Informix

nested-group-icon.png

DB2

Expand all | Collapse all

Informix + PAM + AD + CentOS Samba Update Issue

  • 1.  Informix + PAM + AD + CentOS Samba Update Issue

    Posted 30 days ago

    OK, kids, here's an esoteric one for you, which I've recently run across. For years now, we've been using PAM authentication to allow our domain users (in our case, MS Active Directory) to access certain databases with their domain credentials, saving us the trouble of separate account and password management. This has generally worked quite well.

    Two somewhat recent updates to the Samba packages caused problems that you might wish to be aware of, one easily fixed, and one for which I do not yet have a resolution.

    First, the easy one: In /etc/security/pam_winbind.conf, there's a parameter called require_membership_of, which allows us to specify a group or groups that are allowed to access. If this is set, anyone not a member of the listed groups is rejected even if they provide proper credentials. We've used this as a filter. With a recent update (sorry, I forget which), this stopped working. After some internet sleuthing, I figured out that they changed the parameter to require a domain prefix, which was previously not required. I also learned that they didn't update the documentation or release notes accordingly although, to my discredit, I hadn't read them anyway. (The update came in as part of a simple "yum update".) So instead of listing "mygroup" we needed to list "mydomain\mygroup"; implementing that simple fix worked.

    Now, the tough one, which is quite recent: Another "yum update" command updated the Samba family of packages from 4.10.4 to 4.10.16. Following this update, Informix PAM/AD authentication stopped working. Authentication to the database would fail, and I'd see this error in /var/log/secure:

    ```
    Dec 18 15:40:30 myhost oninit: PAM unable to dlopen(/usr/lib64/security/pam_winbind.so): /usr/lib64/samba/libreplace-samba4.so: version `SAMBA_4.10.16' not found (required by /usr/lib64/security/pam_winbind.so)
    ```

    What's interesting about this is that the behavior seems to be exclusively limited to Informix. PAM-based shell access is granted for AD users so authorized. And PAM-based access to other databases like MariaDB continues to operate as expected, too. Whatever is going on here seems to be unique to Informix.

    I've replicated this behavior in 12.10.FC14 and 14.10.FC4W1.

    I'm trying to get my hands on the intermediate versions of Samba to see exactly where the problem was introduced. But curious if anyone else is running the CentOS + PAM + Informix + AD combination, and could verify the same problem.

    I'm inclined to open a ticket, but I'm not sure they'll have much to go on.



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 2.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted 30 days ago

    Thanks for the warming Tom!

     

    Also nice to hear that Red Hat will stop supporting CentOS ....

     






  • 3.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted 30 days ago

    That's why CentOS Stream is going to be a thing moving forward.



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 4.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted 30 days ago

    [Technically, I don't think Red Hat *ever* supported CentOS. The whole point of CentOS is that it's the truly open-source equivalent of the decidedly non-open-source RedHat]



    ------------------------------
    TOM GIRSCH
    ------------------------------



  • 5.  RE: Informix + PAM + AD + CentOS Samba Update Issue

    Posted 30 days ago

    So, Fedora is the Red Hat sponsored and supported fully open version of RHEL. CentOS is the community managed and supported completely open version of RHEL, though the Centos Project joined Red Hat in 2014, unlike Fedora, it is still managed by the Centos Committee.

    Changes to the RHEL codebase typically start in Fedora releases then migrate to RHEL releases. CentOS may or may not adopt specific features, enhancements, & other changes.



    ------------------------------
    Art S. Kagel, President and Principal Consultant
    ASK Database Management Corp.
    www.askdbmgt.com
    ------------------------------