PAM / krb5 shared library problems

Douglas E. Engert deengert at anl.gov
Fri Jan 12 10:35:06 EST 2007 


Williams, Jacob A CTR USA 116th (QSS) wrote:
> I built MIT Kerberos 1.5.1 and pam_krb5.so (3.1) on RHEL 3 and I am
> getting the following errors with PAM.  I strongly suspect there is
> something misconfigured on my system that is making the symbols in
> pam_krb5.so not match those in /usr/local/lib/libkrb5.so.3.  I tried
> configuring pam with and without krb5-config (no change).  Any ideas
> what I am doing wrong or how to fix this?  Sorry if this is a little too
> verbose, I just wanted to include the needed information.  It appears
> that the krb5_cc_store_cred symbol referenced in pam is in a different
> namespace than the one in libkrb5.so.
> 
> Any help is greatly appreciated.
> 

Was sshd built with kerberos, and is using a diferent version?
ldd sshd should show this. If so it might load the wrong version.

Does sshd work if you start it with
LD_LIBRARY_PATH=/usr/local/lib
set in the env?

Was pam_krb5 built with a -rpath to /usr/local/lib to it would
look there first for shared libs?

Did you copy your pam_krb5 to /usr/lib/security?
Or did you give the full path in the pam.conf.


> Jan 12 14:28:05 workstation1 sshd[20010]: PAM unable to
> dlopen(/lib/security/$ISA/pam_krb5.so)
> Jan 12 14:28:05 workstation1 sshd[20010]: PAM [dlerror:
> /lib/security/../../lib/security/pam_krb5.so: symbol krb5_cc_store_cred,
> version krb5_3_MIT not defined in file libkrb5.so.3 with link time
> reference]
> Jan 12 14:28:05 workstation1 sshd[20010]: PAM adding faulty module:
> /lib/security/$ISA/pam_krb5.so
> 
> 
> [root at workstation1 local]# nm /lib/security/pam_krb5.so
>          U access@@GLIBC_2.0
> 00007484 A __bss_start
> 000025fc t build_ccache_name
> 00002200 t cache_init
> 00001e60 t call_gmon_start
>          U calloc@@GLIBC_2.0
> 000022d8 t canonicalize_name
>          U chown@@GLIBC_2.1
>          U close@@GLIBC_2.0
> 00007484 b completed.1
> 00002778 t create_session_context
> 0000732c d __CTOR_END__
> 00007328 d __CTOR_LIST__
>          w __cxa_finalize@@GLIBC_2.1.3
> 00004714 t default_boolean
> 00004690 t default_number
> 00004624 t default_string
> 0000474c t default_time
> 00005984 t __do_global_ctors_aux
> 00001e84 t __do_global_dtors_aux
> 00007240 d __dso_handle
> 00007334 d __DTOR_END__
> 00007330 d __DTOR_LIST__
> 00007248 A _DYNAMIC
> 00007484 A _edata
> 0000623c r __EH_FRAME_BEGIN__
> 00007488 A _end
>          U __errno_location@@GLIBC_2.0
>          U error_message@@com_err_3_MIT
>          U fclose@@GLIBC_2.1
>          U fgets@@GLIBC_2.0
>          U fileno@@GLIBC_2.0
> 000059b8 T _fini
>          U fopen@@GLIBC_2.1
> 00001eec t frame_dummy
> 0000623c r __FRAME_END__
>          U free@@GLIBC_2.0
>          U __fxstat@@GLIBC_2.0
>          U getenv@@GLIBC_2.0
> 000020dc t get_krb5ccname
> 00002ee0 t get_new_password
>          U getpid@@GLIBC_2.0
>          U getpwnam@@GLIBC_2.0
> 0000733c A _GLOBAL_OFFSET_TABLE_
>          w __gmon_start__
> 00001998 T _init
> 00007338 d __JCR_END__
> 00007338 d __JCR_LIST__
>          w _Jv_RegisterClasses
> 00003604 t k5login_password_auth
>          U krb5_aname_to_localname@@krb5_3_MIT
>          U krb5_appdefault_boolean@@krb5_3_MIT
>          U krb5_appdefault_string@@krb5_3_MIT
>          U krb5_cc_close@@krb5_3_MIT
>          U krb5_cc_default_name@@krb5_3_MIT
>          U krb5_cc_destroy@@krb5_3_MIT
>          U krb5_cc_end_seq_get@@krb5_3_MIT
>          U krb5_cc_get_name@@krb5_3_MIT
>          U krb5_cc_get_principal@@krb5_3_MIT
>          U krb5_cc_initialize@@krb5_3_MIT
>          U krb5_cc_next_cred@@krb5_3_MIT
>          U krb5_cc_resolve@@krb5_3_MIT
>          U krb5_cc_start_seq_get@@krb5_3_MIT
>          U krb5_cc_store_cred@@krb5_3_MIT
>          U krb5_change_password@@krb5_3_MIT
