FYI: Sun Patch breaks Solaris PAM with krb5 enabled
Austin Gonyou
austin at coremetrics.com
Fri Apr 26 17:24:54 EDT 2002
Is there ANY libgss anywhere on the system?
On Fri, 2002-04-26 at 14:26, Matthew E Glogowski wrote:
> hi,
>
> yes i used the built-in sun kerberos package from sun. the permissions
> were correct on the file, the problem is with the programs such as kinit
> trying to reference a libgss.so.1 (SUNW_1.2) version which is not on the
> system.
>
> thanks,
>
> -matt
>
> On Fri, 26 Apr 2002, Wyllys Ingersoll wrote:
>
> >
> > Check the permissions & ownership of /usr/lib/security/pam_krb5.so.1
> > 755 root/bin is the correct PERM UID/GID combination.
> >
> > Also, are you running the pam_krb5 that is distributed with the
> > Solaris (SEAM) kerberos packages or a third party pam_krb5 module?
> >
> > -Wyllys
> >
> >
> >
> > M Glogowski wrote:
> > > i downloaded the sun patch cluster for solaris 8 and after
> > > installation/reboot i could not login to the system.
> > >
> > > the following patch from the April 19th patch cluster breaks kerberos5 pam
> > > on solaris 8:
> > >
> > > 112237-03 SunOS 5.8: mech_krb5.so.1 patch
> > >
> > > with this error:
> > >
> > > Apr 24 17:04:02 XXXXXXXXXXXXXX [ID 487707 auth.error] load_modules: cannot open module /usr/lib/security/pam_krb5.so.1
> > >
> > > via your login screen (dtlogin) you may see an error message: "Cannot load
> > > PAM modules. Contact your System Administrator"
> > >
> > >
> > >
> > > my pam.conf kerberos:
> > >
> > >
> > > #
> > > # Support for Kerberos V5 authentication (uncomment to use Kerberos)
> > > #
> > > rlogin auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> > > login auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> > > dtlogin auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> > > other auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> > > dtlogin account sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
> > > other account sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
> > > other session sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
> > > other password sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
> > >
> > >
> > >
> > > performing some checks you will see that it cannot find another module:
> > >
> > > root at XXXXXX [root]% ldd /usr/bin/kinit
> > > mech_krb5.so.1 => /usr/lib/gss/gl/mech_krb5.so.1
> > > libnsl.so.1 => /usr/lib/libnsl.so.1
> > > libmp.so.2 => /usr/lib/libmp.so.2
> > > libc.so.1 => /usr/lib/libc.so.1
> > > libdl.so.1 => /usr/lib/libdl.so.1
> > > libresolv.so.2 => /usr/lib/libresolv.so.2
> > > libintl.so.1 => /usr/lib/libintl.so.1
> > > libgss.so.1 => /usr/lib/libgss.so.1
> > > libgss.so.1 (SUNW_1.2) => (version not found)
> > > libsocket.so.1 => /usr/lib/libsocket.so.1
> > > libxfn.so.2 => /usr/lib/libxfn.so.2
> > > /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
> > >
> > > root at XXXXX [root]% ldd /usr/lib/security/pam_krb5.so
> > > libc.so.1 => /usr/lib/libc.so.1
> > > libpam.so.1 => /usr/lib/libpam.so.1
> > > libnsl.so.1 => /usr/lib/libnsl.so.1
> > > libsocket.so.1 => /usr/lib/libsocket.so.1
> > > mech_krb5.so.1 => /usr/lib/gss/gl/mech_krb5.so.1
> > > libkadm5clnt.so.1 => /usr/lib/krb5/libkadm5clnt.so.1
> > > libmp.so.2 => /usr/lib/libmp.so.2
> > > libdl.so.1 => /usr/lib/libdl.so.1
> > > libintl.so.1 => /usr/lib/libintl.so.1
> > > libxfn.so.2 => /usr/lib/libxfn.so.2
> > > libresolv.so.2 => /usr/lib/libresolv.so.2
> > > libgss.so.1 => /usr/lib/libgss.so.1
> > > libgss.so.1 (SUNW_1.2) => (version not found)
> > > /usr/platform/SUNW,Ultra-2/lib/libc_psr.so.1
> > >
> > >
> > >
> > > i don't know where to post a bug request for sun's sunsolve
> > > patches....anyone know? once the patch was removed the system works fine.
> > > i don't have an idea what the (SUNW_1.2) under libgss.so.1 is?
> > >
> > >
> > >
> > > thanks,
> > >
> > > -matt
> > >
> > > please remove the _NOSPAM from my email address if you wish to respond to me
> > > directly.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > ________________________________________________
> > > Kerberos mailing list Kerberos at mit.edu
> > > http://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
> >
>
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com
"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb
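
The check done by hand in the quoted message (running ldd against the PAM module and looking for "version not found") can be run over every module a pam.conf names, so a module that no longer loads is caught after patching and before the next login attempt. This is an added example, not part of the original thread; the function names and sample input are constructed, and dropping `$ISA/` to get the 32-bit module path is an assumption.

```shell
#!/bin/sh
# Added example: find PAM modules whose library dependencies do not resolve.

# ldd output on stdin -> one "dependency: reason" line per unresolved entry.
unresolved_deps() {
    sed -n 's/^[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*=>[[:space:]]*(\(.*not found\))[[:space:]]*$/\1: \2/p'
}

# pam.conf on stdin -> distinct module paths (4th field), comments skipped.
# Assumption: "$ISA/" is dropped, which yields the 32-bit module path.
pam_modules() {
    awk '!/^[ \t]*#/ && NF >= 4 { gsub(/\$ISA\//, "", $4); print $4 }' | sort -u
}

# Run ldd over every module named in a pam.conf; non-zero if any is broken.
check_pam_conf() {
    status=0
    for mod in $(pam_modules < "$1"); do
        bad=$(ldd "$mod" 2>&1 | unresolved_deps)
        if [ ! -r "$mod" ]; then echo "MISSING $mod"; status=1
        elif [ -n "$bad" ]; then echo "BROKEN $mod ($bad)"; status=1
        fi
    done
    return $status
}

# Constructed sample input, abridged from the listings quoted in the thread.
sample_ldd() {
    cat <<'EOF'
        libpam.so.1 =>   /usr/lib/libpam.so.1
        mech_krb5.so.1 =>        /usr/lib/gss/gl/mech_krb5.so.1
        libgss.so.1 =>   /usr/lib/libgss.so.1
        libgss.so.1 (SUNW_1.2) =>        (version not found)
EOF
}
sample_pam_conf() {
    cat <<'EOF'
# Support for Kerberos V5 authentication
login   auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
dtlogin auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass debug
other   session sufficient /usr/lib/security/$ISA/pam_krb5.so.1 debug
EOF
}

sample_pam_conf | pam_modules      # module paths that would be checked
sample_ldd | unresolved_deps       # the dependency that fails to bind
```

On a live host, `check_pam_conf /etc/pam.conf` run from a root shell that is kept open gives a pass/fail answer before anyone logs out.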