← Back to team overview

maria-discuss team mailing list archive

Re: pam authentication not working after few hours



I confirm that release 10.3.16 did not fix this issue.
I do have multiple concurrent users accessing MariaDB but I have 10 to
20 users in total (a fraction of which concurrent).
This thing is driving me crazy...
I would even consider a downgrade to 10.2.X if I was sure to fix the
issue but the problem does not seem to have been recognized at all.

I am also sure this issue is not related to active directory integration
as the sssd logs clearly confirm the authentication process succeeded.
In MariaDB logs I find a line like this: "[Warning] Access denied for
user 'user@'server_hostname' (using password: NO)"

Any ideas?

On 17/06/19 14:13, Sergei Golubchik wrote:
> Hi, Fabrizio!
> On Jun 17, Fabrizio Gerardi wrote:
>> Hi everyone,
>> I have problems with mariadb 10.3.15 in a centos 7 environment.
>> I configured mariadb to authenticate users via pam module while the
>> system is a member of an active directory domain.
>> Everything works fine except that authentication process stops working
>> after few hours.
>> Please note that only users authenticated via pam are facing this issue.
>> Local users keep authenticating...
>> The moment I restart mariadb service everything works fine again.
>> Would you please confirm whether this issue is somewhat related with
>> others I read will be fixed in next release (10.3.16) or not?
> No, it doesn't look like something that 10.3.16 would fix.
> There are no pam-related fixes in 10.3.16.
> Do you have multiple concurrent users accessing MariaDB?
> While I've never heard of the authentication process just stopping
> working or anything related to the active directory pam modules,
> we did have a case when MariaDB was crashing in some pam module that
> used hardware tokens. It turned out that that particular pam module was
> not multi-thread safe. Again, while I haven't heard anything like that
> for active directory pam module or of that effect (authentication
> stopping working), it's possible to be caused by the same thing.
> in 10.4 we've reworked PAM plugin to not rely on the multi-thread safety
> of OS pam modules.
> Regards,
> Sergei
> Chief Architect MariaDB
> and security@xxxxxxxxxxx

Follow ups