+++ This bug was initially created as a clone of Bug #460722 +++

Description of problem:
Unable to use PAM authentication on RHEL 5.

Version-Release number of selected component (if applicable):
Satellite-5.2.0-RHEL5-re20080825.0-i386-embedded-oracle

How reproducible:


Steps to Reproduce:
1. Setup Satellite to use PAM authentication.
2. Create a user that uses PAM authentication.
3. Verify that user can SSH into the satellite.
4. Try to login to the Satellite WebUI using this user.
  
Actual results:
Either the password or username is incorrect.

Expected results:
Successful Login.

Additional info:
This works fine on RHEL 4 with identical configuration.
The error from /var/log/secure:

Aug 30 00:45:05 rlx-3-14 java: PAM unable to dlopen(/lib/security/pam_krb5.so)
Aug 30 00:45:05 rlx-3-14 java: PAM [error: /lib/security/pam_krb5.so: undefined symbol: pam_getenv]
Aug 30 00:45:05 rlx-3-14 java: PAM adding faulty module: /lib/security/pam_krb5.so


The problem goes away if you install pam-devel.  I know we still have pam-devel as a requirement, but I've only seen this WRT the python stack... this is the first time I've seen this in the Java stack, and if it is something that can easily be fixed in 5.2 and then applied to 5.3, all the better.  If it is not that simple, then this bug can easily be moved to 5.3.

--- Additional comment from bperkins on 2008-08-30 01:08:10 EDT ---

FYI, the Python bug I know of is bug 437896.

--- Additional comment from jpazdziora on 2008-09-01 08:49:30 EDT ---

What is your /etc/pam.d/rhn-satellite? PAM authentication using

# cat /etc/pam.d/rhn-satellite 
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so
account     required      pam_ldap.so

works OK on my Satellite 5.2.0 on RHEL 5 ...

--- Additional comment from jpazdziora on 2008-09-01 09:05:30 EDT ---

FYI, PAM's maintainer says:

adelton > t8m: Říkají Ti něco chyby z https://bugzilla.redhat.com/show_bug.cgi?id=460722#c0 ? error: /lib/security/pam_krb5.so: undefined symbol: pam_getenv. Je to něco známého?
t8m > adelton, tezko rict, ale vypada to jako by pam_krb5.so nemelo libpam v DT_NEEDED
adelton > t8m: Milan poznamenal, že
adelton > # ldd -r /lib64/security/pam_krb5.so
adelton > undefined symbol: pam_getenv (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_set_data (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_putenv (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_get_item (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_strerror (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_set_item (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_get_user (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_get_data (/lib64/security/pam_krb5.so)
adelton > t8m: Mám se toho bát?
t8m > adelton, no, za normální situace by to nemělo vadit, protože aplikace, která volá pam_krb5 ho volá stejně z libpam, není mi ale jasné, proč se potom v satelitu ta chyba objevuje
t8m > adelton, každopádně by pam_krb5.so v DT_NEEDED mít libpam mělo
t8m > adelton, takže to se dá reportovat jako chyba pam_krb5
adelton > t8m: OK, budu Tě citovat.

--- Additional comment from bperkins on 2008-09-02 00:46:23 EDT ---

We are slightly different, I have the no_user_check... although I don't think that should make a difference:

# cat /etc/pam.d/rhn-satellite 
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_krb5.so no_user_check
auth        required      pam_deny.so
account     required      pam_krb5.so no_user_check

And yours is working without pam-devel installed?

--- Additional comment from jpazdziora on 2008-09-02 03:00:16 EDT ---

Yes. But I'm using pam_ldap.

In the comment 3, Tomáš mráz says: it looks like pam_krb5.so does not have libpam in DT_NEEDED. Those "undefined symbol" messages from ldd should not really matter because application calling pam_krb5 calls it from libpam anyway, so why this error is showing up in Satellite is not clear. Anyway, pam_krb5.so should have libapm in DT_NEEDED, so this could be reported as pam_krb5 error.

In other words -- there seems to be a bug / some nonstandardcy with pam_krb5.so on RHEL 5.