version krb5support_0_MIT not defined
Jeffrey Hutzelman
jhutz at cmu.edu
Sun Feb 19 13:10:37 EST 2012
On Fri, 2012-02-10 at 18:02 -0500, Tom Yu wrote:
> In the long run, there are better ways to overcome the problems you're
> experiencing, but they probably require adding new capabilities to the
> glibc runtime linker:
>
> * support for RTLD_GROUP
In practice, RTLD_DEEPBIND is usually good enough for this sort of
problem.
> * distinguishing libraries that have the same SONAME but exist as
> distinct files
I haven't followed this thread closely enough to determine if this is
actually the problem here, but if it is, that's a tricky problem. The
best answer is to simply not have that happen. :-)
> You are expecting pam_krb5.so to resolve the symbols that it needs
> using the libraries that it would find in its RPATH. On a Solaris
> system, if sshd had called dlopen() on pam_krb5.so using the
> RTLD_GROUP flag, this would be the case. On RHEL, using the glibc
> runtime linker as it currently exists, that does not occur, and
> pam_krb5.so will find the versions of the symbols that already exist
> in the address space of the sshd process.
Modulo the duplicate-soname issue, this problem can be resolved using a
wrapper PAM module which opens the wrapped module with RTLD_GROUP (if
available) or RTLD_DEEPBIND. For an example of such a module, see
/afs/cs.cmu.edu/misc/aaa/src/aaa-head/pam_isolate
-- Jeff
More information about the Kerberos
mailing list