FYI: Sun Patch breaks Solaris PAM with krb5 enabled

Matthew E Glogowski matthewg at theworld.com
Fri Apr 26 15:26:26 EDT 2002


hi,

yes i used the built-in sun kerberos package from sun. the permissions
were correct on the file, the problem is with the programs such as kinit
trying to reference a libgss.so.1 (SUNW_1.2) version which is not on the
system.

thanks,

-matt

On Fri, 26 Apr 2002, Wyllys Ingersoll wrote:

>
> Check the permissions & ownership of /usr/lib/security/pam_krb5.so.1
> 755 root/bin is the correct PERM UID/GID combination.
>
> Also, are you running the pam_krb5 that is distributed with the
> Solaris (SEAM) kerberos packages or a third party pam_krb5 module?
>
> -Wyllys
>
>
>
> M Glogowski wrote:
> > i downloaded the sun patch cluster for solaris 8 and after
> > installation/reboot i could not login to the system.
> >
> > the following patch from the April 19th patch cluster breaks kerberos5 pam
> > on solaris 8:
> >
> > 112237-03 SunOS 5.8: mech_krb5.so.1 patch
> >
> > with this error:
> >
> > Apr 24 17:04:02 XXXXXXXXXXXXXX [ID 487707 auth.error] load_modules: cannot open module /usr/lib/security/pam_krb5.so.1
> >
> > via your login screen (dtlogin) you may see an error message: "Cannot load
> > PAM modules. Contact your System Administrator"
> >
> >
> >
> > my pam.conf kerberos:
> >
> >
> > #
> > # Support for Kerberos V5 authentication (uncomment to use Kerberos)
> > #
> > rlogin  auth     sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> > login   auth     sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> > dtlogin auth     sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> > other   auth     sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> > dtlogin account  sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
> > other   account  sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
> > other   session  sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
> > other   password sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> >
> >
> >
> > performing some checks you will see that it cannot find another module:
> >
> > root at XXXXXX [root]% ldd /usr/bin/kinit
> > mech_krb5.so.1 => /usr/lib/gss/gl/mech_krb5.so.1
> > libnsl.so.1 => /usr/lib/libnsl.so.1
> > libmp.so.2 => /usr/lib/libmp.so.2
> > libc.so.1 => /usr/lib/libc.so.1
> > libdl.so.1 => /usr/lib/libdl.so.1
> > libresolv.so.2 => /usr/lib/libresolv.so.2
> > libintl.so.1 => /usr/lib/libintl.so.1
> > libgss.so.1 => /usr/lib/libgss.so.1
> > libgss.so.1 (SUNW_1.2) => (version not found)
> > libsocket.so.1 => /usr/lib/libsocket.so.1
> > libxfn.so.2 => /usr/lib/libxfn.so.2
> > /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
> >
> > root at XXXXX [root]% ldd /usr/lib/security/pam_krb5.so
> > libc.so.1 => /usr/lib/libc.so.1
> > libpam.so.1 => /usr/lib/libpam.so.1
> > libnsl.so.1 => /usr/lib/libnsl.so.1
> > libsocket.so.1 => /usr/lib/libsocket.so.1
> > mech_krb5.so.1 => /usr/lib/gss/gl/mech_krb5.so.1
> > libkadm5clnt.so.1 => /usr/lib/krb5/libkadm5clnt.so.1
> > libmp.so.2 => /usr/lib/libmp.so.2
> > libdl.so.1 => /usr/lib/libdl.so.1
> > libintl.so.1 => /usr/lib/libintl.so.1
> > libxfn.so.2 => /usr/lib/libxfn.so.2
> > libresolv.so.2 => /usr/lib/libresolv.so.2
> > libgss.so.1 => /usr/lib/libgss.so.1
> > libgss.so.1 (SUNW_1.2) => (version not found)
> > /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
> >
> >
> >
> > i don't know where to post a bug request for sun's sunsolve
> > patches....anyone know?  once the patch was removed the system works fine.
> > i don't have an idea what the (SUNW_1.2) under libgss.so.1 is?
> >
> >
> >
> > thanks,
> >
> > -matt
> >
> > please remove the _NOSPAM from my email address if you wish to respond to me
> > directly.
> >
> >
> >
> >
> >
> >
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
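
The manual ldd check from this thread, generalized into a script that walks every module path in pam.conf. This is an added example, not part of the original messages or of any Sun or MIT tool. The function names and the sample input are constructed here, and it assumes ldd marks unresolved dependencies with "not found", as in the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): pre-reboot check that every PAM module
# named in pam.conf still resolves all of its shared-library dependencies.

# Print the unique module paths (4th field) from pam.conf text on stdin.
# $1 = directory substituted for the $ISA token (empty for 32-bit callers).
pam_modules() {
    awk -v isa="$1" '
        /^[ \t]*#/ || NF < 4 { next }   # comments, blank or wrapped lines
        { p = $4; gsub(/\$ISA\//, (isa == "" ? "" : isa "/"), p)
          if (!seen[p]++) print p }'
}

# Print the ldd lines (stdin) that report an unresolved file or version.
unresolved_deps() {
    grep 'not found' | sed 's/^[[:space:]]*//'
}

# Usage: check_pam_conf /etc/pam.conf [isa-dir]; returns 1 if any module
# is unreadable or has an unresolved dependency.
check_pam_conf() {
    rc=0
    for m in $(pam_modules "$2" < "$1"); do
        if [ ! -r "$m" ]; then
            echo "MISSING $m"; rc=1; continue
        fi
        bad=$(ldd "$m" 2>&1 | unresolved_deps)
        if [ -n "$bad" ]; then
            echo "BROKEN  $m"; echo "$bad" | sed 's/^/        /'; rc=1
        fi
    done
    return $rc
}

# Constructed sample input, copied from lines quoted in this thread.
SAMPLE_PAM='login   auth     sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
other   account  sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug'
SAMPLE_LDD='  libgss.so.1 => /usr/lib/libgss.so.1
  libgss.so.1 (SUNW_1.2) => (version not found)'

# Demo on the sample: list the module, then the dependency that fails.
printf '%s\n' "$SAMPLE_PAM" | pam_modules ""
printf '%s\n' "$SAMPLE_LDD" | unresolved_deps
```

Running `check_pam_conf /etc/pam.conf` after applying a patch cluster, while a root session is still open and before rebooting, surfaces a module that can no longer load before it locks out logins.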



