Thanks, I used /etc/pam.d/mysql to add a pam_exec.so line as well to try to output the environment variables.

# cat /etc/pam.d/mysql
auth optional pam_exec.so log=/t/pam_output.txt /t/pam_log_script.sh
auth required pam_sss.so
account optional pam_exec.so log=/t/pam_output.txt /t/pam_log_script.sh
account required pam_sss.so

cat /t/pam_log_script.sh
#!/bin/bash
echo `env`

# cat /t/pam_output.txt
*** Mon Aug 2 16:08:15 2021
PAM_TYPE=auth PAM_USER=adadmin PWD=/var/lib/mysql SHLVL=1 PAM_SERVICE=mysql _=/usr/bin/env
*** Mon Aug 2 16:08:15 2021
PAM_TYPE=account PAM_USER=adadmin PWD=/var/lib/mysql KRB5CCNAME=FILE:/tmp/krb5cc_1767884463_WAaH4K SHLVL=1 PAM_SERVICE=mysql _=/usr/bin/env

Also, I turned on rsyslogd and I see the following in /var/log/secure:

Aug 2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=adadmin
Aug 2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:account): Access denied for user adadmin: 6 (Permission denied)

On Mon, Aug 2, 2021 at 3:49 PM Honza Horak <[email protected]> wrote:

> Sharing with folks maintaining the RPMs on the RHEL side, Michal and
> Lukas, whether it looks familiar by any chance. You're right that the pam
> module should work fine with 10.5, the BZ you referenced was only related
> to 10.3. The theory that it might be something wrong with the sssd rather
> than mariadb-pam looks probable to me, but I'm not an expert on that front.
>
> Honza
>
> On Mon, Aug 2, 2021 at 10:07 PM Michael Barkdoll <[email protected]>
> wrote:
>
>> Sorry, I wasn't replying to the listserv initially. Complete list of
>> packages available here:
>> https://pastebin.com/raw/Ux8sac73
>>
>> Operating System is Rocky linux 8.4 should be 100% binary compatible with
>> Redhat 8.4.
>> I used mariadb AppStream 10.5 for the install with maria-pam 10.5.9 as
>> well. I will confirm the same on Redhat 8.4.
>>
>> Update:
>> I was able to get local users working by renaming the /etc/pam.d/mariadb
>> to /etc/pam/d/mysql contents:
>> auth required pam_unix.so audit
>> account required pam_unix.so audit
>>
>> However, I still can't get AD user accounts to work even with the
>> pam_sss.so -- I was able to confirm pam is working changing
>> /etc/pam.d/mysql to:
>> auth required pam_permit.so audit
>> account required pam_permit.so audit
>>
>> But, then no authentication is taking place. I think the issue must be
>> with sssd's pam_sss.so.
>>
>> I tried increasing the verbosity of the sssd logs.
>> https://pastebin.com/raw/FsJv4DYR
>> https://pastebin.com/raw/2TKhYygT
>>
>> Not sure if there is anything useful in there.
>>
>> On Mon, Aug 2, 2021 at 12:31 PM Honza Horak <[email protected]> wrote:
>>
>>> Michael, can you share, please, which operating system and builds
>>> (upstream packages or those from the distribution) do you use?
>>>
>>> Thanks,
>>> Honza
>>>
>>> On Mon, Aug 2, 2021 at 5:35 PM Michael Barkdoll <[email protected]>
>>> wrote:
>>>
>>>> Hi, I'm having issues getting the pam plugin to work with Rocky Linux 8
>>>> (RHEL 8) with AppStream MariaDB 10.5. I've installed mariadb appstream for
>>>> 10.5 and mariadb-pam packages.
>>>>
>>>> Added the following to /etc/my.cnf.d:
>>>> [mariadb]
>>>> plugin_load_add = auth_pam
>>>>
>>>> My sssd is joined to Active Directory. I've created /etc/pam.d/mariadb
>>>> trying both local pam_unix and pam_sss configurations:
>>>> # /etc/pam.d/mariadb for local accounts
>>>> auth required pam_unix.so audit
>>>> account required pam_unix.so audit
>>>>
>>>> # /etc/pam.d/mariadb for sssd active directory accounts
>>>> auth required pam_sss.so
>>>> account required pam_sss.so
>>>>
>>>> Tried creating local accounts with:
>>>> #CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>>> #GRANT SELECT ON db.* TO 'user'@'%' IDENTIFIED VIA pam;
>>>> #CREATE USER 'user2'@'%' IDENTIFIED VIA pam;
>>>> #GRANT SELECT ON db.* TO 'user2'@'%' IDENTIFIED VIA pam;
>>>>
>>>> I've also tried creating AD accounts:
>>>> #CREATE USER 'aduser'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>>> #GRANT SELECT ON db.* TO 'aduser'@'%' IDENTIFIED VIA pam;
>>>> #CREATE USER '[email protected]'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>>> #GRANT SELECT ON db.* TO '[email protected]'@'%' IDENTIFIED VIA pam;
>>>>
>>>> I see Redhat has issues with MariaDB 10.3 working with pam plugin but
>>>> it sounded like 10.5 should work?
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1942330
>>>>
>>>> I feel like I'm missing something in my /etc/sssd/sssd.conf file or
>>>> some pam configuration steps.
>>>>
>>>> I'm using authselect with sssd:
>>>> authselect select custom/user-profile with-mkhomedir with-sudo with-pamaccess
>>>>
>>>> All attempts to `mysql -u user -p` fail.
>>>>
>>>> MariaDB [(none)]> show plugins;
>>>> | pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |
>>>>
>>>> I tried adding a [pam] section to sssd.
>>>>
>>>> [pam]
>>>> pam_public_domains = all
>>>> pam_verbosity = 3
>>>>
>>>> Didn't seem to help. I used realmd to join AD. Any help is much
>>>> appreciated.
>>>>
>>>> mysql -u user -p
>>>> Enter password:
>>>> ERROR 1045 (28000): Access denied for user 'user'@'localhost' (using password: NO)
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~maria-discuss
>>>> Post to : [email protected]
>>>> Unsubscribe : https://launchpad.net/~maria-discuss
>>>> More help : https://help.launchpad.net/ListHelp
>>>>
>>>
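
Added example, not part of the original thread: a small parser for the two /var/log/secure lines quoted at the top of the message, showing how the pam_sss entries separate the auth phase (credentials accepted) from the account phase (denied with code 6). The function names and the PAM_CODES subset are this example's own; the numeric codes follow Linux-PAM's return values.

```python
import re
from collections import defaultdict

# The two /var/log/secure lines quoted in the message above.
SAMPLE = """\
Aug 2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=adadmin
Aug 2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:account): Access denied for user adadmin: 6 (Permission denied)
"""

# Subset of Linux-PAM return codes (security/_pam_types.h).
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

# "<prog>[pid]: pam_module(service:phase): message"
LINE = re.compile(r"\[(?P<pid>\d+)\]: pam_\w+\((?P<service>[^:)]+):(?P<phase>\w+)\): (?P<msg>.*)")
AUTH = re.compile(r"authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)")
DENIED = re.compile(r"Access denied for user (?P<user>\S+): (?P<code>\d+) ")


def phase_results(text):
    """Map (pid, service, user) -> {phase: outcome} for each PAM line found."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if r := AUTH.search(m["msg"]):
            outcome = "ok" if r["result"] == "success" else "failed"
        elif r := DENIED.search(m["msg"]):
            code = int(r["code"])
            outcome = PAM_CODES.get(code, f"code {code}")
        else:
            continue  # message format not handled by this example
        sessions[(m["pid"], m["service"], r["user"])][m["phase"]] = outcome
    return dict(sessions)


def diagnose(phases):
    """Name the PAM phase (auth or account) that rejected the login."""
    if phases.get("auth", "ok") != "ok":
        return "auth phase failed: " + phases["auth"]
    if phases.get("account", "ok") != "ok":
        return "credentials accepted; account phase denied: " + phases["account"]
    return "no failure logged"


if __name__ == "__main__":
    for key, phases in phase_results(SAMPLE).items():
        print(key, phases, "->", diagnose(phases))
```
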

