maria-discuss team mailing list archive

Thread
Date

Re: pam authentication not working after few hours

To: Fabrizio Gerardi <info@xxxxxxxxxxxxxxxxxx>
From: Sergei Golubchik <serg@xxxxxxxxxxx>
Date: Tue, 25 Jun 2019 13:50:00 +0200
Cc: maria-discuss@xxxxxxxxxxxxxxxxxxx
In-reply-to: <6ba9ddfe-bd26-353c-387e-1f6d3ad030de@fabriziogerardi.it>
User-agent: Mutt/1.10.1 (2018-07-13)

Hi, Fabrizio!

I wrote that *if* it's a concurrency related issue, it's only fixed in
10.4, not in 10.3.16.

Or it could be a new bug that we haven't seen before.

You can try the pam plugin from 10.4.

If it won't help - please report a bug at jira.mariadb.org, but be
prepared that we might ask some questions there when trying to repeat
the problem.

On Jun 25, Fabrizio Gerardi wrote:
> Hi,
> 
> I confirm that release 10.3.16 did not fix this issue.
> I do have multiple concurrent users accessing MariaDB but I have 10 to
> 20 users in total (a fraction of which concurrent).
> This thing is driving me crazy...
> I would even consider a downgrade to 10.2.X if I was sure to fix the
> issue but the problem does not seem to have been recognized at all.
> 
> I am also sure this issue is not related to active directory integration
> as the sssd logs clearly confirm the authentication process succeeded.
> In MariaDB logs I find a line like this: "[Warning] Access denied for
> user 'user@'server_hostname' (using password: NO)"
> 
> Any ideas?
> 
> On 17/06/19 14:13, Sergei Golubchik wrote:
> > Hi, Fabrizio!
> >
> > On Jun 17, Fabrizio Gerardi wrote:
> >> Hi everyone,
> >>
> >> I have problems with mariadb 10.3.15 in a centos 7 environment.
> >>
> >> I configured mariadb to authenticate users via pam module while the
> >> system is a member of an active directory domain.
> >>
> >> Everything works fine except that authentication process stops working
> >> after few hours.
> >>
> >> Please note that only users authenticated via pam are facing this issue.
> >> Local users keep authenticating...
> >>
> >> The moment I restart mariadb service everything works fine again.
> >>
> >> Would you please confirm whether this issue is somewhat related with
> >> others I read will be fixed in next release (10.3.16) or not?
> > No, it doesn't look like something that 10.3.16 would fix.
> > There are no pam-related fixes in 10.3.16.
> >
> > Do you have multiple concurrent users accessing MariaDB?
> >
> > While I've never heard of the authentication process just stopping
> > working or anything related to the active directory pam modules, we
> > did have a case when MariaDB was crashing in some pam module that
> > used hardware tokens. It turned out that that particular pam module
> > was not multi-thread safe. Again, while I haven't heard anything
> > like that for active directory pam module or of that effect
> > (authentication stopping working), it's possible to be caused by the
> > same thing.
> >
> > in 10.4 we've reworked PAM plugin to not rely on the multi-thread
> > safety of OS pam modules.
> >
Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx

References

pam authentication not working after few hours
From: Fabrizio Gerardi, 2019-06-17
Re: pam authentication not working after few hours
From: Sergei Golubchik, 2019-06-17
Re: pam authentication not working after few hours
From: Fabrizio Gerardi, 2019-06-25