OK, kids, here's an esoteric one for you, which I've recently run across. For years now, we've been using PAM authentication to allow our domain users (in our case, MS Active Directory) to access certain databases with their domain credentials, saving us the trouble of separate account and password management. This has generally worked quite well.
Two somewhat recent updates to the Samba packages caused problems that you might wish to be aware of, one easily fixed, and one for which I do not yet have a resolution.
First, the easy one: In /etc/security/pam_winbind.conf, there's a parameter called require_membership_of, which allows us to specify a group or groups that are allowed to access. If this is set, anyone not a member of the listed groups is rejected even if they provide proper credentials. We've used this as a filter. With a recent update (sorry, I forget which), this stopped working. After some internet sleuthing, I figured out that they changed the parameter to require a domain prefix, which was previously not required. I also learned that they didn't update the documentation or release notes accordingly although, to my discredit, I hadn't read them anyway. (The update came in as part of a simple "yum update".) So instead of listing "mygroup" we needed to list "mydomain\mygroup"; implementing that simple fix worked.
Now, the tough one, which is quite recent: Another "yum update" command updated the Samba family of packages from 4.10.4 to 4.10.16. Following this update, Informix PAM/AD authentication stopped working. Authentication to the database would fail, and I'd see this error in /var/log/secure:
```
Dec 18 15:40:30 myhost oninit: PAM unable to dlopen(/usr/lib64/security/pam_winbind.so): /usr/lib64/samba/libreplace-samba4.so: version `SAMBA_4.10.16' not found (required by /usr/lib64/security/pam_winbind.so)
```
What's interesting about this is that the behavior seems to be exclusively limited to Informix. PAM-based shell access is granted for AD users so authorized. And PAM-based access to other databases like MariaDB continues to operate as expected, too. Whatever is going on here seems to be unique to Informix.
I've replicated this behavior in 12.10.FC14 and 14.10.FC4W1.
I'm trying to get my hands on the intermediate versions of Samba to see exactly where the problem was introduced. But curious if anyone else is running the CentOS + PAM + Informix + AD combination, and could verify the same problem.
I'm inclined to open a ticket, but I'm not sure they'll have much to go on.
------------------------------
TOM GIRSCH
------------------------------
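The `require_membership_of` change described in the post can be checked for before an update is rolled out. The following is an added example, not part of the original post: a shell function (`audit_membership` is a hypothetical name) that lists entries with no domain prefix. It assumes the default winbind separator `\`, treats SIDs as valid without a prefix, and uses a constructed sample file with placeholder names.

```shell
#!/bin/sh
# Added example (not from the original post): find require_membership_of
# entries that lack a DOMAIN\ prefix. Assumes the default winbind
# separator "\"; SIDs (S-1-...) need no prefix and are accepted as-is.

# audit_membership FILE: print each unqualified entry, return 1 if any.
audit_membership() {
    awk '
        /^[ \t]*[;#]/ { next }                      # comment line
        /^[ \t]*require_membership_of[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")                # keep only the value
            n = split($0, items, ",")               # comma-separated list
            for (i = 1; i <= n; i++) {
                e = items[i]
                gsub(/^[ \t]+|[ \t]+$/, "", e)      # trim whitespace
                if (e == "") continue
                if (e ~ /^S-1-[0-9-]+$/) continue   # SID
                if (index(e, "\\") > 1) continue    # DOMAIN\name
                printf "%s:%d: no domain prefix: %s\n", FILENAME, FNR, e
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample config; group and domain names are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
; require_membership_of = oldgroup
require_membership_of = mygroup, MYDOMAIN\mygroup, S-1-5-21-1111-2222-3333-513
EOF

if audit_membership "$sample"; then
    echo "all entries are domain-qualified or SIDs"
else
    printf '%s\n' 'fix the entries listed above, e.g. mygroup -> MYDOMAIN\mygroup'
fi
rm -f "$sample"
```

On a real host, point the function at `/etc/security/pam_winbind.conf`; a non-zero return means at least one entry would be rejected under the stricter parsing the post describes.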