AnsweredAssumed Answered

Kerberos relocation error:  krb5_get_init_creds_opt_set_fast_ccache_name

Question asked by Richard Faust Employee on Aug 22, 2017
Latest reply on Aug 23, 2017 by Richard Faust

Ref:  https://access.redhat.com/discussions/1986323

The referenced article references a similar problem, but the specific relocation error is a bit different:  symbol krb5_get_init_creds_opt_alloc.  The article touches on the fact that the output of the 'ldd' command for Kerberos commands references shared object that are in the path of the web agent rather than all shared objects being in /lib64.  The article ends inconclusively and no solution is presented.

 

I'm setting up a proof-of-concept for a customer in a lab environment.  On the Linux CentOS 7.3 server where I want to host the authentication scheme with an Apache 2.2.27 web server and SiteMinder web agent, there are multiple references to shared objects being in the webagent path rather than lib64:

[root@avid-cfv142 etc]# ldconfig -p|grep krb5
        libndr-krb5pac.so.0 (libc6,x86-64) => /lib64/libndr-krb5pac.so.0
        libkrb5support.so.0 (libc6,x86-64) => /tools/smwa/125/webagent/bin/libkrb5support.so.0
        libkrb5support.so.0 (libc6,x86-64) => /lib64/libkrb5support.so.0
        libkrb5.so.3 (libc6,x86-64) => /tools/smwa/125/webagent/bin/libkrb5.so.3
        libkrb5.so.3 (libc6,x86-64) => /lib64/libkrb5.so.3
        libgssapi_krb5.so.2 (libc6,x86-64) => /tools/smwa/125/webagent/bin/libgssapi_krb5.so.2
        libgssapi_krb5.so.2 (libc6,x86-64) => /lib64/libgssapi_krb5.so.2
[root@avid-cfv142 etc]# ldd /usr/bin/net | grep krb5
        libkrb5samba-samba4.so => /usr/lib64/samba/libkrb5samba-samba4.so (0x00007f4096c6d000)
        libndr-krb5pac.so.0 => /lib64/libndr-krb5pac.so.0 (0x00007f40961a5000)
        libkrb5.so.3 => /tools/smwa/125/webagent/bin/libkrb5.so.3 (0x00007f4093ef1000)
        libgssapi_krb5.so.2 => /tools/smwa/125/webagent/bin/libgssapi_krb5.so.2 (0x00007f409358f000)
        libauthkrb5-samba4.so => /usr/lib64/samba/libauthkrb5-samba4.so (0x00007f408e4a3000)
        libkrb5support.so.0 => /tools/smwa/125/webagent/bin/libkrb5support.so.0 (0x00007f408cc2e000)
[root@avid-cfv142 etc]#  ldd /usr/bin/klist | grep krb5
        libkrb5.so.3 => /tools/smwa/125/webagent/bin/libkrb5.so.3 (0x00007ffade5e9000)
        libkrb5support.so.0 => /tools/smwa/125/webagent/bin/libkrb5support.so.0 (0x00007ffade1b6000)
[root@avid-cfv142 etc]#  ldd /usr/bin/kinit | grep krb5
        libgssapi_krb5.so.2 => /tools/smwa/125/webagent/bin/libgssapi_krb5.so.2 (0x00007f8961c86000)
        libkrb5.so.3 => /tools/smwa/125/webagent/bin/libkrb5.so.3 (0x00007f8961aff000)
        libkrb5support.so.0 => /tools/smwa/125/webagent/bin/libkrb5support.so.0 (0x00007f89616cc000)
[root@avid-cfv142 etc]#

 

Anyone know how to steer around the relocation errors such as the one below being thrown by Kerberos commands?

[webadmin@avid-cfv142 krb5]$ kinit some_account
kinit: relocation error: kinit: symbol krb5_get_init_creds_opt_set_fast_ccache_name, version krb5_3_MIT not defined in file libkrb5.so.3 with link time reference
[webadmin@avid-cfv142 krb5]$

 

These are the Kerberos environment variables in effect:

[webadmin@avid-cfv142 krb5]$ env | grep -i krb
KRB5RCACHE=none
KRB5_TRACE=/home/webadmin/krb5/logs/krbtrace.log
KRB5RCACHETYPE=none
PWD=/home/webadmin/krb5
KRB5_CONFIG=/home/webadmin/krb5/krb5.conf
KRB5CCNAME=/home/webadmin/krb5/cache/krb5cc
[webadmin@avid-cfv142 krb5]$

Outcomes