Symantec Access Management

Tech Tip : CA Single Sign-On : Kerberos Authentication setup: error in libkrb5.so.3 library

  • 1.  Tech Tip : CA Single Sign-On : Kerberos Authentication setup: error in libkrb5.so.3 library

    Posted 05-14-2018 03:28 AM

    Issue:


    When we try to validate keytab files using kinit, we get the following
    error:

     

    kinit: relocation error: kinit: symbol

    krb5_get_init_creds_opt_set_pac_request, version krb5_3_MIT not
    defined in file libkrb5.so.3 with link time reference

    Please note that kinit is linked to SSO’s libs, due to the
    LD_LIBRARY_PATH configuration for smuser

     

     

    $ ldd $(which kinit)
    linux-vdso.so.1 => (0x00007ffe6adbb000)
    libkadm5srv_mit.so.11 => /lib64/libkadm5srv_mit.so.11 (0x00007fa8d6391000)
    libkdb5.so.8 => /lib64/libkdb5.so.8 (0x00007fa8d617d000)
    libgssrpc.so.4 => /lib64/libgssrpc.so.4 (0x00007fa8d5f5d000)
    libgssapi_krb5.so.2 => /opt/CA/siteminder/lib/libgssapi_krb5.so.2 (0x00007fa8d5d04000)
    libkrb5.so.3 => /opt/CA/siteminder/lib/libkrb5.so.3 (0x00007fa8d5a10000)
    libk5crypto.so.3 => /opt/CA/siteminder/lib/libk5crypto.so.3 (0x00007fa8d57cc000)
    libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fa8d55c8000)
    libkrb5support.so.0 => /opt/CA/siteminder/lib/libkrb5support.so.0 (0x00007fa8d53ba000)
    libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fa8d51b6000)
    libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fa8d4f9d000)
    libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fa8d4d75000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fa8d4b71000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fa8d47a4000)
    libcom_err.so.3 => /opt/CA/siteminder/lib/libcom_err.so.3 (0x00007fa8d45a0000)
    libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa8d4384000)
    /lib64/ld-linux-x86-64.so.2 (0x00005608ca893000)
    libpcre.so.1 => /lib64/libpcre.so.1 (0x00007fa8d4121000)

     

    To solve this error, the only workaround found is to override
    LD_LIBRARY_PATH in order to use system libraries

    $ export LD_LIBRARY_PATH=/lib64:${LD_LIBRARY_PATH}

     

    Is that correct?

     

    Environment:

     

    Web Agent 12.52SP1CR06 on Apache 2.4 on RedHat 7

     

    Resolution:

     

    You can modify the LD_LIBRARY_PATH to get the system lib in /lib64
    loaded before Siteminder internal libraries"

     

    LD_LIBRARY_PATH is set in ca_ps_env.ksh for siteminder
    dependencies. Since Policy Server 12.7 is 64 bit, references in

    LD_LIBRARY_PATH should point to 64bit libraries, jvm included

     

     

    KB : KB000095644