segfaults when using pam_ldap for authentication (scalix13?)
Assignee: Danny T
Operating System: RHEL 7
Environment: CentOS7.2, scalix-server-220.127.116.1145-1.rhel7.x86_64
steps to reproduce:
- configure OS to use LDAP (e.g. by running authconfig-tui)
- make sure LDAP-connection is valid (e.g. with "getent passwd")
- install required 32-bit libs for pam_ldap
configure pamcheck and/or ual.remote like this:
    auth required om_debug
    auth required om_om2authid
    auth required /lib/security/pam_ldap.so debug user_unknown=ignore
    auth optional om_auth use_first_pass
    account required om_auth
    password required om_auth
    session required om_auth
test with sxpamauth:
    # sxpamauth -vvv ahrnke
    pam_start_om("pamcheck", "ahrnke")
    pam_authenticate()
    # echo $?
    99
    # omshowlog -p 2
    SERIOUS ERROR Administration(sxpamauth ) 05.10.16 21:37:35 [OM 10270]
    Process about to terminate due to error.
    Signal (Segmentation Violation) trapped by process 5094
    Procedure trace follows:
    -> ul_OpenUL
    -> dr_ACISetDefaultContext
    -> dr_ACIModContextFlags
    <- dr_ACIModContextFlags
    <- dr_ACISetDefaultContext
    <- ul_OpenUL
    -> ul_utGetUserEntryById
    -> dr_ACIModContextFlags
    <- dr_ACIModContextFlags
    -> dr_ACICheckReadPerm
    <- dr_ACICheckReadPerm
    -> dr_ACIModContextFlags
    <- dr_ACIModContextFlags
    <- ul_utGetUserEntryById
    -> ul_CloseUserListIfOpen
    <- ul_CloseUserListIfOpen
    SERIOUS ERROR Administration(sxpamauth ) 05.10.16 21:37:35 [OM 10272]
    BACKTRACE:
    /opt/scalix/lib/libom_er.so(er_add_backtrace+0xa1)[0xf7728fb1]
    /opt/scalix/lib/libom_er.so(+0x4262)[0xf7729262]
    /opt/scalix/lib/libom_er.so(er_DumpProcAndExit+0x1d)[0xf772942d]
    [0xf7733400]
    /usr/lib/libc.so.6(strchrnul+0x17)[0xf7586397]
    /usr/lib/libc.so.6(_IO_vfprintf+0xae)[0xf754975e]
    /usr/lib/libc.so.6(vsnprintf+0xb3)[0xf7572ae3]
    /opt/scalix/lib/libom_pam.so(pam_vsyslog+0x39)[0xf770c809]
    /usr/lib/libpam.so.0(pam_syslog+0x33)[0xf6610d13]
    /lib/security/pam_ldap.so(+0xfe1)[0xf6618fe1]
    /lib/security/pam_ldap.so(pam_sm_authenticate+0x4c)[0xf661a49c]
    /opt/scalix/lib/libom_pam.so(+0x6a07)[0xf7709a07]
    /opt/scalix/lib/libom_pam.so(_pam_dispatch+0x1c2)[0xf7709d1e]
    /opt/scalix/lib/libom_pam.so(pam_authenticate+0x6f)[0xf770929f]
    sxpamauth[0x8048e6b]
    sxpamauth[0x8048b95]
    /usr/lib/libc.so.6(__libc_start_main+0xf3)[0xf751f943]
    sxpamauth[0x8048bfd]
    [root@scalix tmp]# omlogon -h localhost -u ahrnke
    Connected to scalix
    Fatal Error: calling ual_recvreply
    Error Group: 3 (Network error)
    Error Reason: 104
    [root@scalix tmp]# echo $?
    1
    [root@scalix tmp]# omshowlog -p 2
    SERIOUS ERROR Remote Client (U/I Access ) 05.10.16 21:40:13 [OM 10270]
    Process about to terminate due to error.
    Signal (Segmentation Violation) trapped by process 5264
    Procedure trace follows:
    <- nm_ParseORN
    <- ul_utUnpackUserEnt
    -> ul_CloseUserListIfOpen
    <- ul_CloseUserListIfOpen
    -> ul_OpenUL
    <- ul_OpenUL
    -> ul_utGetUserEntryById
    -> dr_ACIModContextFlags
    <- dr_ACIModContextFlags
    -> dr_ACICheckReadPerm
    <- dr_ACICheckReadPerm
    -> dr_ACIModContextFlags
    <- dr_ACIModContextFlags
    <- ul_utGetUserEntryById
    -> ul_CloseUserListIfOpen
    <- ul_CloseUserListIfOpen
    User Name: Dirk Ahrnke / scalix/CN=Ahrnke, Dirk
    SERIOUS ERROR Remote Client (U/I Access ) 05.10.16 21:40:13 [OM 10272]
    BACKTRACE:
    /opt/scalix/lib/libom_er.so(er_add_backtrace+0xa1)[0xf772ffb1]
    /opt/scalix/lib/libom_er.so(+0x4262)[0xf7730262]
    /opt/scalix/lib/libom_er.so(er_DumpProcAndExit+0x1d)[0xf773042d]
    [0xf7750400]
    /usr/lib/libc.so.6(strchrnul+0x17)[0xf7476397]
    /usr/lib/libc.so.6(_IO_vfprintf+0xae)[0xf743975e]
    /usr/lib/libc.so.6(vsnprintf+0xb3)[0xf7462ae3]
    /opt/scalix/lib/libom_pam.so(pam_vsyslog+0x39)[0xf7099809]
    /usr/lib/libpam.so.0(pam_syslog+0x33)[0xf5e01d13]
    /lib/security/pam_ldap.so(+0xfe1)[0xf5e09fe1]
    /lib/security/pam_ldap.so(pam_sm_authenticate+0x4c)[0xf5e0b49c]
    /opt/scalix/lib/libom_pam.so(+0x6a07)[0xf7096a07]
    /opt/scalix/lib/libom_pam.so(_pam_dispatch+0x1c2)[0xf7096d1e]
    /opt/scalix/lib/libom_pam.so(pam_authenticate+0x6f)[0xf709629f]
    /opt/scalix/lib/libom_signon.so(signon_CheckSignon+0xc4)[0xf69f3d2a]
    /opt/scalix/lib/libom_signon.so(+0x3876)[0xf69f4876]
    /opt/scalix/lib/libom_signon.so(signon_SignOn+0x1e6)[0xf69f4f2d]
    /opt/scalix/lib/libom_ual.so(+0xb296f)[0xf767f96f]
    /opt/scalix/lib/libom_ual.so(+0xb3c79)[0xf7680c79]
    /opt/scalix/lib/libom_ual.so(ual_SignOn+0x8a)[0xf7681c65]
    /opt/scalix/lib/libom_ual.so(ual_RecvReply+0x224)[0xf75e296a]
    /opt/scalix/lib/libom_ual.so(ual_ProcessCommands+0xe3)[0xf76659c3]
    /opt/scalix/bin/ual.remote[0x804e6bb]
    /usr/lib/libc.so.6(__libc_start_main+0xf3)[0xf740f943]
    User Name: Dirk Ahrnke / scalix/CN=Ahrnke, Dirk
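A triage check for the backtraces above, as an added example (not Scalix code and not part of the original ticket): it parses glibc-style backtrace frames and reports where a call passes from one library that supplies PAM framework symbols to another. The sample frames are copied from the sxpamauth trace; the function names are hypothetical.

```python
import re

# glibc backtrace_symbols() frame: object(symbol+0xoff)[0xaddr]; symbol may be empty.
FRAME = re.compile(r"^(?P<obj>[^\s(\[]+)\((?P<sym>[^+)]*)\+?(?:0x[0-9a-f]+)?\)\[0x[0-9a-f]+\]$")

# Frames copied from the sxpamauth backtrace in this ticket, innermost first.
SAMPLE = """\
/usr/lib/libc.so.6(strchrnul+0x17)[0xf7586397]
/usr/lib/libc.so.6(_IO_vfprintf+0xae)[0xf754975e]
/usr/lib/libc.so.6(vsnprintf+0xb3)[0xf7572ae3]
/opt/scalix/lib/libom_pam.so(pam_vsyslog+0x39)[0xf770c809]
/usr/lib/libpam.so.0(pam_syslog+0x33)[0xf6610d13]
/lib/security/pam_ldap.so(+0xfe1)[0xf6618fe1]
/lib/security/pam_ldap.so(pam_sm_authenticate+0x4c)[0xf661a49c]
/opt/scalix/lib/libom_pam.so(+0x6a07)[0xf7709a07]
/opt/scalix/lib/libom_pam.so(_pam_dispatch+0x1c2)[0xf7709d1e]
/opt/scalix/lib/libom_pam.so(pam_authenticate+0x6f)[0xf770929f]
"""

def parse_frames(text):
    """Return (object, symbol) per frame; symbol is None when the frame has no name."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append((m["obj"], m["sym"] or None))
    return frames

def pam_providers(frames):
    """Map each object that supplied a PAM framework symbol to the symbols seen."""
    providers = {}
    for obj, sym in frames:
        # pam_sm_* are module entry points, not the framework API, so skip them.
        if sym and re.match(r"_?pam_", sym) and not sym.startswith("pam_sm_"):
            providers.setdefault(obj, []).append(sym)
    return providers

def cross_library_calls(frames):
    """Adjacent frames where a call passes from one PAM framework library to another."""
    libs = pam_providers(frames)
    hits = []
    for (callee_obj, callee), (caller_obj, caller) in zip(frames, frames[1:]):
        if callee_obj in libs and caller_obj in libs and callee_obj != caller_obj:
            hits.append((f"{caller_obj}:{caller}", f"{callee_obj}:{callee}"))
    return hits

if __name__ == "__main__":
    for caller, callee in cross_library_calls(parse_frames(SAMPLE)):
        print(f"mixed PAM stack: {caller} -> {callee}")
```

On this trace it reports `pam_syslog` in `/usr/lib/libpam.so.0` calling `pam_vsyslog` in `/opt/scalix/lib/libom_pam.so`, the last PAM frame before the fault inside `vsnprintf`.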
#2 Updated by Danny T almost 3 years ago
One suspicion is that the pam source inside scalix server is too old (no proof yet).
Assuming /lib/security/pam_ldap.so comes from nss-pam-ldapd.i686 (Dirk pls confirm).
Name : nss-pam-ldapd
Arch : i686
Version : 0.7.5
nss-pam-ldapd-0.8.13-8.el7.i686 : An nsswitch module which uses directory
Repo : base
Filename : /usr/lib/security/pam_ldap.so
Meanwhile scalix server source code for pam is 0.73?, whereas the current version is:
Name : pam
Arch : i686
Version : 1.1.8
I would need time to recreate the setup to investigate, but the NIC demo is taking all my time!
#4 Updated by Danny T almost 3 years ago
Copy and paste from email regarding status and findings:
I had another go at setting up ldap authentication and this time I managed to 'reproduce' the problem.
More details will be logged in RM ticket, but long story short, we have a significant task to fix this.
Basically any OS using a similar version of nss-pam-ldap as RHEL7 or later is going to be affected.
I will share more findings as I investigate further, and what choices of fix we have got.
Please clarify the requirements regarding Scalix pam work with rhel7 nss-pam-ldapd (either generally or NIC related).
I am not too familiar with pam but I believe Scalix supplies own om_ldap module (with some restrictions according to Dirk).
So far I have spent more than 2 full days finding a suitable solution for rhel7 nss-pam-ldapd but none is obvious or easy so far, so I don't want to spend even more time on it until you comment on this and the following findings:
- a lower version of nss-pam-ldapd from rhel6, if put on rhel7, does work
- Scalix pam source code came from version 0.67, now pam is version 1.13
- Scalix did change the pam source, and reorganised the way it is built inside
- update of Scalix pam to a later version is not as straightforward as it seems
Chris, so technically using Scalix om_ldap or older nss-pam-ldapd modules on rhel7 is not a realistic solution?
Pascal, I was hoping that my 2 days investigation would tell me exactly what to do, but it seems that there are lots of questions and choices and none is clear cut:
- test build of linux pam on rhel7 hits missing 32bit package problem
- test build of linux pam on rhel6 32bit hits missing function problem
- need to modify linux pam to 'compare & port' scalix code change over
- high risk so also need to keep old pam module for OS that still work with
- pam is notoriously difficult to debug to try and fix old or new pam issue
- guesstimate is it will take anything from 1 week up to several weeks
#6 Updated by Pascal Lauria almost 3 years ago
The dev call was not clear; please correct me if I understood you right: we deliver our own PAM, and if Quru would have installed our own delivered PAM on RHEL 7 it would work? Or would it work only on RHEL 6.7 or 6.8? And the issue was that they used the delivered PAM of the RHEL OS.
Quru has downgraded their RHEL OS to 6.8 and it is still not working, thus I assume this must be due to them still using the PAM delivered by RHEL instead of the PAM delivered by us?
If that is the case L2Support needs to contact Quru and inform how they can fix their PAM issue as they are stuck!
#7 Updated by Danny T almost 3 years ago
@Pascal, please name people (as I cannot tell if you are asking me or someone else).
I don't know about RHEL 6.8 but last time I checked with 6.6 nss-pam-ldap worked.
Same about the Scalix om_ldap module, i.e. I have not checked it on rhel 6.8.
It is quite possible that 6.8 updates nss-pam-ldap to the point it stops working.
If this is now a matter for L2Support to deal with, the RM should be reassigned.
#8 Updated by Pascal Lauria almost 3 years ago
- Assignee changed from ServerDevsGroup to L2SupportGroup
Now I understand what the issue is:
NSS pam just happens to supply nss-pam-ldap which people use instead of om-ldap and this is the issue with Quru.
If it works also with nss-pam-ldap is not granted. A lot of these kinds of features are out of bounds for standard build & test; they need QA or SE to try them out.
To Support: please inform and check with Quru if they are using nss-pam with om-ldap?