>          U krb5_free_context@@krb5_3_MIT
>          U krb5_free_cred_contents@@krb5_3_MIT
>          U krb5_free_data_contents@@krb5_3_MIT
>          U krb5_free_principal@@krb5_3_MIT
>          U krb5_get_default_realm@@krb5_3_MIT
>          U krb5_get_init_creds_opt_init@@krb5_3_MIT
>          U krb5_get_init_creds_opt_set_forwardable@@krb5_3_MIT
>          U krb5_get_init_creds_opt_set_renew_life@@krb5_3_MIT
>          U krb5_get_init_creds_opt_set_tkt_life@@krb5_3_MIT
>          U krb5_get_init_creds_password@@krb5_3_MIT
>          U krb5_init_context@@krb5_3_MIT
>          U krb5_kt_resolve@@krb5_3_MIT
>          U krb5_kuserok@@krb5_3_MIT
>          U krb5_parse_name@@krb5_3_MIT
>          U krb5_set_default_realm@@krb5_3_MIT
>          U krb5_string_to_deltat@@krb5_3_MIT
>          U krb5_unparse_name@@krb5_3_MIT
>          U krb5_verify_init_creds@@krb5_3_MIT
>          U krb5_verify_init_creds_opt_init@@krb5_3_MIT
>          U malloc@@GLIBC_2.0
>          U memcpy@@GLIBC_2.0
>          U memset@@GLIBC_2.0
>          U mkstemp@@GLIBC_2.0
> 00007244 d p.0
>          U pam_get_data
>          U pam_getenv
>          U pam_get_item
>          U pam_get_user
> 0000453c T pamk5_args_free
> 000044c8 t pamk5_args_new
> 000047f8 T pamk5_args_parse
> 00005864 T pamk5_authorized
> 00003e1c T pamk5_compat_free_data_contents
> 00003ef0 T pamk5_compat_free_realm
> 00003e40 T pamk5_compat_get_err_text
> 00003e60 T pamk5_compat_set_realm
> 00004164 T pamk5_context_destroy
> 00004054 T pamk5_context_fetch
> 000040a4 T pamk5_context_free
> 00003f38 T pamk5_context_new
> 000052ac T pamk5_conv
> 000041f4 T pamk5_credlist_append
> 00004244 T pamk5_credlist_copy
> 000041a0 T pamk5_credlist_free
> 00004190 T pamk5_credlist_new
> 000042dc T pamk5_credlist_store
> 0000439c T pamk5_debug
> 00004460 T pamk5_debug_krb5
> 00004420 T pamk5_debug_pam
> 00004324 T pamk5_error
> 0000506c T pamk5_get_password
> 00003930 T pamk5_password_auth
> 000053cc T pamk5_prompter_krb5
> 000057d8 T pamk5_should_ignore
>          U pam_putenv
>          U pam_set_data
>          U pam_set_item
> 00001f28 T pam_sm_acct_mgmt
> 000023a4 T pam_sm_authenticate
> 00003218 T pam_sm_chauthtok
> 000034a0 T pam_sm_close_session
> 00003478 T pam_sm_open_session
> 00002908 T pam_sm_setcred
>          U pam_strerror
> 000034cc t parse_name
> 000030a0 t password_change
> 0000359c t set_credential_options
> 0000211c t set_krb5ccname
>          U snprintf@@GLIBC_2.0
>          U sprintf@@GLIBC_2.0
>          U strchr@@GLIBC_2.0
>          U strcmp@@GLIBC_2.0
>          U strcpy@@GLIBC_2.0
>          U __strdup@@GLIBC_2.0
>          U strerror@@GLIBC_2.0
>          U strncat@@GLIBC_2.0
>          U strncpy@@GLIBC_2.0
>          U __strtol_internal@@GLIBC_2.0
>          U syslog@@GLIBC_2.0
>          U vsnprintf@@GLIBC_2.0
> 
> 
> 
> [root at workstation1 local]# ldd -r /lib/security/pam_krb5.so
>         libpam.so.0 => /lib/libpam.so.0 (0x004ae000)
>         libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x00156000)
>         libcom_err.so.3 => /usr/local/lib/libcom_err.so.3 (0x0072d000)
>         libc.so.6 => /lib/tls/libc.so.6 (0x00d9c000)
>         libdl.so.2 => /lib/libdl.so.2 (0x00799000)
>         liblaus.so.1 => /lib/liblaus.so.1 (0x00111000)
>         libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x00c4f000)
>         libkrb5support.so.0 => /usr/local/lib/libkrb5support.so.0
> (0x003dc000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0x005d6000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00667000)
> 
> 
> [root at workstation1 local]# nm /usr/local/lib/libkrb5.so.3|grep
> krb5_cc_store
> 000399cc T krb5_cc_store_cred
> 
> Jacob Williams
> Systems Engineer (QSS Group Inc.)
> 116th MI GP; Fort Gordon, GA 
> 706-791-0344    DSN 780-0344
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list