saslauthd[11329]: PAM unable to
dlopen(/lib/security/pam_stack.so)
Feb 18 23:46:50 wesley saslauthd[11329]: PAM [dlerror:
/lib/security/pam_stack.so: cannot open shared object file: No such file or
directory]
Feb 18 23:46:50 wesley saslauthd[11329]: PAM adding faulty module:
/lib/security/pam_stack.so
Feb 18 23:46:50 wesley saslauthd[11329]: do_auth         : auth failure:
[user=sstillwell] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

===================================

Cyrus uses saslauthd to authenticate. 
/etc/imapd.conf
---- snip ---
# Authentication
admins: cyrus
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
allowanonymouslogin: false
 
=========================================

Saslauthd uses pam to authenticate
/etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/var/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled to use.
MECH=pam

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS=-n 1

==================================

Pam uses LDAP to authenticate.

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

===========================================


Hack:
Replaced /lib/security/pam_stack.so with /lib64/security/pam_stack.so

This fixed the issue, but as noted it's only a hack. It should be fixed
upstream. Thanks.
Comment 3 Petr Rockai 2006-05-30 16:52:59 UTC 
*** Bug 192550 has been marked as a duplicate of this bug. ***
Comment 5 RHEL Product and Program Management 2006-08-18 17:02:33 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 12 Shane A. Stillwell 2007-02-28 17:07:08 UTC 
Ran into this same problem on a different server this time.  It was during an
upgrade to the latest packages that this started happening again.

Hardware:
Dell PowerEdge 2850

Redhat Enterprise Linux 4 update 4
2.6.9-42.0.10.ELsmp

Same thing started happening, giving error messages of 
========================================
Feb 28 10:57:20 faramir saslauthd[3260]: PAM unable to
dlopen(/lib/security/pam_stack.so)
Feb 28 10:57:20 faramir saslauthd[3260]: PAM [dlerror:
/lib/security/pam_stack.so: cannot open shared object file: No such file or
directory]
Feb 28 10:57:20 faramir saslauthd[3260]: PAM adding faulty module:
/lib/security/pam_stack.so
Feb 28 10:57:20 faramir saslauthd[3260]: do_auth         : auth failure:
[user=myusername] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
========================================

The hack again fixed this issue.  Copying the /lib64/security/pam_stack.so to
/lib/security/pam_stack.so

This bug has been replicated on two different platforms with similar scenarios.

Authentication for IMAP goes like this.
cyrus-imap -> saslauthd -> pam -> ldap

It only seems to be the cyrus-imapd that has a problem.  I also have
authentication for Postfix using saslauthd and it works fine.
Comment 13 Red Hat Bugzilla 2007-05-01 17:15:11 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0258.html
Note You need to log in before you can comment on or make changes to this bug.