Kerberos Authentication setup: error in libkrb5.so.3 library
search cancel

Kerberos Authentication setup: error in libkrb5.so.3 library

book

Article ID: 95644

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

When we try to validate keytab files using kinit, we get the following
error:

kinit: relocation error: kinit: symbol
krb5_get_init_creds_opt_set_pac_request, version krb5_3_MIT not
defined in file libkrb5.so.3 with link time reference

Please note that kinit is linked to SSO’s libs, due to the
LD_LIBRARY_PATH configuration for smuser

$ ldd $(which kinit) 
linux-vdso.so.1 => (0x00007ffe6adbb000) 
libkadm5srv_mit.so.11 => /lib64/libkadm5srv_mit.so.11 (0x00007fa8d6391000) 
libkdb5.so.8 => /lib64/libkdb5.so.8 (0x00007fa8d617d000) 
libgssrpc.so.4 => /lib64/libgssrpc.so.4 (0x00007fa8d5f5d000) 
libgssapi_krb5.so.2 => /opt/CA/siteminder/lib/libgssapi_krb5.so.2 (0x00007fa8d5d04000) 
libkrb5.so.3 => /opt/CA/siteminder/lib/libkrb5.so.3 (0x00007fa8d5a10000) 
libk5crypto.so.3 => /opt/CA/siteminder/lib/libk5crypto.so.3 (0x00007fa8d57cc000) 
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fa8d55c8000) 
libkrb5support.so.0 => /opt/CA/siteminder/lib/libkrb5support.so.0 (0x00007fa8d53ba000) 
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fa8d51b6000) 
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fa8d4f9d000) 
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fa8d4d75000) 
libdl.so.2 => /lib64/libdl.so.2 (0x00007fa8d4b71000) 
libc.so.6 => /lib64/libc.so.6 (0x00007fa8d47a4000) 
libcom_err.so.3 => /opt/CA/siteminder/lib/libcom_err.so.3 (0x00007fa8d45a0000) 
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa8d4384000) 
/lib64/ld-linux-x86-64.so.2 (0x00005608ca893000) 
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fa8d4121000) 

To solve this error, the only workaround found is to override
LD_LIBRARY_PATH in order to use system libraries

$ export LD_LIBRARY_PATH=/lib64:${LD_LIBRARY_PATH} 

Is that correct? 

Environment

Web Agent 12.52SP1CR06 on Apache 2.4 on RedHat 7

Resolution

  You can modify the LD_LIBRARY_PATH to get the system lib in /lib64
  loaded before Siteminder internal libraries"

  LD_LIBRARY_PATH is set in ca_ps_env.ksh for siteminder
  dependencies. Since Policy Server 12.7 is 64 bit, references in
  LD_LIBRARY_PATH should point to 64bit libraries, jvm included