Bug ID 1025513: PAM Authenticator can cause authorization failure if it fails to lock /var/log/tallylog

Last Modified: Nov 22, 2021

Affected Product:
BIG-IP TMOS(all modules)

Known Affected Versions:
14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 16.1.0, 16.1.1, 16.1.2

Opened: Jun 15, 2021
Severity: 3-Major

Symptoms

The following JSON content can be seen in the HTTP 401 response (in a packet capture or in a RESTful client):

{"code":401,"message":"Authorization failed: no user authentication header or token detected. Uri:http://localhost:8100/mgmt/tm/ltm/pool/?expandSubcollections=true Referrer:<ip_address> Sender:<ip_address>,"referer":<ip_address>,"restOperationId":12338804,"kind":":resterrorresponse"}

Contention for the /var/log/tallylog lock might result in users failing to authenticate correctly. As a result of this issue, you might see the following message:

PAM Couldn't lock /var/log/pam/tallylog : Resource temporarily unavailable.

Impact

This intermittent authentication issue results in the failure of some authentication requests.

Conditions

A high rate of concurrent authentication attempts may trigger this issue. For example: opening a connection, using basic authentication, performing a query (for example, get node list, get virtual address list, and set pool min active members), and then closing the connection. If this is done frequently enough, there is an occasional authentication failure.

Workaround

Since this is an intermittent authentication failure, wait a few seconds and then rerun the authentication request. For automation tools, please use token-based authentication.
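
The workaround above as an added example (not from the original page or from F5): a Python client that authenticates through PAM once at the iControl REST token endpoint, reruns a 401 on login a bounded number of times with a short wait, and reuses the token for later queries. The send hook, FakeBigIP, the token value and the credentials are constructed for illustration.

```python
import time
LOGIN_PATH = "/mgmt/shared/authn/login"  # iControl REST token endpoint

class TokenClient:
    """Logs in through PAM once, then reuses the token for every query."""
    def __init__(self, send, user, password, retries=3, delay=2.0, sleep=time.sleep):
        # send(method, path, headers, body) -> (status, dict) is a hypothetical
        # transport hook; a real one would wrap a TLS-verified HTTPS session.
        self.send, self.user, self.password = send, user, password
        self.retries, self.delay, self.sleep = retries, delay, sleep
        self.token = None

    def login(self):
        body = {"username": self.user, "password": self.password,
                "loginProviderName": "tmos"}
        # Bounded retries: a genuinely wrong password must not keep hitting PAM.
        for attempt in range(1, self.retries + 1):
            status, data = self.send("POST", LOGIN_PATH, {}, body)
            if status == 200:
                self.token = data["token"]["token"]
                return
            if status != 401 or attempt == self.retries:
                raise RuntimeError(f"login failed with HTTP {status}")
            self.sleep(self.delay * attempt)  # wait a few seconds, then rerun

    def get(self, path):
        if self.token is None:
            self.login()
        return self.send("GET", path, {"X-F5-Auth-Token": self.token}, None)

class FakeBigIP:
    """Constructed stand-in: counts PAM logins and fails the first one."""
    def __init__(self):
        self.pam_calls = 0

    def send(self, method, path, headers, body):
        if path == LOGIN_PATH:
            self.pam_calls += 1
            if self.pam_calls == 1:  # simulated tallylog lock contention
                return 401, {"code": 401}
            return 200, {"token": {"token": "CONSTRUCTED-TOKEN"}}
        ok = headers.get("X-F5-Auth-Token") == "CONSTRUCTED-TOKEN"
        return (200, {"items": []}) if ok else (401, {"code": 401})

def demo(queries=5):
    device = FakeBigIP()
    client = TokenClient(device.send, "admin", "constructed-password", sleep=lambda s: None)
    statuses = [client.get("/mgmt/tm/ltm/pool")[0] for _ in range(queries)]
    return device.pam_calls, statuses
```

Against the constructed device, five queries cost two PAM authentications (one simulated lock failure plus one successful login), where basic authentication on every connection would invoke PAM for each query.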

Fix Information

None

Behavior Change