Bug 460998 - PAM unable to dlopen(/lib/security/pam_krb5.so)
PAM unable to dlopen(/lib/security/pam_krb5.so)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
5.2
All Linux
high Severity high
: rc
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
:
: 432277 (view as bug list)
Depends On:
Blocks: 460722
  Show dependency treegraph
 
Reported: 2008-09-03 04:42 EDT by Jan Pazdziora
Modified: 2016-08-23 12:05 EDT (History)
5 users (show)

See Also:
Fixed In Version: 2.2.14-7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 16:19:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Pazdziora 2008-09-03 04:42:30 EDT
+++ This bug was initially created as a clone of Bug #460722 +++

Description of problem:
Unable to use PAM authentication on RHEL 5.

Version-Release number of selected component (if applicable):
Satellite-5.2.0-RHEL5-re20080825.0-i386-embedded-oracle

How reproducible:


Steps to Reproduce:
1. Setup Satellite to use PAM authentication.
2. Create a user that uses PAM authentication.
3. Verify that user can SSH into the satellite.
4. Try to login to the Satellite WebUI using this user.
  
Actual results:
Either the password or username is incorrect.

Expected results:
Successful Login.

Additional info:
This works fine on RHEL 4 with identical configuration.
The error from /var/log/secure:

Aug 30 00:45:05 rlx-3-14 java: PAM unable to dlopen(/lib/security/pam_krb5.so)
Aug 30 00:45:05 rlx-3-14 java: PAM [error: /lib/security/pam_krb5.so: undefined symbol: pam_getenv]
Aug 30 00:45:05 rlx-3-14 java: PAM adding faulty module: /lib/security/pam_krb5.so


The problem goes away if you install pam-devel.  I know we still have pam-devel as a requirement, but I've only seen this WRT the python stack... this is the first time I've seen this in the Java stack, and if it is something that can easily be fixed in 5.2 and then applied to 5.3, all the better.  If it is not that simple, then this bug can easily be moved to 5.3.

--- Additional comment from bperkins@redhat.com on 2008-08-30 01:08:10 EDT ---

FYI, the Python bug I know of is bug 437896.

--- Additional comment from jpazdziora@redhat.com on 2008-09-01 08:49:30 EDT ---

What is your /etc/pam.d/rhn-satellite? PAM authentication using

# cat /etc/pam.d/rhn-satellite 
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so
account     required      pam_ldap.so

works OK on my Satellite 5.2.0 on RHEL 5 ...

--- Additional comment from jpazdziora@redhat.com on 2008-09-01 09:05:30 EDT ---

FYI, PAM's maintainer says:

adelton > t8m: Říkají Ti něco chyby z https://bugzilla.redhat.com/show_bug.cgi?id=460722#c0 ? error: /lib/security/pam_krb5.so: undefined symbol: pam_getenv. Je to něco známého?
t8m > adelton, tezko rict, ale vypada to jako by pam_krb5.so nemelo libpam v DT_NEEDED
adelton > t8m: Milan poznamenal, že
adelton > # ldd -r /lib64/security/pam_krb5.so
adelton > undefined symbol: pam_getenv (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_set_data (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_putenv (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_get_item (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_strerror (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_set_item (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_get_user (/lib64/security/pam_krb5.so)
adelton > undefined symbol: pam_get_data (/lib64/security/pam_krb5.so)
adelton > t8m: Mám se toho bát?
t8m > adelton, no, za normální situace by to nemělo vadit, protože aplikace, která volá pam_krb5 ho volá stejně z libpam, není mi ale jasné, proč se potom v satelitu ta chyba objevuje
t8m > adelton, každopádně by pam_krb5.so v DT_NEEDED mít libpam mělo
t8m > adelton, takže to se dá reportovat jako chyba pam_krb5
adelton > t8m: OK, budu Tě citovat.

--- Additional comment from bperkins@redhat.com on 2008-09-02 00:46:23 EDT ---

We are slightly different, I have the no_user_check... although I don't think that should make a difference:

# cat /etc/pam.d/rhn-satellite 
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_krb5.so no_user_check
auth        required      pam_deny.so
account     required      pam_krb5.so no_user_check

And yours is working without pam-devel installed?

--- Additional comment from jpazdziora@redhat.com on 2008-09-02 03:00:16 EDT ---

Yes. But I'm using pam_ldap.

In the comment 3, Tomáš mráz says: it looks like pam_krb5.so does not have libpam in DT_NEEDED. Those "undefined symbol" messages from ldd should not really matter because application calling pam_krb5 calls it from libpam anyway, so why this error is showing up in Satellite is not clear. Anyway, pam_krb5.so should have libapm in DT_NEEDED, so this could be reported as pam_krb5 error.

In other words -- there seems to be a bug / some nonstandardcy with pam_krb5.so on RHEL 5.
Comment 1 Jan Pazdziora 2008-09-03 04:44:10 EDT
Based on the advice of Tomáš Mráz, I've filed this bugzilla against pam_krb5.

Brandon, could you please fill in your pam* versions?
Comment 3 Brandon Perkins 2008-09-03 12:12:30 EDT
perl-Authen-PAM-0.14-14.el5
PyPAM-0.4.2-20.el5
jpam-0.4-16.el5
pam_passwdqc-1.0.2-1.2.2
pam-0.99.6.2-3.27.el5
pam_smb-1.1.7-7.2.1
pam_krb5-2.2.14-1
pam-devel-0.99.6.2-3.27.el5
pam_ccreds-3-5
pam_pkcs11-0.5.3-23
Comment 10 errata-xmlrpc 2009-01-20 16:19:38 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0135.html
Comment 11 Nalin Dahyabhai 2009-06-10 14:31:10 EDT
*** Bug 432277 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.