Password Management and Windows Local Password Checkout doesn't work with SLES 12 SP4+

  • 7024313
  • 04-Dec-2019
  • 05-Dec-2019

Environment

Privileged Account Manager 3.7
Privileged Account Manager 3.6

Situation

Password Management and Windows Local Password Checkout doesn't work with SLES 12 SP4+ with all the latest patch updates.

Resolution

To resolve this issue, the workaround is to manually downgrade the version of krb5 to the supported one (kbr5-1.12.5-40.28.2.x86_64):
  1. Check the installed version of krb after SLES 12 SP4 has been updated fully from SLES channel:
    linux-96qt:~ # rpm -qf /usr/lib64/libkrb5.so.3.3
    krb5-1.12.5-40.37.7.x86_64


  2. List the added repositories:
    linux-96qt:~ # zypper lr
    Repository priorities are without effect. All enabled repositories share the same priority.

    # | Alias                                                                   | Name                         | Enabled | GPG Check | Refresh
    --+-------------------------------------------------------------------------+------------------------------+---------+-----------+--------
    1 | SLES12-SP4-12.4-0                                                       | SLES12-SP4-12.4-0            | Yes     | (r ) Yes  | No
    2 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Debuginfo-Pool    | SLES12-SP4-Debuginfo-Pool    | No      | ----      | ----
    3 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Debuginfo-Updates | SLES12-SP4-Debuginfo-Updates | No      | ----      | ----
    4 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Pool              | SLES12-SP4-Pool              | Yes     | (r ) Yes  | No
    5 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Source-Pool       | SLES12-SP4-Source-Pool       | No      | ----      | ----
    6 | SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Updates           | SLES12-SP4-Updates           | Yes     | (r ) Yes  | Yes


  3. Check the version of krb5 in the specific repository (SLES 12 SP4 Pool):
    linux-96qt:~ # zypper pa -ir SUSE_Linux_Enterprise_Server_12_SP4_x86_64:SLES12-SP4-Pool |grep krb5
    v  | SLES12-SP4-Pool | krb5                                       | 1.12.5-40.28.2                     | x86_64
    v  | SLES12-SP4-Pool | krb5-32bit                                 | 1.12.5-40.28.2                     | x86_64
    v  | SLES12-SP4-Pool | libndr-krb5pac0                            | 4.6.16+git.124.aee309c5c18-3.32.1  | x86_64
    v  | SLES12-SP4-Pool | libndr-krb5pac0-32bit                      | 4.6.16+git.124.aee309c5c18-3.32.1  | x86_64


  4. Downgrade the krb5 package to a supported version:
    linux-96qt:~ # zypper in --oldpackage krb5=1.12.5-40.28.2

  5. Verify the version after the downgrade:
    linux-96qt:~ # rpm -qf /usr/lib64/libkrb5.so.3.3
    krb5-1.12.5-40.28.2.x86_64


  6. Additionally, please verify the presence of gssntlmssp library:
    sles12sp4-sanjeev:/usr/lib64 # ls -la /usr/lib64/gssntlmssp/gssntlmssp.so
    lrwxrwxrwx 1 root root 65 Dec  3 20:25 /usr/lib64/gssntlmssp/gssntlmssp.so -> /opt/netiq/npum/service/local/taskmanager/framework/gssntlmssp.so


Cause

A new version of the krb5 binary included by the SLES 12 SP4 doesn't work with the Linux Powershell module, which is used by PAM for Password Management (Task Manager module).

Status

Reported to Engineering