
maria-discuss team mailing list archive

Re: pam / ldap auth


Hi,

So, much progression, by using the pam debug flags:

auth      required       pam_winbind.so debug
account   required       pam_winbind.so debug
auth      required       pam_user_map.so debug

revealing this in /var/log/debug:

Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] ENTER: pam_sm_authenticate (flags: 0x0000)
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000001)
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Verify user 'ADuser1'
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): request wbcLogonUser succeeded
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): user 'ADuser1' granted access
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Returned user was 'ADuser1'
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Opening file '/etc/security/user_map.conf'.
Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Incoming username 'ADuser1'.
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User belongs to 3 groups [group1,group2,group3].
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): Check if user is in group 'group1': YES
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User mapped as 'root'
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): user 'root' not found
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)
ERROR 1045 (28000): Access denied for user 'ADuser1'@'localhost' (using password: NO)

So the problem is: I am mapping the login to user "root", which doesn't exist in AD.

When mapping to an existing AD user, things started to work.

Now the remaining 1.000.000$ question, if I may:

The aim is to map AD users 'into' a local mariadb user. This does not work, as pam tries to find both the login user and the target mapped user. (see logs above)

What (probably pam?) config is required to handle the case where we logon to mysql using AD usernames/passwords, and map/proxy those into a local mysql username..? Anyone?

MJ
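As an added example (not part of MJ's post or of MariaDB's own tooling): a small Python script that parses pam_winbind/pam_user_map debug lines for the mysql PAM service and reports when the user that pam_user_map chose in the auth phase is the one pam_winbind rejects in the account phase, which is the pattern visible in the log above. The sample lines are a constructed, trimmed copy of that log; the regexes assume the syslog line layout shown there.

```python
import re

# Constructed sample: a trimmed copy of the pam_winbind / pam_user_map debug
# lines from the post (service "mysql", auth phase then account phase).
SAMPLE_LOG = """\
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Verify user 'ADuser1'
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): user 'ADuser1' granted access
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Incoming username 'ADuser1'.
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User mapped as 'root'
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): user 'root' not found
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)
"""

# "<Mon> <day> <time> <host> <prog>: <module>(<service>:<phase>): <message>"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ \S+: (?P<module>\w+)\((?P<service>\w+):(?P<phase>\w+)\): (?P<msg>.*)$"
)


def analyze_pam_mapping(log_text, service="mysql"):
    """Correlate the auth-phase user mapping with the account-phase verdict.

    Returns the incoming login name, the name pam_user_map mapped it to,
    the PAM result reported by each phase's LEAVE line, and whether the
    mapped target itself was reported unknown during the account phase.
    """
    login = mapped = None
    results = {}   # phase -> PAM result name (e.g. "PAM_USER_UNKNOWN")
    unknown = []   # users an account-phase module reported as not found
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["service"] != service:
            continue  # other services, or lines that are not PAM debug output
        phase, msg = m["phase"], m["msg"]
        if (u := re.search(r"Incoming username '([^']+)'", msg)):
            login = u[1]
        elif (u := re.search(r"User mapped as '([^']+)'", msg)):
            mapped = u[1]
        elif phase == "account" and (u := re.search(r"user '([^']+)' not found", msg)):
            unknown.append(u[1])
        elif (r := re.search(r"returning \d+ \((PAM_\w+)\)", msg)):
            results[phase] = r[1]
    return {
        "login": login,
        "mapped": mapped,
        "results": results,
        "mapped_target_rejected_in_account_phase": mapped is not None and mapped in unknown,
    }


if __name__ == "__main__":
    print(analyze_pam_mapping(SAMPLE_LOG))
```

Feed it `/var/log/debug` after enabling `debug` on the modules as in the post; a `True` flag means the account stanza is validating the mapped name rather than the AD login.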
