maria-discuss team mailing list archive

Re: sssd with authentication plugin pam

 

Sorry, I wasn't replying to the listserv initially.  Complete list of
packages available here:
https://pastebin.com/raw/Ux8sac73

The operating system is Rocky Linux 8.4, which should be 100% binary
compatible with Red Hat 8.4.
I used mariadb AppStream 10.5 for the install with maria-pam 10.5.9 as
well.  I will confirm the same on Redhat 8.4.

Update:
I was able to get local users working by renaming /etc/pam.d/mariadb to
/etc/pam.d/mysql, with the contents:
auth required pam_unix.so audit
account required pam_unix.so audit

However, I still can't get AD user accounts to work, even with
pam_sss.so.  I was able to confirm PAM is working by changing
/etc/pam.d/mysql to:
auth required pam_permit.so audit
account required pam_permit.so audit

But, then no authentication is taking place.  I think the issue must be
with sssd's pam_sss.so.

I tried increasing the verbosity of the sssd logs.
https://pastebin.com/raw/FsJv4DYR
https://pastebin.com/raw/2TKhYygT

Not sure if there is anything useful in there.

On Mon, