version krb5support_0_MIT not defined

Jeffrey Hutzelman jhutz at cmu.edu
Sun Feb 19 13:10:37 EST 2012


On Fri, 2012-02-10 at 18:02 -0500, Tom Yu wrote:
> In the long run, there are better ways to overcome the problems you're
> experiencing, but they probably require adding new capabilities to the
> glibc runtime linker:
> 
> * support for RTLD_GROUP

In practice, RTLD_DEEPBIND is usually good enough for this sort of
problem.


> * distinguishing libraries that have the same SONAME but exist as
>   distinct files

I haven't followed this thread closely enough to determine if this is
actually the problem here, but if it is, that's a tricky problem.  The
best answer is to simply not have that happen. :-)

> You are expecting pam_krb5.so to resolve the symbols that it needs
> using the libraries that it would find in its RPATH.  On a Solaris
> system, if sshd had called dlopen() on pam_krb5.so using the
> RTLD_GROUP flag, this would be the case.  On RHEL, using the glibc
> runtime linker as it currently exists, that does not occur, and
> pam_krb5.so will find the versions of the symbols that already exist
> in the address space of the sshd process.

Modulo the duplicate-soname issue, this problem can be resolved using a
wrapper PAM module which opens the wrapped module with RTLD_GROUP (if
available) or RTLD_DEEPBIND.  For an example of such a module, see
/afs/cs.cmu.edu/misc/aaa/src/aaa-head/pam_isolate

-- Jeff
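
A sketch of the wrapper approach described in the message above, added here as an example; it is not part of the original post and is not the pam_isolate source. It assumes the wrapped module's absolute path is passed as the wrapper's first module argument; `isolate_flags`, `isolate_forward` and the `ISO_*` names are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* glibc: makes <dlfcn.h> expose RTLD_DEEPBIND */
#endif
#include <dlfcn.h>
#include <stddef.h>

/* Declared locally so this builds without PAM headers (assumption for the example). */
typedef struct pam_handle pam_handle_t;
typedef int (*pam_sm_fn)(pam_handle_t *, int, int, const char **);
enum { ISO_OPEN_ERR = 1, ISO_SYMBOL_ERR = 2 };  /* same values as PAM_OPEN_ERR, PAM_SYMBOL_ERR */

/* Prefer RTLD_GROUP where the platform has it, else glibc's RTLD_DEEPBIND. */
int isolate_flags(void)
{
    int flags = RTLD_NOW | RTLD_LOCAL;
#if defined(RTLD_GROUP)
    flags |= RTLD_GROUP;
#elif defined(RTLD_DEEPBIND)
    flags |= RTLD_DEEPBIND;
#endif
    return flags;
}

/* Open the module named by argv[0] and forward the call to its `sym`. */
int isolate_forward(const char *sym, pam_handle_t *pamh, int pam_flags,
                    int argc, const char **argv)
{
    void *handle;
    pam_sm_fn fn = NULL;
    /* Absolute paths only: never let the library search path pick the file. */
    if (argc < 1 || argv == NULL || argv[0] == NULL || argv[0][0] != '/')
        return ISO_OPEN_ERR;
    handle = dlopen(argv[0], isolate_flags());
    if (handle == NULL)
        return ISO_OPEN_ERR;
    *(void **)(&fn) = dlsym(handle, sym);   /* POSIX idiom for function pointers */
    if (fn == NULL) { dlclose(handle); return ISO_SYMBOL_ERR; }
    /* The handle stays open: the module's code must outlive this call. */
    return fn(pamh, pam_flags, argc - 1, argv + 1);
}

/* Entry point PAM calls in the wrapper; other pam_sm_* hooks follow the same pattern. */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    return isolate_forward("pam_sm_authenticate", pamh, flags, argc, argv);
}
```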


