
maria-discuss team mailing list archive

Re: pam / ldap auth


Hi, mj!

On Sep 25, mj wrote:
> Hi,
> 
> So, much progression, by using the pam debug flags:
> 
> > auth      required       pam_winbind.so debug
> > account   required       pam_winbind.so debug
> > auth      required       pam_user_map.so debug
> 
> revealing this in /var/log/debug:
> 
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000001)
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Verify user 'ADuser1'
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): request wbcLogonUser succeeded
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): user 'ADuser1' granted access
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Returned user was 'ADuser1'
> > Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
> > Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Opening file '/etc/security/user_map.conf'.
> > Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Incoming username 'ADuser1'.
> > Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User belongs to 3 groups [group1,group2,group3].
> > Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): Check if user is in group 'group1': YES
> > Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User mapped as 'root'
> > Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
> > Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
> > Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): user 'root' not found
> > Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)

Thanks, that was very helpful!

> So the problem is: I am mapping the login to user "root", which doesn't 
> exist in AD.
> 
> When mapping to an existing AD user, things started to work.
> 
> Now the remaining 1.000.000$ question, if I may:
> 
> The aim is to map AD users 'into' a local mariadb user. This does not 
> work, as pam tries to find both the loginuser and the target mapped 
> user. (see logs above)
> 
> What (probably pam?) config is required to handle the case where we 
> logon to mysql using AD usernames/passwords, and map/proxy those into a 
> local mysql username..? Anyone?

pam_user_map renames the user in the pam module chain, that is, all
following pam modules will see the new name. And because 'account'
modules are invoked after 'auth', pam_winbind will see the new name.

Do you really have to use

 account required pam_winbind.so

line? I didn't try it myself, but I'd think that using

 account required pam_permit.so

would help. That's what we're using to test the MariaDB pam plugin
in the mysql-test framework.

Regards,
Sergei
Chief Architect MariaDB
and security@xxxxxxxxxxx
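To make the ordering point above concrete, here is a small added model of the PAM stack from this thread (it is not libpam, not the real modules, and not MariaDB's code): each pam.d line runs in order, pam_user_map rewrites the user name that every later module sees, and the 'account' phase then runs against the renamed user. The AD users, password and user_map entry are constructed stand-ins.

```python
# Toy model of a pam.d stack: 'required' modules all run, a failure is kept
# and reported at the end of the phase; pam_user_map renames PAM_USER.
PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 7, 10   # Linux-PAM values

# Constructed stand-in for what winbind answers for the AD domain.
AD_USERS = {"ADuser1": {"password": "hunter2",
                        "groups": ["group1", "group2", "group3"]}}
# Constructed user_map.conf entry: members of group1 are mapped to 'root'.
USER_MAP = [("@group1", "root")]

def pam_winbind_auth(st):
    u = AD_USERS.get(st["user"])
    return PAM_SUCCESS if u and u["password"] == st["password"] else PAM_AUTH_ERR

def pam_winbind_account(st):
    # Like wbcGetpwnam in the log above: looks up the (possibly renamed) user.
    return PAM_SUCCESS if st["user"] in AD_USERS else PAM_USER_UNKNOWN

def pam_user_map(st):
    groups = AD_USERS.get(st["user"], {}).get("groups", [])
    for key, target in USER_MAP:
        if key.startswith("@") and key[1:] in groups:
            st["user"] = target          # every later module sees this name
            break
    return PAM_SUCCESS

def pam_permit(st):
    return PAM_SUCCESS

MODULES = {("auth", "pam_winbind.so"): pam_winbind_auth,
           ("account", "pam_winbind.so"): pam_winbind_account,
           ("auth", "pam_user_map.so"): pam_user_map,
           ("account", "pam_permit.so"): pam_permit}

def run_stack(pam_config, user, password):
    """Run the auth phase, then the account phase, of a pam.d-style config.
    Returns (final return code, user name as the last module saw it)."""
    st = {"user": user, "password": password}
    rules = [ln.split() for ln in pam_config.splitlines() if ln.strip()]
    for phase in ("auth", "account"):
        first_fail = PAM_SUCCESS
        for mtype, control, module, *_flags in rules:
            if mtype != phase:
                continue
            assert control == "required", "only 'required' is modelled"
            rc = MODULES[(mtype, module)](st)
            if rc != PAM_SUCCESS and first_fail == PAM_SUCCESS:
                first_fail = rc
        if first_fail != PAM_SUCCESS:
            return first_fail, st["user"]
    return PAM_SUCCESS, st["user"]

# The config from the thread: the account check runs against the renamed user.
ORIGINAL = """auth     required pam_winbind.so debug
account  required pam_winbind.so debug
auth     required pam_user_map.so debug
"""
# The suggestion above: let pam_permit handle the account phase instead.
SUGGESTED = ORIGINAL.replace("account  required pam_winbind.so",
                             "account  required pam_permit.so")
```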

