FYI: Sun Patch breaks Solaris PAM with krb5 enabled
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Fri Apr 26 13:37:43 EDT 2002
Check the permissions & ownership o /usr/lib/security/pam_krb5.so.1
755 root/bin is the correct PERM UID/GID combination.
Also, are you running the pam_krb5 that is distributed with the
Solaris (SEAM) kerberos packages or a third party pam_krb5 module?
-Wyllys
M Glogowski wrote:
> i downloaded the sun patch cluster for solaris 8 and after
> installatiopn/reboot i could not login to the system.
>
> the following patch from the April 19th patch cluster breaks kerberos5 pam
> on solaris 8:
>
> 112237-03 SunOS 5.8: mech_krb5.so.1 patch
>
> with this error:
>
> Apr 24 17:04:02 XXXXXXXXXXXXXX [ID 487707 auth.error] load_modules: cannot
> open module /usr/lib/security/pam_krb5.so.1
>
> via your login screen (dtlogin) you may see an error message: "Cannot load
> PAM modules. Contact your System Administrator"
>
>
>
> my pam.conf kerberos:
>
>
> #
> # Support for Kerberos V5 authentication (uncomment to use Kerberos)
> #
> rlogin auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_pass debug
> login auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_pass debug
> dtlogin auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_pass debug
> other auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_pass debug
> dtlogin account sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
> other account sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
> other session sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
> other password sufficient /usr/lib/security/$ISA/pam_krb5.so.1
> try_first_pass debug
>
>
>
> performing some checks you will see that it cannot find another module:
>
> root at XXXXXX [root]% ldd /usr/bin/kinit
>
> mech_krb5.so.1 => /usr/lib/gss/gl/mech_krb5.so.1
>
> libnsl.so.1 => /usr/lib/libnsl.so.1
>
> libmp.so.2 => /usr/lib/libmp.so.2
>
> libc.so.1 => /usr/lib/libc.so.1
>
> libdl.so.1 => /usr/lib/libdl.so.1
>
> libresolv.so.2 => /usr/lib/libresolv.so.2
>
> libintl.so.1 => /usr/lib/libintl.so.1
>
> libgss.so.1 => /usr/lib/libgss.so.1
>
> libgss.so.1 (SUNW_1.2) => (version not found)
>
> libsocket.so.1 => /usr/lib/libsocket.so.1
>
> libxfn.so.2 => /usr/lib/libxfn.so.2
>
> /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
>
> root at XXXXX [root]% ldd /usr/lib/security/pam_krb5.so
>
> libc.so.1 => /usr/lib/libc.so.1
>
> libpam.so.1 => /usr/lib/libpam.so.1
>
> libnsl.so.1 => /usr/lib/libnsl.so.1
>
> libsocket.so.1 => /usr/lib/libsocket.so.1
>
> mech_krb5.so.1 => /usr/lib/gss/gl/mech_krb5.so.1
>
> libkadm5clnt.so.1 => /usr/lib/krb5/libkadm5clnt.so.1
>
> libmp.so.2 => /usr/lib/libmp.so.2
>
> libdl.so.1 => /usr/lib/libdl.so.1
>
> libintl.so.1 => /usr/lib/libintl.so.1
>
> libxfn.so.2 => /usr/lib/libxfn.so.2
>
> libresolv.so.2 => /usr/lib/libresolv.so.2
>
> libgss.so.1 => /usr/lib/libgss.so.1
>
> libgss.so.1 (SUNW_1.2) => (version not found)
>
> /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
>
>
>
> i don't know where to post a bug request for sun's sunsolve
> patches....anyone know? once the patch was removed the system works fine.
> i dont have an idea what the (SUNW_1.2) under libgss.so.1 is?
>
>
>
> thanks,
>
> -matt
>
> please remove the _NOSPAM from my email address if you wish to respond to me
> directly.
>
>
>
>
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
More information about the Kerberos
mailing list