On 8/3/21 4:05 AM, Michal Schorm wrote:
> Hello,

Hello Michal
How are you doing?

>
> (1)
> Since MariaDB 10.4, there is a new version 2 of the PAM plugin, which
> has been made default.
> Based on your message it looks like you are using the PAMv2 plugin,
> which is what I would recommend, though you can check again by:
> MariaDB [(none)]> show plugins soname like '%pam%';
> +------+---------------+----------------+----------------+---------+
> | Name | Status        | Type           | Library        | License |
> +------+---------------+----------------+----------------+---------+
> | pam  | ACTIVE        | AUTHENTICATION | auth_pam.so    | GPL     |
> | pam  | NOT INSTALLED | AUTHENTICATION | auth_pam_v1.so | GPL     |
> +------+---------------+----------------+----------------+---------+
>
>
> (2)
>> On Mon, Aug 2, 2021 at 5:35 PM Michael Barkdoll <[email protected]> wrote:
>>> I see Redhat has issues with MariaDB 10.3 working with pam plugin but it
>>> sounded like 10.5 should work?
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1942330
> We are not aware of any more issues with the MariaDB PAM plugin at this
> moment.
>
>
> (3)
> I tried to reproduce your issue on RHEL-8.4.0 with the RPMs from the
> mariadb-10.5 module provided by Red Hat.
>
> The authentication for the local users works out-of-the-box.
> I didn't need to use your workaround:
>> On Mon, Aug 2, 2021 at 10:07 PM Michael Barkdoll <[email protected]>
>> wrote:
>>> I was able to get local users working by renaming the /etc/pam.d/mariadb to
>>> /etc/pam/d/mysql contents:
>
> The "... USING 'mariadb';" clause worked as expected for me.
> When omitted, the authentication stopped working because I only
> specified PAM configuration for the PAM 'mariadb' service, not the 'mysql'
> service, which is the default one used by the MariaDB server.
>
> I haven't tested Active Directory.
>
>
> (4)
> I also spotted you are using both:
>
> CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
> GRANT SELECT ON db.* TO 'user'@'%' IDENTIFIED VIA pam;
>
> My understanding of the upstream documentation:
> https://mariadb.com/kb/en/authentication-plugin-pam/#creating-users
> is that only one of those lines is needed.
>
> --
>
> Michal
>
> --
>
> Michal Schorm
> Software Engineer
> Core Services - Databases Team
> Red Hat
>
> --
>
> On Mon, Aug 2, 2021 at 11:18 PM Michael Barkdoll <[email protected]> wrote:
>>
>> Thanks, I used /etc/pam.d/mysql to add a pam_exec.so line as well to try to
>> output the environment variables.
>>
>> # cat /etc/pam.d/mysql
>> auth optional pam_exec.so log=/t/pam_output.txt /t/pam_log_script.sh
>> auth required pam_sss.so
>> account optional pam_exec.so log=/t/pam_output.txt /t/pam_log_script.sh
>> account required pam_sss.so
>>
>> # cat /t/pam_log_script.sh
>> #!/bin/bash
>> echo `env`
>>
>> # cat /t/pam_output.txt
>> *** Mon Aug 2 16:08:15 2021
>> PAM_TYPE=auth PAM_USER=adadmin PWD=/var/lib/mysql SHLVL=1 PAM_SERVICE=mysql _=/usr/bin/env
>> *** Mon Aug 2 16:08:15 2021
>> PAM_TYPE=account PAM_USER=adadmin PWD=/var/lib/mysql KRB5CCNAME=FILE:/tmp/krb5cc_1767884463_WAaH4K SHLVL=1 PAM_SERVICE=mysql _=/usr/bin/env
>>
>> Also, I turned on rsyslogd and I see the following in /var/log/secure:
>> Aug 2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=adadmin
>> Aug 2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:account): Access denied for user adadmin: 6 (Permission denied)
>>
>> On Mon, Aug 2, 2021 at 3:49 PM Honza Horak <[email protected]> wrote:
>>>
>>> Sharing with folks maintaining the RPMs on the RHEL side, Michal and Lukas,
>>> whether it looks familiar by any chance. You're right that the pam module
>>> should work fine with 10.5; the BZ you referenced was only related to 10.3.
>>> The theory that it might be something wrong with the sssd rather than
>>> mariadb-pam looks probable to me, but I'm not an expert on that front.
>>>
>>> Honza
>>>
>>> On Mon, Aug 2, 2021 at 10:07 PM Michael Barkdoll <[email protected]>
>>> wrote:
>>>>
>>>> Sorry, I wasn't replying to the listserv initially. Complete list of
>>>> packages available here:
>>>> https://pastebin.com/raw/Ux8sac73
>>>>
>>>> Operating system is Rocky Linux 8.4, which should be 100% binary compatible with
>>>> Red Hat 8.4.
>>>> I used mariadb AppStream 10.5 for the install with mariadb-pam 10.5.9 as
>>>> well. I will confirm the same on Red Hat 8.4.
>>>>
>>>> Update:
>>>> I was able to get local users working by renaming the /etc/pam.d/mariadb
>>>> to /etc/pam/d/mysql contents:
>>>> auth required pam_unix.so audit
>>>> account required pam_unix.so audit
>>>>
>>>> However, I still can't get AD user accounts to work even with the
>>>> pam_sss.so -- I was able to confirm pam is working by changing
>>>> /etc/pam.d/mysql to:
>>>> auth required pam_permit.so audit
>>>> account required pam_permit.so audit
>>>>
>>>> But then no authentication is taking place. I think the issue must be
>>>> with sssd's pam_sss.so.
>>>>
>>>> I tried increasing the verbosity of the sssd logs.
>>>> https://pastebin.com/raw/FsJv4DYR
>>>> https://pastebin.com/raw/2TKhYygT
>>>>
>>>> Not sure if there is anything useful in there.
>>>>
>>>> On Mon, Aug 2, 2021 at 12:31 PM Honza Horak <[email protected]> wrote:
>>>>>
>>>>> Michael, can you share, please, which operating system and builds
>>>>> (upstream packages or those from the distribution) you use?
>>>>>
>>>>> Thanks,
>>>>> Honza
>>>>>
>>>>> On Mon, Aug 2, 2021 at 5:35 PM Michael Barkdoll <[email protected]>
>>>>> wrote:
>>>>>>
>>>>>> Hi, I'm having issues getting the pam plugin to work with Rocky Linux 8
>>>>>> (RHEL 8) with AppStream MariaDB 10.5. I've installed mariadb appstream
>>>>>> for 10.5 and mariadb-pam packages.
>>>>>>
>>>>>> Added the following to /etc/my.cnf.d:
>>>>>> [mariadb]
>>>>>> plugin_load_add = auth_pam
>>>>>>
>>>>>> My sssd is joined to Active Directory. I've created /etc/pam.d/mariadb
>>>>>> trying both local pam_unix and pam_sss configurations:
>>>>>> # /etc/pam.d/mariadb for local accounts
>>>>>> auth required pam_unix.so audit
>>>>>> account required pam_unix.so audit
>>>>>>
>>>>>> # /etc/pam.d/mariadb for sssd active directory accounts
>>>>>> auth required pam_sss.so
>>>>>> account required pam_sss.so
>>>>>>
>>>>>> Tried creating local accounts with:
>>>>>> #CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>>>>> #GRANT SELECT ON db.* TO 'user'@'%' IDENTIFIED VIA pam;
>>>>>> #CREATE USER 'user2'@'%' IDENTIFIED VIA pam;
>>>>>> #GRANT SELECT ON db.* TO 'user2'@'%' IDENTIFIED VIA pam;
>>>>>>
>>>>>> I've also tried creating AD accounts:
>>>>>> #CREATE USER 'aduser'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>>>>> #GRANT SELECT ON db.* TO 'aduser'@'%' IDENTIFIED VIA pam;
>>>>>> #CREATE USER '[email protected]'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>>>>> #GRANT SELECT ON db.* TO '[email protected]'@'%' IDENTIFIED VIA pam;
>>>>>>
>>>>>> I see Redhat has issues with MariaDB 10.3 working with pam plugin but it
>>>>>> sounded like 10.5 should work?
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1942330
>>>>>>
>>>>>> I feel like I'm missing something in my /etc/sssd/sssd.conf file or some
>>>>>> pam configuration steps.
>>>>>>
>>>>>> I'm using authselect with sssd:
>>>>>> authselect select custom/user-profile with-mkhomedir with-sudo with-pamaccess
>>>>>>
>>>>>> All attempts to `mysql -u user -p` fail.
>>>>>>
>>>>>> MariaDB [(none)]> show plugins;
>>>>>> | pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |
>>>>>>
>>>>>> I tried adding a [pam] section to sssd.
>>>>>>
>>>>>> [pam]
>>>>>> pam_public_domains = all
>>>>>> pam_verbosity = 3
>>>>>>
>>>>>> Didn't seem to help. I used realmd to join AD. Any help is much
>>>>>> appreciated.
>>>>>>
>>>>>> mysql -u user -p
>>>>>> Enter password:
>>>>>> ERROR 1045 (28000): Access denied for user 'user'@'localhost' (using password: NO)
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mailing list: https://launchpad.net/~maria-discuss
>>>>>> Post to     : [email protected]
>>>>>> Unsubscribe : https://launchpad.net/~maria-discuss
>>>>>> More help   : https://help.launchpad.net/ListHelp
>

--
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
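The two /var/log/secure lines quoted in the thread are the most useful evidence in it: pam_sss reports "authentication success" for the mysql:auth stage and then "Access denied" for the mysql:account stage, so the password was accepted and the rejection came from the account phase. The following is an added example, not code from the thread, from MariaDB or from SSSD: a small parser for pam_* syslog lines that groups results per PAM service, user and stage and names the stage that rejected the login. The sample log is constructed (the two lines from the thread with syslog's usual double space before a single-digit day, plus one invented pam_unix line for a user "bob" whose password was rejected, to show the other failure mode); the function names are the example's own.

```python
"""Summarise pam_* syslog lines per PAM service, user and stage.

Added example, not part of the mailing-list thread. It reads lines in the
shape Linux-PAM modules write to /var/log/secure and tells apart a failure
in the 'auth' stage (credentials rejected) from one in the 'account' stage
(credentials accepted, access denied afterwards).
"""
import re
from collections import defaultdict

# Syslog line shape written by Linux-PAM modules:
#   <mon> <day> <hh:mm:ss> <host> <program>[<pid>]: pam_<mod>(<service>:<stage>): <message>
PAM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<stage>\w+)\): (?P<msg>.*)$"
)

# The user name appears in different places depending on the message.
USER_PATTERNS = (
    re.compile(r"\buser=(?P<user>\S+)"),          # "... ruser= rhost= user=adadmin"
    re.compile(r"\bfor user (?P<user>[^:\s]+)"),  # "Access denied for user adadmin: 6 ..."
)

# Constructed sample input: the two thread lines plus one invented pam_unix line.
SAMPLE_LOG = """\
Aug  2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=adadmin
Aug  2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:account): Access denied for user adadmin: 6 (Permission denied)
Aug  2 16:09:40 server auth_pam_tool[63702]: pam_unix(mysql:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bob
"""


def parse_pam_line(line: str):
    """Return service, stage, module, user and outcome for one pam_* line,
    or None for lines that are not pam_* messages."""
    m = PAM_LINE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    user = None
    for pat in USER_PATTERNS:
        hit = pat.search(msg)
        if hit:
            user = hit.group("user")
            break
    low = msg.lower()
    if "success" in low:
        outcome = "ok"
    elif "denied" in low or "failure" in low:
        outcome = "fail"
    else:
        outcome = "info"
    return {
        "service": m.group("service"),
        "stage": m.group("stage"),
        "module": m.group("module"),
        "user": user,
        "outcome": outcome,
        "msg": msg,
    }


def summarize(log_text: str):
    """Map (service, user) -> {stage: (module, outcome)} over all pam_* lines."""
    result = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_pam_line(line)
        if rec and rec["user"]:
            result[(rec["service"], rec["user"])][rec["stage"]] = (rec["module"], rec["outcome"])
    return dict(result)


def diagnose(stages):
    """Name the first PAM stage that rejected the login for one (service, user)."""
    auth = stages.get("auth", (None, "missing"))
    account = stages.get("account", (None, "missing"))
    if auth[1] == "fail":
        return f"auth stage rejected by {auth[0]}: credentials not accepted"
    if auth[1] == "ok" and account[1] == "fail":
        return (f"auth stage passed, account stage rejected by {account[0]}: "
                "credentials were accepted, the account/access check denied the login")
    if auth[1] == "ok" and account[1] == "ok":
        return "auth and account stages passed"
    return "incomplete: no decisive auth/account result logged"


if __name__ == "__main__":
    for (service, user), stages in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{service}/{user}: {diagnose(stages)}")
```

Run against a real /var/log/secure by feeding the file's contents to summarize(); the auth-stage/account-stage split is what tells you whether to look at the password path (the module named in the auth stage) or at the account-stage access control of the module that logged the denial.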

