[38825] in Kerberos

home help back first fref pref prev next nref lref last post

Re: how to install pam_krb5_migrate in RHEL/Fedora,

daemon@ATHENA.MIT.EDU (Robert Kudyba)
Fri Oct 23 16:09:02 2020

MIME-Version: 1.0
In-Reply-To: <CAFHi+KTb_G5dWf4rg-a=6rx-S-VmTrqAt6sLP-je05KG2LZoVg@mail.gmail.com>
From: Robert Kudyba <rkudyba@fordham.edu>
Date: Fri, 23 Oct 2020 16:05:48 -0400
Message-ID: <CAFHi+KQgDYoyOtR516WyXJR1aY0yXvzzYpD_J_+4+CC5Xajpgg@mail.gmail.com>
To: Robbie Harwood <rharwood@redhat.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

So I tried this work around, creating a sym link:
ln -s /usr/lib64/libkadm5clnt_mit.so.12.0
/usr/lib64/security/pam_krb5_migrate.so.1

from ssh -vv -K
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No Kerberos credentials available (default cache: KEYRING:persistent:6105)

>From the ssh logs after restarting sshd:
sshd: PAM unable to resolve symbol: pam_sm_authenticate
sshd: PAM unable to resolve symbol: pam_sm_setcred

Any other suggestions on getting this working?

On Fri, Oct 23, 2020 at 11:56 AM Robert Kudyba <rkudyba@fordham.edu> wrote:
>
> On Fri, Oct 23, 2020 at 10:48 AM Robbie Harwood <rharwood@redhat.com> wrote:
> > Robert Kudyba <rkudyba@fordham.edu> writes:
> >
> > > /usr/lib64/security/pam_krb5_migrate.so.1. Got the following errors:
> > > /usr/lib64/security/pam_krb5_migrate.so.1): libkadm5clnt_mit.so.11:
> > > cannot open shared object file: No such file or directory
> >
> > In Fedora, libkad5clnt_mit.so is provided by libkadm5.  However, there
> > has been a soname bump (to 12).
>
> OK I see:
> /usr/lib64/libkadm5clnt.so
> /usr/lib64/libkadm5clnt_mit.so
> /usr/lib64/libkadm5clnt_mit.so.12
> /usr/lib64/libkadm5clnt_mit.so.12.0
>
> > Please be aware that neither I (Fedora maintainer) do not support
> > external programs using the libkadm5 interfaces, and upstream krb5 does
> > not provide stability guarantees for it.
>
> Sure, I understand. Just testing it at the moment.
>
> So can I use libkadm5clnt_mit.so.12.0 and reference that in the PAM
> auth stack, wherever I had pam_krb5_migrate? Oracle has a migration
> guide at https://docs.oracle.com/cd/E23824_01/html/821-1456/setup-148.html#faavx
> that I'm trying to follow.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
home help back first fref pref prev next nref lref last post