← Back to team overview

maria-discuss team mailing list archive

Re: pam / ldap auth


Hi all,

I'd like to ask an additional question re the subjectline.

I have setup pam auth with pam_winbind.so on a debian 9 stretch samba domain member server, with mariadb 10.1 from the debian repo in "pam_use_cleartext_plugin" mode.

I can logon (both ssh and mysql) with domain usernames fine, and the system knows group memberships too. (confirmed with "id ADusername") so basic functions all seem to work.

Next is using groups for access control. So I tried following this:

In short what I did:
- download the 10.1 plugin
- compile
- copy to /lib/x86_64-linux-gnu/security/
(debian path, different from the howto)
- made /etc/pam.d/mysql look like:
auth      required       pam_winbind.so
account   required       pam_winbind.so
auth      required       pam_user_map.so

- skipping the shadow stuff, as I guess it's not needed for winbind/ldap

I have a user1 in AD, member of user1_grp, so for quick test I created: /etc/security/user_map.conf with:

> @user1_grp: root

However, as soon as I add pam_user_map.so to mysql pam file, we're getting:

root@mariadb:~# mysql -uuser1 -p
Enter password: Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000000)
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): user 'user1' granted access
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
ERROR 1045 (28000): Access denied for user 'user1'@'localhost' (using password: NO)

When I remove pam_user_map.so from pam, logging in works again.

Have been at at for a while now, and could really use some fresh input.

Anyone done this..? On debian stretch? What am I missing..?


Follow ups