maria-discuss team mailing list archive

Re: sssd with authentication plugin pam

 

Michael, can you please share which operating system and builds (upstream
packages or those from the distribution) you use?

Thanks,
Honza

On Mon, Aug 2, 2021 at 5:35 PM Michael Barkdoll <mabarkdoll@xxxxxxxxx>
wrote:

> Hi, I'm having issues getting the pam plugin to work with Rocky Linux 8
> (RHEL 8) with AppStream MariaDB 10.5.  I've installed mariadb appstream for
> 10.5 and mariadb-pam packages.
>
> Added the following to /etc/my.cnf.d:
> [mariadb]
> plugin_load_add = auth_pam
>
> My sssd is joined to Active Directory.  I've created /etc/pam.d/mariadb
> trying both local pam_unix and pam_sss configurations:
> # /etc/pam.d/mariadb for local accounts
> auth required pam_unix.so audit
> account required pam_unix.so audit
>
> # /etc/pam.d/mariadb for sssd active directory accounts
> auth required pam_sss.so
> account required pam_sss.so
>
> Tried creating local accounts with:
> #CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
> #GRANT SELECT ON db.* TO 'user'@'%' IDENTIFIED VIA pam;
> #CREATE USER 'user2'@'%' IDENTIFIED VIA pam;
> #GRANT SELECT ON db.* TO 'user2'@'%' IDENTIFIED VIA pam;
>
> I've also tried creating AD accounts:
> #CREATE USER 'aduser'@'%' IDENTIFIED VIA pam USING 'mariadb';
> #GRANT SELECT ON db.* TO 'aduser'@'%' IDENTIFIED VIA pam;
> #CREATE USER 'aduser@xxxxxxxxxxx'@'%' IDENTIFIED VIA pam USING 'mariadb';
> #GRANT SELECT ON db.* TO 'aduser@xxxxxxxxxxx'@'%' IDENTIFIED VIA pam;
>
> I see Red Hat has issues with MariaDB 10.3 working with pam plugin but it
> sounded like 10.5 should work?
> https://bugzilla.redhat.com/show_bug.cgi?id=1942330
>
> I feel like I'm missing something in my /etc/sssd/sssd.conf file or some
> pam configuration steps.
>
> I'm using authselect with sssd:
> authselect select custom/user-profile with-mkhomedir with-sudo with-pamaccess
>
> All attempts to `mysql -u user -p` fail.
>
> MariaDB [(none)]> show plugins;
> | pam                           | ACTIVE   | AUTHENTICATION     | auth_pam.so | GPL     |
>
> I tried adding a [pam] section to sssd.
>
> [pam]
> pam_public_domains = all
> pam_verbosity = 3
>
> Didn't seem to help.  I used realmd to join AD.  Any help is much
> appreciated.
>
> mysql -u user -p
> Enter password:
> ERROR 1045 (28000): Access denied for user 'user'@'localhost' (using password: NO)
