Hi, Fabrizio! I wrote that *if* it's a concurrency related issue, it's only fixed in 10.4, not in 10.3.16. Or it could be a new bug that we haven't seen before. You can try the pam plugin from 10.4. If it won't help - please report a bug at jira.mariadb.org, but be prepared that we might ask some questions there when trying to repeat the problem. On Jun 25, Fabrizio Gerardi wrote:
Hi,
I confirm that release 10.3.16 did not fix this issue. I do have multiple concurrent users accessing MariaDB but I have 10 to 20 users in total (a fraction of which concurrent). This thing is driving me crazy... I would even consider a downgrade to 10.2.X if I was sure to fix the issue but the problem does not seem to have been recognized at all.
I am also sure this issue is not related to active directory integration as the sssd logs clearly confirm the authentication process succeeded. In MariaDB logs I find a line like this: "[Warning] Access denied for user 'user@'server_hostname' (using password: NO)"
Any ideas?
On 17/06/19 14:13, Sergei Golubchik wrote:
Hi, Fabrizio!
On Jun 17, Fabrizio Gerardi wrote:
Hi everyone,
I have problems with mariadb 10.3.15 in a centos 7 environment.
I configured mariadb to authenticate users via pam module while the system is a member of an active directory domain.
Everything works fine except that authentication process stops working after few hours.
Please note that only users authenticated via pam are facing this issue. Local users keep authenticating...
The moment I restart mariadb service everything works fine again.
Would you please confirm whether this issue is somewhat related with others I read will be fixed in next release (10.3.16) or not? No, it doesn't look like something that 10.3.16 would fix. There are no pam-related fixes in 10.3.16.
Do you have multiple concurrent users accessing MariaDB?
While I've never heard of the authentication process just stopping working or anything related to the active directory pam modules, we did have a case when MariaDB was crashing in some pam module that used hardware tokens. It turned out that that particular pam module was not multi-thread safe. Again, while I haven't heard anything like that for active directory pam module or of that effect (authentication stopping working), it's possible to be caused by the same thing.
in 10.4 we've reworked PAM plugin to not rely on the multi-thread safety of OS pam modules.
Regards, Sergei Chief Architect MariaDB and security@mariadb.org