• how to install pam_krb5_migrate in RHEL/Fedora, NIS-->Kerberos auth

    From Robbie Harwood@21:1/5 to Robert Kudyba on Fri Oct 23 10:47:59 2020
    To: kerberos@mit.edu

    Robert Kudyba <rkudyba@fordham.edu> writes:

    > /usr/lib64/security/pam_krb5_migrate.so.1. Got the following errors: /usr/lib64/security/pam_krb5_migrate.so.1): libkadm5clnt_mit.so.11:
    > cannot open shared object file: No such file or directory

    In Fedora, libkadm5clnt_mit.so is provided by libkadm5. However, there
    has been a soname bump (to 12).

    Please be aware that I (Fedora maintainer) do not support
    external programs using the libkadm5 interfaces, and upstream krb5 does
    not provide stability guarantees for it.

    Thanks,
    --Robbie

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Robert Kudyba@21:1/5 to Robbie Harwood on Fri Oct 23 11:56:25 2020
    Copy: kerberos@mit.edu

    On Fri, Oct 23, 2020 at 10:48 AM Robbie Harwood <rharwood@redhat.com> wrote:
    > Robert Kudyba <rkudyba@fordham.edu> writes:
    >
    > > /usr/lib64/security/pam_krb5_migrate.so.1. Got the following errors: /usr/lib64/security/pam_krb5_migrate.so.1): libkadm5clnt_mit.so.11:
    > > cannot open shared object file: No such file or directory
    >
    > In Fedora, libkadm5clnt_mit.so is provided by libkadm5. However, there
    > has been a soname bump (to 12).

    OK I see:
    /usr/lib64/libkadm5clnt.so
    /usr/lib64/libkadm5clnt_mit.so
    /usr/lib64/libkadm5clnt_mit.so.12
    /usr/lib64/libkadm5clnt_mit.so.12.0

    > Please be aware that I (Fedora maintainer) do not support
    > external programs using the libkadm5 interfaces, and upstream krb5 does
    > not provide stability guarantees for it.

    Sure, I understand. Just testing it at the moment.

    So can I use libkadm5clnt_mit.so.12.0 and reference that in the PAM
    auth stack, wherever I had pam_krb5_migrate? Oracle has a migration
    guide at https://docs.oracle.com/cd/E23824_01/html/821-1456/setup-148.html#faavx
    that I'm trying to follow.

  • From Robert Kudyba@21:1/5 to Robbie Harwood on Fri Oct 23 16:05:48 2020
    Copy: kerberos@mit.edu

    So I tried this workaround, creating a symlink:
    ln -s /usr/lib64/libkadm5clnt_mit.so.12.0 /usr/lib64/security/pam_krb5_migrate.so.1

    From ssh -vv -K:
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure. Minor code may provide more information
    No Kerberos credentials available (default cache: KEYRING:persistent:6105)

    From the ssh logs after restarting sshd:
    sshd: PAM unable to resolve symbol: pam_sm_authenticate
    sshd: PAM unable to resolve symbol: pam_sm_setcred

    Any other suggestions on getting this working?

    On Fri, Oct 23, 2020 at 11:56 AM Robert Kudyba <rkudyba@fordham.edu> wrote:

    > On Fri, Oct 23, 2020 at 10:48 AM Robbie Harwood <rharwood@redhat.com> wrote:
    > > Robert Kudyba <rkudyba@fordham.edu> writes:
    > >
    > > > /usr/lib64/security/pam_krb5_migrate.so.1. Got the following errors: /usr/lib64/security/pam_krb5_migrate.so.1): libkadm5clnt_mit.so.11: cannot open shared object file: No such file or directory
    > >
    > > In Fedora, libkadm5clnt_mit.so is provided by libkadm5. However, there
    > > has been a soname bump (to 12).
    >
    > OK I see:
    > /usr/lib64/libkadm5clnt.so
    > /usr/lib64/libkadm5clnt_mit.so
    > /usr/lib64/libkadm5clnt_mit.so.12
    > /usr/lib64/libkadm5clnt_mit.so.12.0
    >
    > > Please be aware that I (Fedora maintainer) do not support
    > > external programs using the libkadm5 interfaces, and upstream krb5 does
    > > not provide stability guarantees for it.
    >
    > Sure, I understand. Just testing it at the moment.
    >
    > So can I use libkadm5clnt_mit.so.12.0 and reference that in the PAM
    > auth stack, wherever I had pam_krb5_migrate? Oracle has a migration
    > guide at https://docs.oracle.com/cd/E23824_01/html/821-1456/setup-148.html#faavx
    > that I'm trying to follow.
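
The two failures reported in this thread (the unresolved libkadm5clnt_mit.so.11 dependency and "PAM unable to resolve symbol: pam_sm_authenticate") can both be detected before a file is referenced from a PAM stack. The script below is an added example, not part of the original posts or of pam_krb5_migrate; its function names are hypothetical, and it assumes binutils `nm` and `ldd` are installed and that the file being checked is trusted.

```python
#!/usr/bin/env python3
"""Pre-flight check for a file referenced from a PAM stack (added example)."""
import re
import subprocess
import sys

# Entry points libpam looks up in a service module.
PAM_ENTRY_POINTS = {
    "pam_sm_authenticate", "pam_sm_setcred", "pam_sm_acct_mgmt",
    "pam_sm_open_session", "pam_sm_close_session", "pam_sm_chauthtok",
}

def exported_pam_symbols(nm_output):
    """PAM entry points defined in `nm -D --defined-only` output."""
    found = set()
    for line in nm_output.splitlines():
        fields = line.split()  # <address> <type> <name>[@@version]
        if len(fields) == 3 and fields[1] in ("T", "W"):
            found.add(fields[2].split("@")[0])
    return found & PAM_ENTRY_POINTS

def unresolved_libs(ldd_output):
    """Sonames that `ldd` reports as 'not found'."""
    return re.findall(r"^[ \t]*(\S+)[ \t]+=>[ \t]+not found", ldd_output, re.M)

def diagnose(nm_output, ldd_output):
    """Return a list of reasons the file cannot work as a PAM module."""
    problems = []
    missing = unresolved_libs(ldd_output)
    if missing:
        problems.append("unresolved dependencies: " + ", ".join(missing))
    if not exported_pam_symbols(nm_output):
        problems.append("exports no pam_sm_* entry points: not a PAM module")
    return problems

def run(cmd):
    """Run a tool and return its standard output as text."""
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real file: only run ldd on trusted binaries
        nm, ldd = run(["nm", "-D", "--defined-only", sys.argv[1]]), run(["ldd", sys.argv[1]])
    else:  # constructed sample: a client library symlinked in as a module
        nm = "0000000000008a10 T kadm5_init_with_password\n"
        ldd = "\tlibkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f0000000000)\n"
    for problem in diagnose(nm, ldd) or ["exports PAM entry points, dependencies resolve"]:
        print(problem)
```

Run with a path argument to check a real file; with no argument it evaluates the constructed sample.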
