
maria-discuss team mailing list archive

Re: pam / ldap auth

 

Hi all,

I'd like to ask an additional question re the subject line.

I have set up pam auth with pam_winbind.so on a debian 9 stretch samba domain member server, with mariadb 10.1 from the debian repo in "pam_use_cleartext_plugin" mode.

I can log on (both ssh and mysql) with domain usernames fine, and the system knows group memberships too. (confirmed with "id ADusername") so basic functions all seem to work.

Next is using groups for access control. So I tried following this:
https://mariadb.com/resources/blog/configuring-pam-group-mapping-mariadb

In short what I did:
- download the 10.1 plugin
- compile
- copy to /lib/x86_64-linux-gnu/security/
(debian path, different from the howto)
- made /etc/pam.d/mysql look like:
#%PAM-1.0
auth      required       pam_winbind.so
account   required       pam_winbind.so
auth      required       pam_user_map.so

- skipping the shadow stuff, as I guess it's not needed for winbind/ldap

I have a user1 in AD, member of user1_grp, so for a quick test I created: /etc/security/user_map.conf with:

> @user1_grp: root

However, as soon as I add pam_user_map.so to mysql pam file, we're getting:

root@mariadb:~# mysql -uuser1 -p
Enter password: Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000000)
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): user 'user1' granted access
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
ERROR 1045 (28000): Access denied for user 'user1'@'localhost' (using password: NO)
root@mariadb:~#

When I remove pam_user_map.so from pam, logging in works again.

Have been at it for a while now, and could really use some fresh input.

Anyone done this..? On debian stretch? What am I missing..?

Thanks!
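Added illustration, not code from the post above or from the MariaDB pam_user_map plugin: a small resolver that reads a user_map.conf in the layout the post uses (`user: target` and `@group: target` lines, `#` comments) and reports which account a login would be mapped to, given the OS group list that `id ADusername` prints. It also lists every rule whose target is a privileged local account, which is the check worth running before such a file goes live, since a group rule like `@user1_grp: root` turns every member of that AD group into root inside MariaDB. The "first matching line wins" ordering and the sample file contents are assumptions of this example.

```python
"""Resolve a login through a pam_user_map-style user_map.conf (illustrative).

Not the MariaDB plugin's own code.  Implements the documented line syntax
(`user: target`, `@group: target`, `#` comments); the first-match-wins
ordering is an assumption of this example.
"""

# Constructed sample in the post's layout: members of AD group user1_grp
# become root; one named user becomes the local 'dba' account.
SAMPLE_USER_MAP = """\
# mapping rules, consulted top to bottom
@user1_grp: root
dba_alice: dba
"""

# Local accounts that a mapping should never silently hand out.
PRIVILEGED_TARGETS = frozenset({"root", "mysql"})


def parse_user_map(text):
    """Return (is_group, name, target) triples in file order.

    Raises ValueError on a malformed line so a bad file is caught before it
    is installed as /etc/security/user_map.conf.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'name: target'")
        name, target = (part.strip() for part in line.split(":", 1))
        if not name or not target:
            raise ValueError(f"line {lineno}: empty name or target")
        is_group = name.startswith("@")
        rules.append((is_group, name[1:] if is_group else name, target))
    return rules


def map_user(login, groups, rules):
    """Return the effective account for `login`.

    `groups` is the set of OS group names the login belongs to (what
    `id <user>` shows).  Without a matching rule the login is unchanged,
    which is what later PAM modules in the stack would then see.
    """
    for is_group, name, target in rules:
        if is_group and name in groups:
            return target
        if not is_group and name == login:
            return target
    return login


def privileged_rules(rules, privileged=PRIVILEGED_TARGETS):
    """List (matcher, target) pairs that map onto a privileged local account."""
    return [
        (("@" if is_group else "") + name, target)
        for is_group, name, target in rules
        if target in privileged
    ]


if __name__ == "__main__":
    rules = parse_user_map(SAMPLE_USER_MAP)
    # Group list as `id user1` would report it on the domain member (constructed).
    print(map_user("user1", {"domain users", "user1_grp"}, rules))   # root
    print(map_user("bob", {"domain users"}, rules))                  # bob
    for matcher, target in privileged_rules(rules):
        print(f"review: {matcher} -> {target}")
```

Run it with the real file (`parse_user_map(open("/etc/security/user_map.conf").read())`) and the group set from `id` to see, offline, the name a login is rewritten to before the rest of the PAM stack runs; any rule listed by `privileged_rules` deserves a second look, because group membership in AD then equals root inside the database.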

