Hi, mj!

On Sep 25, mj wrote:
> Hi,
>
> So, much progression, by using the pam debug flags:
>
> > auth required pam_winbind.so debug
> > account required pam_winbind.so debug
> > auth required pam_user_map.so debug
>
> revealing this in /var/log/debug:
>
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000001)
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Verify user 'ADuser1'
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): request wbcLogonUser succeeded
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): user 'ADuser1' granted access
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Returned user was 'ADuser1'
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
> > Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Opening file '/etc/security/user_map.conf'.
> > Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Incoming username 'ADuser1'.
> > Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User belongs to 3 groups [group1,group2,group3].
> > Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): Check if user is in group 'group1': YES
> > Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User mapped as 'root'
> > Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
> > Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
> > Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): user 'root' not found
> > Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)
Thanks, that was very helpful!

> So the problem is: I am mapping the login to user "root", which doesn't
> exist in AD.
>
> When mapping to an existing AD user, things started to work.
>
> Now the remaining 1.000.000$ question, if I may:
>
> The aim is to map AD users 'into' a local mariadb user. This does not
> work, as pam tries to find both the login user and the target mapped
> user. (see logs above)
>
> What (probably pam?) config is required to handle the case where we
> logon to mysql using AD usernames/passwords, and map/proxy those into a
> local mysql username..? Anyone?

pam_user_map renames the user in the pam module chain, that is, all
following pam modules will see the new name. And because 'account'
modules are invoked after 'auth', pam_winbind will see the new name.

Do you really have to use the

  account required pam_winbind.so

line? I didn't try it myself, but I'd think that using

  account required pam_permit.so

would help. That's what we're using to test the MariaDB pam plugin in
the mysql-test framework.

Regards,
Sergei
Chief Architect MariaDB
and [email protected]

_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp
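The two PAM stacks discussed in the thread, side by side, as an added example that is not part of either message above. The file name /etc/pam.d/mysql is assumed (the MariaDB pam plugin looks up whatever service name the SQL user was created with); the user_map.conf path comes from the log, and the `@group1: root` rule is inferred from the "Check if user is in group 'group1': YES / User mapped as 'root'" lines, not copied from mj's configuration.

```conf
# /etc/pam.d/mysql   (assumed file name; must match the PAM service the
# MariaDB pam plugin is configured to use)
#
# Stack as posted in the thread. PAM evaluates the auth lines first:
# pam_winbind verifies the AD password for ADuser1, pam_user_map then
# renames the user to 'root'. The account stage runs afterwards and sees
# only the new name, so pam_winbind asks the domain for 'root', gets
# WBC_ERR_DOMAIN_NOT_FOUND, and fails with PAM_USER_UNKNOWN:
#
#   auth     required  pam_winbind.so   debug
#   auth     required  pam_user_map.so  debug
#   account  required  pam_winbind.so   debug

# Stack following Sergei's suggestion: the AD password is still checked by
# pam_winbind in the auth stage and pam_user_map still renames the user,
# but the account stage no longer asks winbind about the mapped name.
auth     required  pam_winbind.so
auth     required  pam_user_map.so
account  required  pam_permit.so

# /etc/security/user_map.conf  (path as logged by pam_user_map above)
# Lines are 'login: mysql_user' for a single login or '@group: mysql_user'
# for every member of a group; the first matching rule wins.
# The rule that produced "User mapped as 'root'" in the log would be:
#
#   @group1: root
#
# A less privileged target than 'root', e.g. a dedicated local account
# holding only the grants that group needs:
@group1: ad_group1_reader
```

pam_permit.so always returns success, so with this stack the account phase performs no checks at all: the password verification in the auth phase is the only gate, and whatever account-level checks pam_winbind would have applied to the AD user are gone. Keep that in mind when choosing the mapped target; mapping a whole AD group onto 'root' hands every member of that group the database superuser, while a dedicated local account with a narrow grant set limits what a compromised AD credential can do.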

