Bug #60416

segfaults when using pam_ldap for authentication (scalix13?)

Added by Dirk Ahrnke over 2 years ago. Updated 9 months ago.

Status: Updated
Start date: 05/10/2016
Priority: High
Due date:
Assignee: Danny T
% Done: 10%
Category: Scalix Server
Target version: 13.0
Operation System: Rhel 7
Milestones: Scalix 13.0

Description

Environment: CentOS7.2, scalix-server-12.5.2.14845-1.rhel7.x86_64

steps to reproduce:
- configure OS to use LDAP (e.g. by running authconfig-tui)
- make sure LDAP-connection is valid (e.g. with "getent passwd")
- install required 32-bit libs for pam_ldap

configure pamcheck and/or ual.remote like this:

auth required om_debug
auth required om_om2authid
auth required /lib/security/pam_ldap.so debug user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth
session required om_auth

test with sxpamauth:

# sxpamauth -vvv ahrnke
pam_start_om("pamcheck", "ahrnke")
pam_authenticate()
# echo $?
99
# omshowlog -p 2

SERIOUS ERROR                  Administration(sxpamauth     ) 05.10.16 21:37:35
[OM 10270] Process about to terminate due to error.
Signal (Segmentation Violation) trapped by process 5094
Procedure trace follows:
  -> ul_OpenUL
  -> dr_ACISetDefaultContext
  -> dr_ACIModContextFlags
  <- dr_ACIModContextFlags
  <- dr_ACISetDefaultContext
  <- ul_OpenUL
  -> ul_utGetUserEntryById
  -> dr_ACIModContextFlags
  <- dr_ACIModContextFlags
  -> dr_ACICheckReadPerm
  <- dr_ACICheckReadPerm
  -> dr_ACIModContextFlags
  <- dr_ACIModContextFlags
  <- ul_utGetUserEntryById
  -> ul_CloseUserListIfOpen
  <- ul_CloseUserListIfOpen

SERIOUS ERROR                  Administration(sxpamauth     ) 05.10.16 21:37:35
[OM 10272] BACKTRACE:
/opt/scalix/lib/libom_er.so(er_add_backtrace+0xa1)[0xf7728fb1]
/opt/scalix/lib/libom_er.so(+0x4262)[0xf7729262]
/opt/scalix/lib/libom_er.so(er_DumpProcAndExit+0x1d)[0xf772942d]
[0xf7733400]
/usr/lib/libc.so.6(strchrnul+0x17)[0xf7586397]
/usr/lib/libc.so.6(_IO_vfprintf+0xae)[0xf754975e]
/usr/lib/libc.so.6(vsnprintf+0xb3)[0xf7572ae3]
/opt/scalix/lib/libom_pam.so(pam_vsyslog+0x39)[0xf770c809]
/usr/lib/libpam.so.0(pam_syslog+0x33)[0xf6610d13]
/lib/security/pam_ldap.so(+0xfe1)[0xf6618fe1]
/lib/security/pam_ldap.so(pam_sm_authenticate+0x4c)[0xf661a49c]
/opt/scalix/lib/libom_pam.so(+0x6a07)[0xf7709a07]
/opt/scalix/lib/libom_pam.so(_pam_dispatch+0x1c2)[0xf7709d1e]
/opt/scalix/lib/libom_pam.so(pam_authenticate+0x6f)[0xf770929f]
sxpamauth[0x8048e6b]
sxpamauth[0x8048b95]
/usr/lib/libc.so.6(__libc_start_main+0xf3)[0xf751f943]
sxpamauth[0x8048bfd]

using ual:

[root@scalix tmp]# omlogon -h localhost -u ahrnke

Connected to scalix

Fatal Error: calling ual_recvreply
Error Group: 3  (Network error)
Error Reason: 104
[root@scalix tmp]# echo $?
1
[root@scalix tmp]# omshowlog -p 2

SERIOUS ERROR                  Remote Client (U/I Access    ) 05.10.16 21:40:13
[OM 10270] Process about to terminate due to error.
Signal (Segmentation Violation) trapped by process 5264
Procedure trace follows:
  <- nm_ParseORN
  <- ul_utUnpackUserEnt
  -> ul_CloseUserListIfOpen
  <- ul_CloseUserListIfOpen
  -> ul_OpenUL
  <- ul_OpenUL
  -> ul_utGetUserEntryById
  -> dr_ACIModContextFlags
  <- dr_ACIModContextFlags
  -> dr_ACICheckReadPerm
  <- dr_ACICheckReadPerm
  -> dr_ACIModContextFlags
  <- dr_ACIModContextFlags
  <- ul_utGetUserEntryById
  -> ul_CloseUserListIfOpen
  <- ul_CloseUserListIfOpen
User Name: Dirk Ahrnke / scalix/CN=Ahrnke, Dirk

SERIOUS ERROR                  Remote Client (U/I Access    ) 05.10.16 21:40:13
[OM 10272] BACKTRACE:
/opt/scalix/lib/libom_er.so(er_add_backtrace+0xa1)[0xf772ffb1]
/opt/scalix/lib/libom_er.so(+0x4262)[0xf7730262]
/opt/scalix/lib/libom_er.so(er_DumpProcAndExit+0x1d)[0xf773042d]
[0xf7750400]
/usr/lib/libc.so.6(strchrnul+0x17)[0xf7476397]
/usr/lib/libc.so.6(_IO_vfprintf+0xae)[0xf743975e]
/usr/lib/libc.so.6(vsnprintf+0xb3)[0xf7462ae3]
/opt/scalix/lib/libom_pam.so(pam_vsyslog+0x39)[0xf7099809]
/usr/lib/libpam.so.0(pam_syslog+0x33)[0xf5e01d13]
/lib/security/pam_ldap.so(+0xfe1)[0xf5e09fe1]
/lib/security/pam_ldap.so(pam_sm_authenticate+0x4c)[0xf5e0b49c]
/opt/scalix/lib/libom_pam.so(+0x6a07)[0xf7096a07]
/opt/scalix/lib/libom_pam.so(_pam_dispatch+0x1c2)[0xf7096d1e]
/opt/scalix/lib/libom_pam.so(pam_authenticate+0x6f)[0xf709629f]
/opt/scalix/lib/libom_signon.so(signon_CheckSignon+0xc4)[0xf69f3d2a]
/opt/scalix/lib/libom_signon.so(+0x3876)[0xf69f4876]
/opt/scalix/lib/libom_signon.so(signon_SignOn+0x1e6)[0xf69f4f2d]
/opt/scalix/lib/libom_ual.so(+0xb296f)[0xf767f96f]
/opt/scalix/lib/libom_ual.so(+0xb3c79)[0xf7680c79]
/opt/scalix/lib/libom_ual.so(ual_SignOn+0x8a)[0xf7681c65]
/opt/scalix/lib/libom_ual.so(ual_RecvReply+0x224)[0xf75e296a]
/opt/scalix/lib/libom_ual.so(ual_ProcessCommands+0xe3)[0xf76659c3]
/opt/scalix/bin/ual.remote[0x804e6bb]
/usr/lib/libc.so.6(__libc_start_main+0xf3)[0xf740f943]
User Name: Dirk Ahrnke / scalix/CN=Ahrnke, Dirk
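
A triage helper for the backtraces above, added here as an example (it is not part of the original report and is not Scalix code): it parses the path(symbol+0xoff)[0xaddr] frames and lists which shared objects ran libpam API symbols in the crashing stack. The function names are hypothetical; the sample frames are copied from the sxpamauth backtrace in this report.

```python
import re

# One frame as printed in the [OM 10272] BACKTRACE blocks: path(symbol+0xoff)[0xaddr]
FRAME = re.compile(r'^(?P<obj>[^\s(\[]*)(?:\((?P<sym>[^+)]*)(?:\+0x[0-9a-f]+)?\))?'
                   r'\[0x[0-9a-f]+\]$', re.I)
# libpam API or internal symbol, excluding module entry points (pam_sm_*)
PAM_API = re.compile(r'^_?pam_(?!sm_)')

# Frames copied from the sxpamauth backtrace in this report (innermost first).
SAMPLE = """\
/opt/scalix/lib/libom_er.so(er_DumpProcAndExit+0x1d)[0xf772942d]
[0xf7733400]
/usr/lib/libc.so.6(strchrnul+0x17)[0xf7586397]
/usr/lib/libc.so.6(_IO_vfprintf+0xae)[0xf754975e]
/usr/lib/libc.so.6(vsnprintf+0xb3)[0xf7572ae3]
/opt/scalix/lib/libom_pam.so(pam_vsyslog+0x39)[0xf770c809]
/usr/lib/libpam.so.0(pam_syslog+0x33)[0xf6610d13]
/lib/security/pam_ldap.so(+0xfe1)[0xf6618fe1]
/lib/security/pam_ldap.so(pam_sm_authenticate+0x4c)[0xf661a49c]
/opt/scalix/lib/libom_pam.so(+0x6a07)[0xf7709a07]
/opt/scalix/lib/libom_pam.so(_pam_dispatch+0x1c2)[0xf7709d1e]
/opt/scalix/lib/libom_pam.so(pam_authenticate+0x6f)[0xf770929f]
sxpamauth[0x8048e6b]
"""


def parse_frames(text):
    """Return [(object basename, symbol or None)], innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            obj = m.group('obj').rsplit('/', 1)[-1] or '?'  # '?' = frame with no object name
            frames.append((obj, m.group('sym') or None))
    return frames


def object_chain(frames):
    """Objects in call order (outermost first), consecutive repeats collapsed."""
    chain = []
    for obj, _ in reversed(frames):
        if not chain or chain[-1] != obj:
            chain.append(obj)
    return chain


def pam_api_providers(frames):
    """Objects that ran a libpam API symbol; more than one means two PAM libraries in one stack."""
    return sorted({obj for obj, sym in frames if sym and PAM_API.match(sym)})


if __name__ == '__main__':
    frames = parse_frames(SAMPLE)
    print(' -> '.join(object_chain(frames)))
    print('PAM API providers:', pam_api_providers(frames))
```

On these frames the helper reports both libom_pam.so and libpam.so.0 as PAM API providers, with pam_ldap.so between them. That is an observation about the stack only and does not by itself establish the cause of the crash.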

History

#1 Updated by Dirk Ahrnke over 2 years ago

same behaviour after upgrading to scalix-server-12.6.0.14880-1.rhel7.x86_64

NOTE: the same configuration works on CentOS6 using scalix-server-12.6.0.14871-1.rhel6.x86_64

#2 Updated by Danny T over 2 years ago

One suspicion is that the pam source inside scalix server is too old (no proof yet).
Assuming /lib/security/pam_ldap.so comes from nss-pam-ldapd.i686 (Dirk pls confirm).
On Centos6,
Name : nss-pam-ldapd
Arch : i686
Version : 0.7.5
On Centos7,
nss-pam-ldapd-0.8.13-8.el7.i686 : An nsswitch module which uses directory
: servers
Repo : base
Matched from:
Filename : /usr/lib/security/pam_ldap.so

Meanwhile scalix server source code for pam is 0.73?, whereas current version is,
Available Packages
Name : pam
Arch : i686
Version : 1.1.8

I would need time to recreate the setup to investigate, but the NIC demo is taking all my time!

#3 Updated by Dirk Ahrnke over 2 years ago

Yes, I used /lib/security/pam_ldap.so from package nss-pam-ldapd-0.8.13-8.el7.i686

#4 Updated by Danny T over 2 years ago

Copy and paste from email regarding status and findings:

I had another go at setting up ldap authentication and this time I managed to 'reproduce' the problem.
More details will be logged in RM ticket, but long story short, we have a significant task to fix this.
Basically any OS using similar version of nss-pam-ldap as RHEL7 or later are going to be affected.
I will share more findings as I investigate further, and what choices of fix we have got.

Please clarify the requirements regarding Scalix pam work with rhel7 nss-pam-ldapd (either generally or NIC related).
I am not too familiar with pam but I believe Scalix supplies own om_ldap module (with some restrictions according to Dirk).

So far I have spent more than 2 full days finding a suitable solution for rhel7 nss-pam-ldapd but none is obvious or easy so far, so I don't want to spend even more time on it until you comment on this and the following findings:
-a lower version on nss-pam-ldapd from rhel6, if put on rhel7, does work
-Scalix pam source code came from version 0.67, now pam is version 1.13
-Scalix did change the pam source, and reorganised that way it is built inside
-update of Scalix pam to a later version is not as straightforward as it seems

Chris, so technically using Scalix om_ldap or older nss-pam-ldapd modules on rhel7 is not a realistic solution?

Pascal, I was hoping that my 2 days investigation would tell me exactly what to do, but it seems that there are lots of questions and choices and none is clear cut:
-test build of linux pam on rhel7 hits missing 32bit package problem
-test build of linux pam on rhel6 32bit hits missing function problem
-need to modify linux pam to 'compare & port' scalix code change over
-high risk so also need to keep old pam module for OS that still work with
-pam is notoriously difficult to debug to try and fix old or new pam issue
-guesstimate is it will take anything from 1 week up to several weeks

#5 Updated by Danny T over 2 years ago

  • Status changed from New to Answered

I believe Chris has explained this to Dirk and Pascal, thus no fix planned for 12.6.0

#6 Updated by Pascal Lauria over 2 years ago

The dev call was not clear; please correct me if I understood you right: we deliver our own PAM, and if Quru would have installed our own delivered Pam on Rhel 7 it would work? Or would it work only on Rhel 6.7 or 6.8? And the issue was that they used the delivered PAM of the Rhel OS.

Quru has downgraded their Rhel Os to 6.8 and it is still not working thus I assume this must be due to them using still the Pam delivered by Rhel instead of the Pam delivered by us?

If that is the case L2Support needs to contact Quru and inform how they can fix their PAM issue as they are stuck!

#7 Updated by Danny T over 2 years ago

@Pascal, please name people (as I cannot tell if you are asking me or someone else).

I don't know about RHEL 6.8 but last time I checked with 6.6 nss-pam-ldap worked.
Same about the Scalix om_ldap module, i.e. I have not checked it on rhel 6.8.
It is quite possible that 6.8 updates nss-pam-ldap to the point it stops working.
If this is now a matter for L2Support to deal with, the RM should be reassigned.

#8 Updated by Pascal Lauria over 2 years ago

  • Assignee changed from ServerDevsGroup to L2SupportGroup

Now I understand what the issue is:

NSS pam just happens to supply nss-pam-ldap which people use instead of om-ldap and this is the issue with Quru.

If it works also with nss-pam-ldap is not granted. A lot of these kind of features are out of bound for standard build & test, needs QA or SE to try them out

To Support: please inform and check with Quru if they are using nss-pam with om-ldap?

#9 Updated by Pascal Lauria over 2 years ago

  • Assignee changed from L2SupportGroup to Danny T

As discussed with Dirk he believes this is a bug and should be addressed

#10 Updated by Danny T over 2 years ago

This is a very tricky issue to solve and time consuming so no definite target at the moment.

#11 Updated by Danny T over 2 years ago

  • Status changed from Answered to In Progress

There is a multitude of problems when I try to merge Linux-PAM with scalix-pam due to huge differences in versions (0.73 vs 1.1.1), no real progress despite the time spent.

#12 Updated by Danny T over 2 years ago

There is no chance this can be in 12.6.0, so no point blocking release note.

#13 Updated by Alex I over 2 years ago

  • Target version set to 12.7

moved to 12.7

#14 Updated by Danny T over 2 years ago

  • % Done changed from 0 to 10
  • Status changed from In Progress to Updated

#17 Updated by Danny T 9 months ago

  • Parent task set to #61122
  • Target version changed from 12.7 to 13.0
  • Subject changed from segfaults when using pam_ldap for authentication to segfaults when using pam_ldap for authentication (scalix13?)

Changed target and made it a subtask of SercuIM.
