maria-discuss team mailing list archive
-
maria-discuss team
-
Mailing list archive
-
Message #06072
Re: sssd with authentication plugin pam
Michael, can you share, please, which operating system and builds (upstream
packages or those from the distribution) do you use?
Thanks,
Honza
On Mon, Aug 2, 2021 at 5:35 PM Michael Barkdoll <mabarkdoll@xxxxxxxxx>
wrote:
> Hi, I'm having issues getting the pam plugin to work with Rocky Linux 8
> (RHEL 8) with AppStream MariaDB 10.5. I've installed mariadb appstream for
> 10.5 and mariadb-pam packages.
>
> Added the following to /etc/my.cnf.d:
> [mariadb]
> plugin_load_add = auth_pam
>
> My sssd is joined to Active Directory. I've created /etc/pam.d/mariadb
> trying both local pam_unix and pam_sss configurations:
> # /etc/pam.d/mariadb for local accounts
> auth required pam_unix.so audit
> account required pam_unix.so audit
>
> # /etc/pam.d/mariadb for sssd active directory accounts
> auth required pam_sss.so
> account required pam_sss.so
>
> Tried creating local accounts with:
> #CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
> #GRANT SELECT ON db.* TO 'user'@'%' IDENTIFIED VIA pam;
> #CREATE USER 'user2'@'%' IDENTIFIED VIA pam;
> #GRANT SELECT ON db.* TO 'user2'@'%' IDENTIFIED VIA pam;
>
> I've also tried creating AD accounts:
> #CREATE USER 'aduser'@'%' IDENTIFIED VIA pam USING 'mariadb';
> #GRANT SELECT ON db.* TO 'aduser'@'%' IDENTIFIED VIA pam;
> #CREATE USER 'aduser@xxxxxxxxxxx'@'%' IDENTIFIED VIA pam USING 'mariadb';
> #GRANT SELECT ON db.* TO 'aduser@xxxxxxxxxxx'@'%' IDENTIFIED VIA pam;
>
> I see Redhat has issues with MariaDB 10.3 working with pam plugin but it
> sounded like 10.5 should work?
> https://bugzilla.redhat.com/show_bug.cgi?id=1942330
>
> I feel like I'm missing something in my /etc/sssd/sssd.conf file or some
> pam configuration steps.
>
> I'm using authselect with sssd:
> authselect select custom/user-profile with-mkhomedir with-sudo
> with-pamaccess
>
> All attempts to `mysql -u user -p` fail.
>
> MariaDB [(none)]> show plugins;
> | pam | ACTIVE | AUTHENTICATION |
> auth_pam.so | GPL |
>
> I tried adding a [pam] section to sssd.
>
> [pam]
> pam_public_domains = all
> pam_verbosity = 3
>
> Didn't seem to help. I used realmd to join AD. Any help is much
> appreciated.
>
> mysql -u user -p
> Enter password:
> ERROR 1045 (28000): Access denied for user 'user'@'localhost' (using
> password: NO)
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help : https://help.launchpad.net/ListHelp
>
Follow ups
References