maria-discuss team mailing list archive

Thread
Date

Re: pam authentication not working after few hours

To: maria-discuss@xxxxxxxxxxxxxxxxxxx
From: Fabrizio Gerardi <info@xxxxxxxxxxxxxxxxxx>
Date: Tue, 25 Jun 2019 12:20:37 +0200
In-reply-to: <20190617121321.GA7222@pweza.fritz.box>
Openpgp: preference=signencrypt
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2

Hi,

I confirm that release 10.3.16 did not fix this issue.
I do have multiple concurrent users accessing MariaDB but I have 10 to
20 users in total (a fraction of which concurrent).
This thing is driving me crazy...
I would even consider a downgrade to 10.2.X if I was sure to fix the
issue but the problem does not seem to have been recognized at all.

I am also sure this issue is not related to active directory integration
as the sssd logs clearly confirm the authentication process succeeded.
In MariaDB logs I find a line like this: "[Warning] Access denied for
user 'user@'server_hostname' (using password: NO)"

Any ideas?



On 17/06/19 14:13, Sergei Golubchik wrote:
> Hi, Fabrizio!
>
> On Jun 17, Fabrizio Gerardi wrote:
>> Hi everyone,
>>
>> I have problems with mariadb 10.3.15 in a centos 7 environment.
>>
>> I configured mariadb to authenticate users via pam module while the
>> system is a member of an active directory domain.
>>
>> Everything works fine except that authentication process stops working
>> after few hours.
>>
>> Please note that only users authenticated via pam are facing this issue.
>> Local users keep authenticating...
>>
>> The moment I restart mariadb service everything works fine again.
>>
>> Would you please confirm whether this issue is somewhat related with
>> others I read will be fixed in next release (10.3.16) or not?
> No, it doesn't look like something that 10.3.16 would fix.
> There are no pam-related fixes in 10.3.16.
>
> Do you have multiple concurrent users accessing MariaDB?
>
> While I've never heard of the authentication process just stopping
> working or anything related to the active directory pam modules,
> we did have a case when MariaDB was crashing in some pam module that
> used hardware tokens. It turned out that that particular pam module was
> not multi-thread safe. Again, while I haven't heard anything like that
> for active directory pam module or of that effect (authentication
> stopping working), it's possible to be caused by the same thing.
>
> in 10.4 we've reworked PAM plugin to not rely on the multi-thread safety
> of OS pam modules.
>
> Regards,
> Sergei
> Chief Architect MariaDB
> and security@xxxxxxxxxxx
>

Follow ups

Re: pam authentication not working after few hours
From: Sergei Golubchik, 2019-06-25

References

pam authentication not working after few hours
From: Fabrizio Gerardi, 2019-06-17
Re: pam authentication not working after few hours
From: Sergei Golubchik, 2019-06-17