maria-discuss team mailing list archive
Re: pam / ldap auth
I'd like to ask an additional question re the subject line.
I have set up pam auth with pam_winbind.so on a debian 9 stretch samba
domain member server, with mariadb 10.1 from the debian repo in
I can log on (both ssh and mysql) with domain usernames fine, and the
system knows group memberships too. (confirmed with "id ADusername") so
basic functions all seem to work.
Next is using groups for access control. So I tried following this:
In short what I did:
- download the 10.1 plugin
- copy to /lib/x86_64-linux-gnu/security/
(debian path, different from the howto)
- made /etc/pam.d/mysql look like:
auth required pam_winbind.so
account required pam_winbind.so
auth required pam_user_map.so
- skipping the shadow stuff, as I guess it's not needed for winbind/ldap
I have a user1 in AD, member of user1_grp, so for quick test I created:
> @user1_grp: root
However, as soon as I add pam_user_map.so to mysql pam file, we're getting:
root@mariadb:~# mysql -uuser1 -p
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000000)
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): user 'user1' granted access
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
ERROR 1045 (28000): Access denied for user 'user1'@'localhost' (using password: NO)
When I remove pam_user_map.so from pam, logging in works again.
Have been at it for a while now, and could really use some fresh input.
Anyone done this..? On debian stretch? What am I missing..?