
I have IBM Informix SE DBMS running on 64-bit RedHat 8.7 Linux. This is a 32-bit product.

It works well for a locally defined user such as Username billd with UID 505. For example, they can run `dbaccess stores7 sel_order` and get the correct results from the IBM Informix demo database supplied with the product.

The system also has sssd running integrated with a Microsoft Active Directory (AD) service. This means that people can also log in using their Windows username and credentials. This produces usernames like willaim.donaldson@researchgroup.example.com with UIDs like 507735929.

When these AD users run `dbaccess stores7 sel_order` they get Informix error

25590 - "authentication error".

The help for this error is

This error indicates that an invalid user ID or password was used to
connect to the database server. Redefine a valid user ID and password.

A quick `strings` check showed that dbaccess contains `getpwuid` and `getpwnam`.

I suspect there might be an issue either with one or more of

  • The size of the UID expected by getpwuid() - 505 fits in an int16, 507735929 needs an int32?
  • The length of the user-name (e.g. 32 characters instead of 10 or less)
  • The absence of an entry in /etc/passwd
  • A missing 32-bit library that makes sssd work with 32-bit applications
  • Something else

Can anyone suggest what might be the cause, whether it is unsolvable or what a fix might be?


Update

I compiled 32-bit (gcc -m32) and 64-bit versions of the 25-line whoami.c code from https://stackoverflow.com/q/8953424/477035

With a local user, both 64-bit and 32-bit versions work

With an AD user, the 64-bit program works but the 32-bit program gets an empty result from getpwuid(uid) where uid is from geteuid().

So I suspect this may be the root of the problem - have I missed something and is there anything else I can try?

RedGrittyBrick
  • The default sssd option in sssd.conf is to truncate the username at the `@` character so the usernames should be much shorter. I don't see any good method that would reduce the range of either usernames or uid's without introducing collisions. Perhaps having additional fields added to the AD entries that fit your requirements and are guaranteed to be unique in the domain? Or a regex for the username that converts your example to `donaldsonw`? – doneal24 May 05 '23 at 15:58
  • FYI, Red Hat has no problems with long user names (256 character limit) or 32-bit uids. `getpwuid` and `getpwnam` will work up to these limits and 32-bit applications can also work here. I expect that your specific product truncates either the username or the password and no changes to the system will fix that. – doneal24 May 05 '23 at 16:06
  • The Informix SE product that you're using is probably more than 15 years old. It is unlikely to be able to cope with all the changes made to authentication systems since it was released. It is likely that it still has an 8-character limit on user names; at best, it will have a 32-character limit, but I don't think that the 'long ID' changes were made to Informix SE. It would have been ported to a much older version of Linux than RHEL 8.7 — likely RHEL 4 or possibly earlier. – Jonathan Leffler May 05 '23 at 17:25

0 Answers
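
An added diagnostic, not part of the original post or its comments, for separating the hypotheses listed in the question: it prints the width of `uid_t` in the current build and calls `getpwuid_r()`, which lets an unknown UID be told apart from a failed lookup. Build it once with `gcc -m32` and once without, then run both as the same AD user; `lookup_uid` and `pw_status` are illustrative names.

```c
#define _POSIX_C_SOURCE 200809L   /* getpwuid_r, _SC_GETPW_R_SIZE_MAX */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not from the post; all names below are illustrative. */
enum pw_status { PW_FOUND, PW_NO_ENTRY, PW_ERROR };

/* Resolve uid through NSS. PW_FOUND: name[] holds the login name.
 * PW_NO_ENTRY: no configured source knows the UID.
 * PW_ERROR: *err holds the errno value returned by getpwuid_r(). */
enum pw_status lookup_uid(uid_t uid, char *name, size_t name_sz, int *err)
{
    struct passwd pw, *res = NULL;
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;
    char *buf = malloc(len);
    enum pw_status st = PW_FOUND;
    int rc;
    *err = 0;
    if (!buf) { *err = ENOMEM; return PW_ERROR; }
    /* ERANGE only means the scratch buffer was too small: grow and retry. */
    while ((rc = getpwuid_r(uid, &pw, buf, len, &res)) == ERANGE) {
        char *nb = realloc(buf, len *= 2);
        if (!nb) { free(buf); *err = ENOMEM; return PW_ERROR; }
        buf = nb;
    }
    if (rc != 0) { st = PW_ERROR; *err = rc; }
    else if (res == NULL) st = PW_NO_ENTRY;
    else snprintf(name, name_sz, "%s", pw.pw_name);
    free(buf);
    return st;
}

int main(void)
{
    char name[512];
    int err;
    uid_t uid = geteuid();
    enum pw_status st = lookup_uid(uid, name, sizeof name, &err);
    printf("%zu-bit build, sizeof(uid_t)=%zu, euid=%lu\n",
           sizeof(void *) * 8, sizeof(uid_t), (unsigned long)uid);
    if (st == PW_FOUND) printf("found: %s (%zu chars)\n", name, strlen(name));
    else if (st == PW_NO_ENTRY) printf("no passwd entry from any NSS source\n");
    else printf("lookup error: %s\n", strerror(err));
    return st;
}
```

glibc loads each NSS source named in `/etc/nsswitch.conf` as a `libnss_<source>.so.2` shared object of the same word size as the calling process. A `PW_NO_ENTRY` result that appears only in the 32-bit build therefore points at the set of NSS modules available to 32-bit processes rather than at UID width or name length.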