Informix + PAM + AD + CentOS Samba Update Issue

  • 1.  Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri December 18, 2020 11:20 AM
    Edited by System Fri January 20, 2023 04:22 PM

    OK, kids, here's an esoteric one for you, which I've recently run across. For years now, we've been using PAM authentication to allow our domain users (in our case, MS Active Directory) to access certain databases with their domain credentials, saving us the trouble of separate account and password management. This has generally worked quite well.

    Two somewhat recent updates to the Samba packages caused problems that you might wish to be aware of, one easily fixed, and one for which I do not yet have a resolution.

    First, the easy one: In /etc/security/pam_winbind.conf, there's a parameter called require_membership_of, which allows us to specify a group or groups that are allowed to access. If this is set, anyone not a member of the listed groups is rejected even if they provide proper credentials. We've used this as a filter. With a recent update (sorry, I forget which), this stopped working. After some internet sleuthing, I figured out that they changed the parameter to require a domain prefix, which was previously not required. I also learned that they didn't update the documentation or release notes accordingly although, to my discredit, I hadn't read them anyway. (The update came in as part of a simple "yum update".) So instead of listing "mygroup" we needed to list "mydomain\mygroup"; implementing that simple fix worked.

    Now, the tough one, which is quite recent: Another "yum update" command updated the Samba family of packages from 4.10.4 to 4.10.16. Following this update, Informix PAM/AD authentication stopped working. Authentication to the database would fail, and I'd see this error in /var/log/secure:

    Dec 18 15:40:30 myhost oninit: PAM unable to dlopen(/usr/lib64/security/pam_winbind.so): /usr/lib64/samba/libreplace-samba4.so: version `SAMBA_4.10.16' not found (required by /usr/lib64/security/pam_winbind.so)


    What's interesting about this is that the behavior seems to be exclusively limited to Informix. PAM-based shell access is granted for AD users so authorized. And PAM-based access to other databases like MariaDB continues to operate as expected, too. Whatever is going on here seems to be unique to Informix.

    I've replicated this behavior in 12.10.FC14 and 14.10.FC4W1.

    I'm trying to get my hands on the intermediate versions of Samba to see exactly where the problem was introduced. But curious if anyone else is running the CentOS + PAM + Informix + AD combination, and could verify the same problem.

    I'm inclined to open a ticket, but I'm not sure they'll have much to go on.



    ------------------------------
    TOM GIRSCH
    ------------------------------




  • 2.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted Fri December 18, 2020 11:28 AM

    Thanks for the warning, Tom!

    Also nice to hear that Red Hat will stop supporting CentOS ....






  • 3.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri December 18, 2020 11:35 AM

    That's why CentOS Stream is going to be a thing moving forward.



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 4.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri December 18, 2020 11:54 AM

    [Technically, I don't think Red Hat *ever* supported CentOS. The whole point of CentOS is that it's the truly open-source equivalent of the decidedly non-open-source Red Hat]



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 5.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri December 18, 2020 12:06 PM

    So, Fedora is the Red Hat-sponsored and supported fully open version of RHEL. CentOS is the community-managed and supported completely open version of RHEL; though the CentOS Project joined Red Hat in 2014, unlike Fedora, it is still managed by the CentOS Committee.

    Changes to the RHEL codebase typically start in Fedora releases then migrate to RHEL releases. CentOS may or may not adopt specific features, enhancements, & other changes.



    ------------------------------
    Art S. Kagel, President and Principal Consultant
    ASK Database Management Corp.
    www.askdbmgt.com
    ------------------------------



  • 6.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 09:48 AM
    I finally got around to opening a ticket on this issue. TS004916372

    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 7.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 10:20 AM
    Interesting.

    Yet, in my understanding, Informix really only uses PAM, but wouldn't own or influence any of it, so I have my doubts that this is in any way 'caused' by Informix.

    What differences would exist in (again non-Informix) PAM configuration between shell login access, MariaDB access and Informix access?

    And did you search for libreplace-samba4.so - on your system and elsewhere? This library missing looks to be the most immediate problem.

    ------------------------------
    Andreas Legner
    ------------------------------



  • 8.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted Fri January 29, 2021 10:47 AM

    Yes, tough; it could be many things that went wrong. I agree with Andreas - not likely Informix related ...

    I'd start by looking at libreplace-samba:

    /bin/ls -l /usr/lib64/samba/libreplace-samba4.so*

    There may be multiple copies of this library with a few versions, and

    readelf -V /usr/lib64/samba/libreplace-samba4.so

    to confirm what is the actual version of the library that pam_winbind.so is trying to load.

    Considering that the packages had just been updated to 4.10.16, it's not clear why libreplace-samba4.so is not the latest version; at least that's how I understand the error message.

    You can also check with

    rpm -qf /usr/lib64/samba/libreplace-samba4.so

    that the library actually belongs to the package with the new version.

    ldd /usr/lib64/security/pam_winbind.so

    is likely to give the same error? (version `SAMBA_4.10.16' not found)

    A potential fix (if the libreplace-samba4 library is indeed older) would be to make sure it's either updated (yum install samba-client-libs) or linked to the right library if it's already there.

    That's one direction; another would be to check what "ldconfig" is showing. That could be messy too, since you may be picking up libraries from unexpected places.

    Keep the group posted on the findings!



    ------------------------------
    Vladimir Kolobrodov
    ------------------------------



  • 9.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 11:18 AM

    See my detailed troubleshoot below. But per your request:

    $ sudo readelf -V /usr/lib64/samba/libreplace-samba4.so
    
    Version symbols section '.gnu.version' contains 42 entries:
     Addr: 0000000000000904  Offset: 0x000904  Link: 3 (.dynsym)
      000:   0 (*local*)       3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
      004:   0 (*local*)       3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   4 (GLIBC_2.4)  
      008:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
      00c:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   0 (*local*)    
      010:   5 (GLIBC_2.14)    3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
      014:   3 (GLIBC_2.2.5)   0 (*local*)       0 (*local*)       3 (GLIBC_2.2.5)
      018:   3 (GLIBC_2.2.5)   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)
      01c:   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)
      020:   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)
      024:   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)
      028:   2 (SAMBA_4.10.16)   2 (SAMBA_4.10.16)
    
    Version definition section '.gnu.version_d' contains 2 entries:
      Addr: 0x0000000000000958  Offset: 0x000958  Link: 4 (.dynstr)  000000: Rev: 1  Flags: BASE   Index: 1  Cnt: 1  Name: libreplace-samba4.so
      0x001c: Rev: 1  Flags: none  Index: 2  Cnt: 1  Name: SAMBA_4.10.16
      Version definition past end of section
    
    Version needs section '.gnu.version_r' contains 1 entries:
     Addr: 0x0000000000000990  Offset: 0x000990  Link: 4 (.dynstr)
      000000: Version: 1  File: libc.so.6  Cnt: 3
      0x0010:   Name: GLIBC_2.14  Flags: none  Version: 5
      0x0020:   Name: GLIBC_2.4  Flags: none  Version: 4
      0x0030:   Name: GLIBC_2.2.5  Flags: none  Version: 3
    
    $ rpm -qf /usr/lib64/samba/libreplace-samba4.so
    samba-client-libs-4.10.16-9.el7_9.x86_64
    
    $ ldd /usr/lib64/security/pam_winbind.so 
            linux-vdso.so.1 =>  (0x00007fffcf14f000)
            libwbclient.so.0 => /usr/lib64/libwbclient.so.0 (0x00007fe7b24dd000)
            libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so (0x00007fe7b22da000)
            libwinbind-client-samba4.so => /usr/lib64/samba/libwinbind-client-samba4.so (0x00007fe7b20d6000)
            libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007fe7b1ed2000)
            libpam.so.0 => /usr/lib64/libpam.so.0 (0x00007fe7b1cc3000)
            libtalloc.so.2 => /usr/lib64/libtalloc.so.2 (0x00007fe7b1ab4000)
            libcrypt.so.1 => /usr/lib64/libcrypt.so.1 (0x00007fe7b187d000)
            libc.so.6 => /usr/lib64/libc.so.6 (0x00007fe7b14af000)
            /lib64/ld-linux-x86-64.so.2 (0x00007fe7b28f8000)
            libaudit.so.1 => /usr/lib64/libaudit.so.1 (0x00007fe7b1286000)
            libfreebl3.so => /usr/lib64/libfreebl3.so (0x00007fe7b1083000)
            libcap-ng.so.0 => /usr/lib64/libcap-ng.so.0 (0x00007fe7b0e7d000)
    


    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 10.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 11:13 AM

    I can think of no other explanation as to why shell access and MariaDB access would continue to work, but Informix would break. What seems to be happening here is that Informix is reporting the library as being missing even though it is not.

    Here's the baseline system:

    $ uname -a
    Linux [myhost].aemaine.com 3.10.0-1160.11.1.el7.x86_64 #1 SMP Fri Dec 18 16:34:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    $ sudo yum list installed | egrep "samba|winbind|libwb"
    libwbclient.x86_64              4.10.4-11.el7_8                @centos7-base    
    samba-client-libs.x86_64        4.10.4-11.el7_8                @centos7-base    
    samba-common.noarch             4.10.4-11.el7_8                @centos7-base    
    samba-common-libs.x86_64        4.10.4-11.el7_8                @centos7-base    
    samba-common-tools.x86_64       4.10.4-11.el7_8                @centos7-base    
    samba-libs.x86_64               4.10.4-11.el7_8                @centos7-base    
    samba-winbind.x86_64            4.10.4-11.el7_8                @centos7-base    
    samba-winbind-clients.x86_64    4.10.4-11.el7_8                @centos7-base    
    samba-winbind-modules.x86_64    4.10.4-11.el7_8                @centos7-base    
    $ ls -la /usr/lib64/samba/libreplace*                      
    -rwxr-xr-x. 1 root root 11128 May 12  2020 /usr/lib64/samba/libreplace-samba4.so
    $ strings /usr/lib64/samba/libreplace-samba4.so | grep 4.10
    SAMBA_4.10.4
    
    [attempt to connect as AD user 'tgirsch' succeeds.]
    
    $ sudo tail -9 /var/log/secure
    Jan 29 15:48:22 [myhost] sudo: tgirsch : TTY=pts/1 ; PWD=/home/tgirsch ; USER=root ; COMMAND=/bin/yum list installed
    Jan 29 15:48:22 [myhost] sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Jan 29 15:48:22 [myhost] sudo: pam_unix(sudo:session): session closed for user root
    Jan 29 15:48:46 [myhost] oninit: pam_unix(ifmx-auth:auth): authentication failure; logname= uid=202 euid=0 tty= ruser=tgirsch rhost=[myhost].aemaine.com  user=tgirsch
    Jan 29 15:48:46 [myhost] oninit: pam_winbind(ifmx-auth:auth): getting password (0x00002050)
    Jan 29 15:48:46 [myhost] oninit: pam_winbind(ifmx-auth:auth): pam_get_item returned a password
    Jan 29 15:48:46 [myhost] oninit: pam_winbind(ifmx-auth:auth): user 'tgirsch' granted access
    Jan 29 15:48:54 [myhost] sudo: tgirsch : TTY=pts/1 ; PWD=/home/tgirsch ; USER=root ; COMMAND=/bin/tail -9 /var/log/secure
    Jan 29 15:48:54 [myhost] sudo: pam_unix(sudo:session): session opened for user root by (uid=0)


    Everything works as expected.

    Now I run sudo yum -y update samba-winbind, and it updates all the samba-related packages:

    $ uname -a
    Linux [myhost].aemaine.com 3.10.0-1160.11.1.el7.x86_64 #1 SMP Fri Dec 18 16:34:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    $ sudo yum list installed | egrep "samba|winbind|libwb"
    libwbclient.x86_64              4.10.16-9.el7_9                @centos7-base    
    samba-client-libs.x86_64        4.10.16-9.el7_9                @centos7-base    
    samba-common.noarch             4.10.16-9.el7_9                @centos7-base    
    samba-common-libs.x86_64        4.10.16-9.el7_9                @centos7-base    
    samba-common-tools.x86_64       4.10.16-9.el7_9                @centos7-base    
    samba-libs.x86_64               4.10.16-9.el7_9                @centos7-base    
    samba-winbind.x86_64            4.10.16-9.el7_9                @centos7-base    
    samba-winbind-clients.x86_64    4.10.16-9.el7_9                @centos7-base    
    samba-winbind-modules.x86_64    4.10.16-9.el7_9                @centos7-base    
    $ ls -la /usr/lib64/samba/libreplace*
    -rwxr-xr-x. 1 root root 11136 Dec 15 16:43 /usr/lib64/samba/libreplace-samba4.so
    $ strings /usr/lib64/samba/libreplace-samba4.so | grep 4.10
    SAMBA_4.10.16
    
    [attempt to connect as AD user 'tgirsch' fails with error 1809]
    
    $ sudo tail -8 /var/log/secure
    Jan 29 15:44:47 [myhost] sudo: tgirsch : TTY=pts/1 ; PWD=/home/tgirsch ; USER=root ; COMMAND=/bin/yum list installed
    Jan 29 15:44:47 [myhost] sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Jan 29 15:44:48 [myhost] sudo: pam_unix(sudo:session): session closed for user root
    Jan 29 15:45:23 [myhost] oninit: PAM unable to dlopen(/usr/lib64/security/pam_winbind.so): /usr/lib64/samba/libreplace-samba4.so: version `SAMBA_4.10.16' not found (required by /usr/lib64/security/pam_winbind.so)
    Jan 29 15:45:23 [myhost] oninit: PAM adding faulty module: /usr/lib64/security/pam_winbind.so
    Jan 29 15:45:23 [myhost] oninit: pam_unix(ifmx-auth:auth): authentication failure; logname= uid=202 euid=0 tty= ruser=tgirsch rhost=[myhost].aemaine.com  user=tgirsch
    Jan 29 15:45:34 [myhost] sudo: tgirsch : TTY=pts/1 ; PWD=/home/tgirsch ; USER=root ; COMMAND=/bin/tail -8 /var/log/secure
    Jan 29 15:45:34 [myhost] sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    


    As you can see, the library file is there, the version is correct, yet oninit returns an "unable to dlopen" error.

    If I run 'yum history undo' to revert back to 4.10.4, everything is fine again.

    Here's the PAM stack I'm using for Informix:

    $ cat /etc/pam.d/ifmx-auth
    auth        required      pam_env.so
    auth        required      pam_faildelay.so delay=2000000
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient    pam_winbind.so use_first_pass
    auth        required      pam_deny.so
    
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     required      pam_permit.so

    As a sanity check, here's a MariaDB test to prove the point:

    $ uname -a
    Linux [myhost].aemaine.com 3.10.0-1160.11.1.el7.x86_64 #1 SMP Fri Dec 18 16:34:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    $ sudo yum list installed | egrep "samba|winbind|libwb"
    libwbclient.x86_64              4.10.16-9.el7_9                @centos7-base
    samba-client-libs.x86_64        4.10.16-9.el7_9                @centos7-base
    samba-common.noarch             4.10.16-9.el7_9                @centos7-base
    samba-common-libs.x86_64        4.10.16-9.el7_9                @centos7-base
    samba-common-tools.x86_64       4.10.16-9.el7_9                @centos7-base
    samba-libs.x86_64               4.10.16-9.el7_9                @centos7-base
    samba-winbind.x86_64            4.10.16-9.el7_9                @centos7-base
    samba-winbind-clients.x86_64    4.10.16-9.el7_9                @centos7-base
    samba-winbind-modules.x86_64    4.10.16-9.el7_9                @centos7-base
    $ ls -la /usr/lib64/samba/libreplace*
    -rwxr-xr-x 1 root root 11136 Dec 15 16:43 /usr/lib64/samba/libreplace-samba4.so
    $ strings /usr/lib64/samba/libreplace* | grep "4.10"
    SAMBA_4.10.16
    $ mysql -h localhost -u tgirsch -p
    Enter password: 
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 22111
    Server version: 10.5.8-MariaDB-log MariaDB Server
    
    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    MariaDB [(none)]> SHOW GRANTS FOR 'tgirsch';
    +------------------------------------------------------------------------+
    | Grants for tgirsch@%                                                   |
    +------------------------------------------------------------------------+
    | GRANT USAGE ON *.* TO `tgirsch`@`%` IDENTIFIED VIA pam USING 'db-auth' |
    | GRANT SELECT ON `supplier`.* TO `tgirsch`@`%`                          |
    +------------------------------------------------------------------------+
    2 rows in set (0.000 sec)
    
    MariaDB [(none)]> exit
    Bye
    $ sudo tail -9 /var/log/secure
    Jan 29 15:55:34 [myhost] sudo: mariadb : TTY=pts/1 ; PWD=/home/mariadb ; USER=root ; COMMAND=/bin/yum list installed
    Jan 29 15:55:34 [myhost] sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    Jan 29 15:55:35 [myhost] sudo: pam_unix(sudo:session): session closed for user root
    Jan 29 15:55:55 [myhost] mariadbd: pam_unix(db-auth:auth): authentication failure; logname= uid=502 euid=502 tty= ruser= rhost=  user=tgirsch
    Jan 29 15:55:55 [myhost] mariadbd: pam_winbind(db-auth:auth): getting password (0x00000050)
    Jan 29 15:55:55 [myhost] mariadbd: pam_winbind(db-auth:auth): pam_get_item returned a password
    Jan 29 15:55:55 [myhost] mariadbd: pam_winbind(db-auth:auth): user 'tgirsch' granted access
    Jan 29 15:56:17 [myhost] sudo: mariadb : TTY=pts/1 ; PWD=/home/mariadb ; USER=root ; COMMAND=/bin/tail -9 /var/log/secure
    Jan 29 15:56:17 [myhost] sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
    $ cat /etc/pam.d/db-auth
    auth        required      pam_env.so
    auth        required      pam_faildelay.so delay=2000000
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient    pam_winbind.so use_first_pass
    auth        required      pam_deny.so
    
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     required      pam_permit.so


    Identical OS versions, identical Samba versions, identical PAM stacks. Shell login works. MariaDB works. Informix fails.

    If the problem exists external to Informix, I fail to see where or how.



    ------------------------------
    TOM GIRSCH
    ------------------------------
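An added example (not part of the thread): a scan of /var/log/secure-style lines for the "PAM unable to dlopen" failure shown in the post above, summarized per daemon so it is visible which services lost a PAM module after an update. The function names and the sample lines (host `dbhost01`, user `user1`) are constructed, following the line format in the post.

```shell
#!/bin/sh
# Added example: summarise PAM module load failures from syslog "secure" lines.

# pam_dlopen_failures < log
# Prints: daemon <TAB> module <TAB> library <TAB> required-version <TAB> count
pam_dlopen_failures() {
    awk '
        / PAM unable to dlopen\(/ {
            # $5 is the syslog tag, e.g. "oninit:" or "sshd[1234]:"
            daemon = $5
            sub(/(\[[0-9]+\])?:$/, "", daemon)

            # $9 looks like "dlopen(/path/to/pam_module.so):"
            module = $9
            sub(/^dlopen\(/, "", module)
            sub(/\):$/, "", module)

            # The loader text after that varies; the symbol-version form is
            # "<library>: version <quoted name> not found ...".
            lib = "-"; ver = "-"
            if ($11 == "version") {
                lib = $10; sub(/:$/, "", lib)
                ver = $12; gsub(/[^A-Za-z0-9_.]/, "", ver)
            }

            key = daemon "\t" module "\t" lib "\t" ver
            if (!(key in count)) order[++n] = key
            count[key]++
        }
        END {
            for (i = 1; i <= n; i++) print order[i] "\t" count[order[i]]
        }'
}

# Constructed sample input in the format of the /var/log/secure excerpts.
sample_secure_log() {
cat <<'EOF'
Jan 29 15:45:23 dbhost01 oninit: PAM unable to dlopen(/usr/lib64/security/pam_winbind.so): /usr/lib64/samba/libreplace-samba4.so: version `SAMBA_4.10.16' not found (required by /usr/lib64/security/pam_winbind.so)
Jan 29 15:45:23 dbhost01 oninit: PAM adding faulty module: /usr/lib64/security/pam_winbind.so
Jan 29 15:45:23 dbhost01 oninit: pam_unix(ifmx-auth:auth): authentication failure; logname= uid=202 euid=0 tty= ruser=user1 rhost=dbhost01  user=user1
Jan 29 15:46:02 dbhost01 oninit: PAM unable to dlopen(/usr/lib64/security/pam_winbind.so): /usr/lib64/samba/libreplace-samba4.so: version `SAMBA_4.10.16' not found (required by /usr/lib64/security/pam_winbind.so)
Jan 29 15:55:55 dbhost01 mariadbd: pam_winbind(db-auth:auth): user 'user1' granted access
EOF
}

# With a readable log file as the first argument, parse it; otherwise run on
# the constructed sample.
if [ -r "${1:-}" ]; then
    pam_dlopen_failures < "$1"
else
    sample_secure_log | pam_dlopen_failures
fi
```

On the sample, only `oninit` is reported, with a count of 2; the `mariadbd` line is a successful winbind authentication and is ignored.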



  • 11.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 11:33 AM
    /usr/lib64/samba/libreplace-samba4.so: version `SAMBA_4.10.16' not found

    would indicate access to a file existing in file system didn't succeed or, more precisely, the file can't be seen.
    If the file exists, what other explanation than inability to walk that path down to the file?

    What's going wrong here is dlopen() OS library call, from within another OS library (pam_winbind.so), so really not in Informix' realm, yet of course subject to regular permission checking and maybe other security checks.



    ------------------------------
    Andreas Legner
    ------------------------------



  • 12.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 11:28 AM

    I should note that your initial question, "How could the problem possibly be on the Informix end?" was also my initial question.

    But given the results of my detailed testing below (and the outputs of the commands Vladimir suggested), my question shifted to "how could the problem possibly be anywhere other than Informix?" Shell authentications work fine. Other DBs using the same PAM stack work fine. Informix breaks.



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 13.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 11:38 AM
    Maybe one difference is: shell authentication is performed by a privileged process (sshd?) while Informix PAM auth conducted by a non-privileged oninit process - had to check this?
    Not sure about MariaDB...

    ------------------------------
    Andreas Legner
    ------------------------------



  • 14.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 12:21 PM

    Recall that oninit runs as setuid root. And there are no restricted permissions anywhere in the directory tree.

    Note, too, that from /var/log/secure, the MariaDB authentication seems to be walking the exact same path, and is working. For what it's worth, the MariaDB process does not run setuid root.

    [The CPU VPs and encrypt VPs -- the latter for at-rest disk encryption -- run as user informix; all other VPs run as root. I believe authentication like this is done by the msc VP, which runs as root.]



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 15.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted Fri January 29, 2021 12:39 PM

    Yes, setuid could play a role, but then it will be the same with previous version of packages ....

    Bizarre ...

    Unfortunately I don't have environment with PAM to play with, not sure if you would get more info by looking at traces for original / updated package for the Informix VP which runs authentication. 

    strace -fp <pid-of-msc-vp>

    And then try to connect. That would also show full path to objects.

    Asking just in case - you did bounce Informix after updating samba packages ? (sometimes library in memory may be of previous version if it's not released)

    The puzzling thing to me is

    /usr/lib64/samba/libreplace-samba4.so: version `SAMBA_4.10.16' not found

    when all indications are that library was updated.

    UNIX process sometimes can use cached library image in memory even after it's been deleted / overwritten.



    ------------------------------
    Vladimir Kolobrodov
    ------------------------------



  • 16.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 12:50 PM
    The problem persists even after an engine bounce; in fact, it persists even after a full reboot.

    Also, while the cached library idea could have some merit, I would expect the engine to be looking for 4.10.4 (the version that was in place when the engine was started / the first time it made a PAM call) rather than 4.10.16 (the now-current version). That it's looking for 4.10.16 tells me it recognizes the new version.

    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 17.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted Fri January 29, 2021 01:02 PM

    > I would expect the engine to be looking for 4.10.4

    that would depend which library was "locked" - if top library was not - it'll be loaded fresh and then could try to use dependency still in memory.

    However that's clearly not the case, since after reboot you see same issue.

    Another shot in the dark - can you check settings for "perf_event_paranoid":

    # sysctl kernel.perf_event_paranoid

    If it's "2" - try changing to "1"

    # echo 1 > /proc/sys/kernel/perf_event_paranoid

    or

    # sysctl kernel.perf_event_paranoid=1

    and see if it makes any difference.

    (may affect the behavior of programs which start as root and then change effective user id to a non-privileged user)





    ------------------------------
    Vladimir Kolobrodov
    ------------------------------



  • 18.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 01:48 PM

    Vladimir:

    OK, this is really weird. The value was indeed set to 2. I set it to 1 and bounced the engine and the PAM authentication started working as expected. Then I set it back to 2, bounced the engine again, and everything still works. I completely rebooted the system, verified that the value was still 2, and it still works. Is there perhaps some one-time operation it was choking on that, once it got one success, never choked on again?

    This is fascinating and thoroughly confusing.

    Now I have to try it all again on another host.



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 19.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted Fri January 29, 2021 02:34 PM
    Yes, weird. Your experience seems to suggest the process continuing to use a library locked in memory rather than kernel paranoid settings, but I'll be very interested in your findings about the real cause of this issue.

    ------------------------------
    Vladimir Kolobrodov
    ------------------------------



  • 20.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 03:37 PM
    OK, I need to correct myself on some stuff that I wrote above. Apparently I had some bad ordering (or bad recollections) on my prior tests. I've just tested this in great detail.

    First, perf_event_paranoid was a red herring. It has nothing to do with the issue.

    What I've found is that after the winbind update from 4.10.4 to 4.10.16, PAM/winbind authentications will fail with the dlopen error until the engine is restarted. But once the engine is restarted, PAM/winbind authentications will work again. I've verified this behavior through multiple tests on 12.10.FC12, 12.10.FC14XF and 14.10.FC5.

    But here's what's super interesting to me: We have a few instances that are running 12.10.FC14XO, and on that patch version, no engine restart is necessary. So whatever fixes went into XO (which was built on top of XF) seem to have fixed this issue. And they seem NOT to have made it into the 14.10 source tree.

    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 21.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted Fri January 29, 2021 03:46 PM

    I guess the important thing is - PAM works for you now.

    :-)

    > whatever fixes went into [12.10.FC14] XO (which was built on top of XF) seem to have fixed this issue

    Support probably knows what it was. I'll make a note to myself to follow up at some time.

    Thanks for the tip!



    ------------------------------
    Vladimir Kolobrodov
    ------------------------------



  • 22.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    IBM Champion
    Posted Fri January 29, 2021 04:00 PM
    I at least have a workaround. The main problem is that I have a couple of instances that I can't easily restart. So it looks like I'll have to schedule some maintenance windows. :(

    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 23.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted Fri January 29, 2021 04:07 PM
    Now that the main suspect seems to have been identified - you can check (lsof) if the library (libreplace-samba4.so) is opened by some process before running update, if not - you may not need to restart Informix, only ensure that connections using PAM/AD authentication are not happening during update.

    ------------------------------
    Vladimir Kolobrodov
    ------------------------------
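The check suggested in the last post (which processes have libreplace-samba4.so open around an update), as an added example that is not part of the thread: it reads `/proc/<pid>/maps` instead of calling lsof and flags mappings of a copy that has since been replaced on disk. The function names, the `--scan` switch and the sample maps text (including the `/opt/informix/bin/oninit` path) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes that still map an unlinked (replaced) copy of
# a shared library. Input text is in /proc/<pid>/maps format.

LIB=/usr/lib64/samba/libreplace-samba4.so   # library path from the thread

# classify_maps LIB < maps-text   ->   prints stale | current | absent
classify_maps() {
    awk -v lib="$1" '
        # Column 6 is the mapped pathname. The kernel appends " (deleted)"
        # once that inode has been unlinked, which is what happens to the old
        # copy of a library when a package update replaces the file.
        $6 == lib {
            if ($NF == "(deleted)") stale = 1
            else live = 1
        }
        END {
            if (stale)     print "stale"
            else if (live) print "current"
            else           print "absent"
        }'
}

# scan_procs LIB -> one line per process that maps LIB: pid, state, command.
# Reading other users' maps files needs root; unreadable ones are skipped.
scan_procs() {
    lib=$1
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        state=$(classify_maps "$lib" 2>/dev/null < "$maps") || continue
        [ "$state" = absent ] && continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        printf '%s\t%s\t%s\n' "$pid" "$state" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
    return 0
}

# Constructed sample: a long-running process after the package update, still
# holding the pre-update inode.
sample_maps_before_restart() {
cat <<'EOF'
00400000-0f2c1000 r-xp 00000000 fd:00 1837215   /opt/informix/bin/oninit
7fe7b22da000-7fe7b22dc000 r-xp 00000000 fd:00 2621991   /usr/lib64/samba/libreplace-samba4.so (deleted)
7fe7b24dd000-7fe7b24e8000 r-xp 00000000 fd:00 2622310   /usr/lib64/libwbclient.so.0
EOF
}

# Constructed sample: the same process after a restart, mapping the new file.
sample_maps_after_restart() {
cat <<'EOF'
00400000-0f2c1000 r-xp 00000000 fd:00 1837215   /opt/informix/bin/oninit
7f1c3a2da000-7f1c3a2dc000 r-xp 00000000 fd:00 2625507   /usr/lib64/samba/libreplace-samba4.so
EOF
}

# Constructed sample: a process that never loaded the library.
sample_maps_unrelated() {
cat <<'EOF'
00400000-0f2c1000 r-xp 00000000 fd:00 1837215   /opt/informix/bin/oninit
7f1c3a4dd000-7f1c3a69f000 r-xp 00000000 fd:00 2621702   /usr/lib64/libc-2.17.so
EOF
}

if [ "${1:-}" = "--scan" ]; then
    scan_procs "${2:-$LIB}"          # live system scan
else
    printf 'before restart: %s\n' "$(sample_maps_before_restart | classify_maps "$LIB")"
    printf 'after restart:  %s\n' "$(sample_maps_after_restart | classify_maps "$LIB")"
fi
```

Run as root with `--scan` before and after a Samba update: no rows before the update means no process has the library loaded, and a `stale` row afterwards identifies a process still holding the pre-update copy.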