- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - HP-UX
- >
- Re: PAM load_modules: can not open module /usr/lib...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-10-2010 02:21 PM
тАО03-10-2010 02:21 PM
There seems to be a problem with sshd loading libpam_krb5.so.1.
In syslog, I found:
Mar 10 16:21:29 ren sshd[8097]: load_modules: /usr/lib/security/pa20_64/libpam_hpsec.so.1
Mar 10 16:21:29 ren sshd[8097]: load_function: successful load of pam_sm_authenticate
Mar 10 16:21:29 ren sshd[8097]: load_modules: /usr/lib/security/pa20_64/libpam_krb5.so.1
Mar 10 16:21:29 ren sshd[8097]: open_module: /usr/lib/security/pa20_64/libpam_krb5.so.1 failed: Error 0
Mar 10 16:21:29 ren sshd[8097]: load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
Mar 10 16:21:29 ren sshd[8097]: pam_authenticate: load_modules failed
Running sshd in debug mode, I noticed:
debug1: PAM: password authentication failed for casl: Shared object load failure
Behavior is the same with sshd from A.05.10.007 and A.05.30.008 (latest).
If I use "login username", I see that libpam_krb5.so.1 *does* load correctly.
This was working briefly, prior to updating the Kerberos Client bits to D.1.6.2.05.
I've also looked at the "tusc" output from sshd, and I can see the open() call succeeding, so I'm guessing there may be some other dependency.
Any suggestions?
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-10-2010 10:11 PM
тАО03-10-2010 10:11 PM
Re: PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
Can you attach the tusc output from a window around the open of libpam_krb5.so.1 for a bunch of lines?
Is sshd a 64 bit app?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-11-2010 07:27 AM
тАО03-11-2010 07:27 AM
Re: PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
Yes, sshd is 64-bit. I also tried the 32-bit version which I found in
/opt/ssh/pa20_32/sbin/sshd
I have not yet tried the other 2 versions, though, which I just discovered. There are 4 versions, each with different magic.
/opt/ssh/PA-RISC1.1/sbin/sshd: PA-RISC1.1 shared executable dynamically linked -not stripped dynamically linked
/opt/ssh/PA-RISC2.0/sbin/sshd: PA-RISC2.0 shared executable dynamically linked -not stripped
/opt/ssh/pa20_32/sbin/sshd: PA-RISC2.0 shared executable dynamically linked
/opt/ssh/pa20_64/sbin/sshd: ELF-64 executable object file - PA-RISC 2.0 (LP64)
Hmm...
A section of the tusc output is attached. I cut from the reading of pam.conf down to the error being written to syslog.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-11-2010 08:55 AM
тАО03-11-2010 08:55 AM
Re: PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
Then that should go with pa20_64/libpam_krb5.so.1.
>A section of the tusc output is attached.
That's missing.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-11-2010 09:04 AM
тАО03-11-2010 09:04 AM
Re: PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
Let's try again.
BTW, I tested 32-bit and it seems to be working now. No luck with 64-bit, still.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-11-2010 09:20 AM
тАО03-11-2010 09:20 AM
Re: PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
It seems to open/mmap it correctly. About the only problems dld could get is missing symbols.
Do you have the correct version of libpam_krb5.so.1?
Do you have the recommended linker patches?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-12-2010 11:05 AM
тАО03-12-2010 11:05 AM
Re: PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
Yep.
>About the only problems dld could get is missing symbols.
That's what I was thinking, but I'm not sure why I'm not getting a decent error message.
>Do you have the correct version of libpam_krb5.so.1?
I don't see any patches for this. swverify on PAM-Kerberos comes back clean.
>Do you have the recommended linker patches?
PHSS_38134 is installed. I see PHSS_40537 as the latest recommend, but there's little to indicate any related changes in the patch text.
PHCO_38273 for libc, btw.
I switched the link in /opt/ssh/sbin/sshd to point to the 32-bit version instead of the 64-bit version. I think this will be an acceptable workaround.
This server will be out of production in a few months, so I might be able to poke at this some more later.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-12-2010 11:54 AM
тАО03-12-2010 11:54 AM
SolutionIf PAM doesn't work hard, it doesn't get any detailed error messages from dld. I.e. it would have to call shl_load(,...|BIND_VERBOSE)
If using dlopen, it would have to call dlerror(3) and print the string.
There might be some environment variables you can export to give more details? From dld.sl(5):
export _HP_DLDOPTS="-warnings"
export DLD_VERBOSE_ERR=true
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-15-2010 07:01 AM
тАО03-15-2010 07:01 AM
Re: PAM load_modules: can not open module /usr/lib/security/pa20_64/libpam_krb5.so.1
With this defined, I received an immediate error:
dld.sl: Invalid dld option '-warnings'
Killed
> export DLD_VERBOSE_ERR=true
This pointed to an undefined reference to "errno" in the sshd output:
debug2: input_userauth_request: try method none
Unsatisfied data symbol 'errno' in load module '/usr/lib/security/pa20_64/libpam_krb5.so.1'.
debug1: PAM: password authentication failed for [user]: Shared object load failure
I haven't researched for a possible patch for this. Running the 32-bit sshd seems to be working out just fine.
Thanks again, Dennis.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО03-15-2010 10:19 AM
тАО03-15-2010 10:19 AM