Red Hat Bugzilla – Bug 173055
32-Bit libraries referenced in /etc/pam.d instead of 64-bit
Last modified: 2007-11-30 17:07:21 EST
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050921 Red Hat/1.0.7-1.4.1 Firefox/1.0.7 Description of problem: Installed RHEL 4 U2 ES on a new dual Intel Xeon server. Used the AMD64/EM64T version of RHEL. The server is also used as an IMAP / POP3 server. So we installed cyrus. The authentication is done using saslauthd. The cryus package creates the /etc/pam.d/imap and /etc/pam.d/pop3 files. These files contain references to the pam_stack.so library. However the reference is in the form /lib/security/pam_stack.so. This seems to be wrong on an AMD64/EM64T machine, since we were getting the following errors: Nov 12 10:51:46 ghlx02 saslauthd[3986]: PAM unable to dlopen(/lib/security/pam_stack.so) Nov 12 10:51:46 ghlx02 saslauthd[3986]: PAM [dlerror: /lib/security/pam_stack.so: cannot open shared object file: No such file or directory] Nov 12 10:51:46 ghlx02 saslauthd[3986]: PAM adding faulty module: /lib/security/pam_stack.so Nov 12 10:51:46 ghlx02 saslauthd[3986]: do_auth : auth failure: [user=digf] [service=imap] [realm=] [mech=pam] [reason=PAM auth error] Replacing /lib/security/pam_stack.so with /lib64/security/pam_stack.so in the pam files solved the issue. Version-Release number of selected component (if applicable): cyrus-imapd-2.2.12-3.RHEL4.1 How reproducible: Always Steps to Reproduce: 1. Install RHEL 4U2 x86_64 and cyrus. 2. Choses saslauthd for authentication (default) 3. Try to connect to the imap / pop3 server Actual Results: Authtentication not possible, errors in /var/log/messages Expected Results: Authentication possible. Additional info:
Same exact problem here. Hardware Dell PowerEdge 430sc Dual Core 1GB RAM Software RHEL 4.2 EL x86_64 Kernel 2.6.9-22.ELsmp RPMs pam-0.77-66.11 cyrus-imapd-2.2.12-3.RHEL4.1 cyrus-sasl-2.1.19-5.EL4 -----Error message from saslauthd--- Feb 18 23:46:50 wesley saslauthd[11329]: PAM unable to dlopen(/lib/security/pam_stack.so) Feb 18 23:46:50 wesley saslauthd[11329]: PAM [dlerror: /lib/security/pam_stack.so: cannot open shared object file: No such file or directory] Feb 18 23:46:50 wesley saslauthd[11329]: PAM adding faulty module: /lib/security/pam_stack.so Feb 18 23:46:50 wesley saslauthd[11329]: do_auth : auth failure: [user=sstillwell] [service=imap] [realm=] [mech=pam] [reason=PAM auth error] =================================== Cyrus uses saslauthd to authenticate. /etc/imapd.conf ---- snip --- # Authentication admins: cyrus sasl_pwcheck_method: saslauthd sasl_mech_list: PLAIN allowanonymouslogin: false ========================================= Saslauthd uses pam to authenticate /etc/sysconfig/saslauthd # Directory in which to place saslauthd's listening socket, pid file, and so # on. This directory must already exist. SOCKETDIR=/var/run/saslauthd # Mechanism to use when checking passwords. Run "saslauthd -v" to get a list # of which mechanism your installation was compiled to use. MECH=pam # Additional flags to pass to saslauthd on the command line. See saslauthd(8) # for the list of accepted flags. FLAGS=-n 1 ================================== Pam uses LDAP to authenticate. /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so broken_shadow account sufficient /lib/security/$ISA/pam_localuser.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password sufficient /lib/security/$ISA/pam_ldap.so use_authtok password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session optional /lib/security/$ISA/pam_ldap.so =========================================== Hack: Replaced /lib/security/pam_stack.so with /lib64/security/pam_stack.so This fixed the issue, but as noted it's only a hack. It should be fixed upstream. Thanks.
*** Bug 192550 has been marked as a duplicate of this bug. ***
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Ran into this same problem on a different server this time. It was during an upgrade to the latest packages that this started happening again. Hardware: Dell PowerEdge 2850 Redhat Enterprise Linux 4 update 4 2.6.9-42.0.10.ELsmp Same thing started happening, giving error messages of ======================================== Feb 28 10:57:20 faramir saslauthd[3260]: PAM unable to dlopen(/lib/security/pam_stack.so) Feb 28 10:57:20 faramir saslauthd[3260]: PAM [dlerror: /lib/security/pam_stack.so: cannot open shared object file: No such file or directory] Feb 28 10:57:20 faramir saslauthd[3260]: PAM adding faulty module: /lib/security/pam_stack.so Feb 28 10:57:20 faramir saslauthd[3260]: do_auth : auth failure: [user=myusername] [service=imap] [realm=] [mech=pam] [reason=PAM auth error] ======================================== The hack again fixed this issue. Copying the /lib64/security/pam_stack.so to /lib/security/pam_stack.so This bug has been replicated on two different platforms with similar scenarios. Authentication for IMAP goes like this. cyrus-imap -> saslauthd -> pam -> ldap It only seems to be the cyrus-imapd that has a problem. I also have authentication for Postfix using saslauthd and it works fine.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0258.html