+++ This bug was initially created as a clone of Bug #460722 +++ Description of problem: Unable to use PAM authentication on RHEL 5. Version-Release number of selected component (if applicable): Satellite-5.2.0-RHEL5-re20080825.0-i386-embedded-oracle How reproducible: Steps to Reproduce: 1. Setup Satellite to use PAM authentication. 2. Create a user that uses PAM authentication. 3. Verify that user can SSH into the satellite. 4. Try to login to the Satellite WebUI using this user. Actual results: Either the password or username is incorrect. Expected results: Successful Login. Additional info: This works fine on RHEL 4 with identical configuration. The error from /var/log/secure: Aug 30 00:45:05 rlx-3-14 java: PAM unable to dlopen(/lib/security/pam_krb5.so) Aug 30 00:45:05 rlx-3-14 java: PAM [error: /lib/security/pam_krb5.so: undefined symbol: pam_getenv] Aug 30 00:45:05 rlx-3-14 java: PAM adding faulty module: /lib/security/pam_krb5.so The problem goes away if you install pam-devel. I know we still have pam-devel as a requirement, but I've only seen this WRT the python stack... this is the first time I've seen this in the Java stack, and if it is something that can easily be fixed in 5.2 and then applied to 5.3, all the better. If it is not that simple, then this bug can easily be moved to 5.3. --- Additional comment from bperkins on 2008-08-30 01:08:10 EDT --- FYI, the Python bug I know of is bug 437896. --- Additional comment from jpazdziora on 2008-09-01 08:49:30 EDT --- What is your /etc/pam.d/rhn-satellite? PAM authentication using # cat /etc/pam.d/rhn-satellite #%PAM-1.0 auth required pam_env.so auth sufficient pam_ldap.so auth required pam_deny.so account required pam_ldap.so works OK on my Satellite 5.2.0 on RHEL 5 ... --- Additional comment from jpazdziora on 2008-09-01 09:05:30 EDT --- FYI, PAM's maintainer says: adelton > t8m: Říkají Ti něco chyby z https://bugzilla.redhat.com/show_bug.cgi?id=460722#c0 ? error: /lib/security/pam_krb5.so: undefined symbol: pam_getenv. Je to něco známého? t8m > adelton, tezko rict, ale vypada to jako by pam_krb5.so nemelo libpam v DT_NEEDED adelton > t8m: Milan poznamenal, že adelton > # ldd -r /lib64/security/pam_krb5.so adelton > undefined symbol: pam_getenv (/lib64/security/pam_krb5.so) adelton > undefined symbol: pam_set_data (/lib64/security/pam_krb5.so) adelton > undefined symbol: pam_putenv (/lib64/security/pam_krb5.so) adelton > undefined symbol: pam_get_item (/lib64/security/pam_krb5.so) adelton > undefined symbol: pam_strerror (/lib64/security/pam_krb5.so) adelton > undefined symbol: pam_set_item (/lib64/security/pam_krb5.so) adelton > undefined symbol: pam_get_user (/lib64/security/pam_krb5.so) adelton > undefined symbol: pam_get_data (/lib64/security/pam_krb5.so) adelton > t8m: Mám se toho bát? t8m > adelton, no, za normální situace by to nemělo vadit, protože aplikace, která volá pam_krb5 ho volá stejně z libpam, není mi ale jasné, proč se potom v satelitu ta chyba objevuje t8m > adelton, každopádně by pam_krb5.so v DT_NEEDED mít libpam mělo t8m > adelton, takže to se dá reportovat jako chyba pam_krb5 adelton > t8m: OK, budu Tě citovat. --- Additional comment from bperkins on 2008-09-02 00:46:23 EDT --- We are slightly different, I have the no_user_check... although I don't think that should make a difference: # cat /etc/pam.d/rhn-satellite #%PAM-1.0 auth required pam_env.so auth sufficient pam_krb5.so no_user_check auth required pam_deny.so account required pam_krb5.so no_user_check And yours is working without pam-devel installed? --- Additional comment from jpazdziora on 2008-09-02 03:00:16 EDT --- Yes. But I'm using pam_ldap. In the comment 3, Tomáš mráz says: it looks like pam_krb5.so does not have libpam in DT_NEEDED. Those "undefined symbol" messages from ldd should not really matter because application calling pam_krb5 calls it from libpam anyway, so why this error is showing up in Satellite is not clear. Anyway, pam_krb5.so should have libapm in DT_NEEDED, so this could be reported as pam_krb5 error. In other words -- there seems to be a bug / some nonstandardcy with pam_krb5.so on RHEL 5.
Based on the advice of Tomáš Mráz, I've filed this bugzilla against pam_krb5. Brandon, could you please fill in your pam* versions?
perl-Authen-PAM-0.14-14.el5 PyPAM-0.4.2-20.el5 jpam-0.4-16.el5 pam_passwdqc-1.0.2-1.2.2 pam-0.99.6.2-3.27.el5 pam_smb-1.1.7-7.2.1 pam_krb5-2.2.14-1 pam-devel-0.99.6.2-3.27.el5 pam_ccreds-3-5 pam_pkcs11-0.5.3-23
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0135.html
*** Bug 432277 has been marked as a duplicate of this bug. ***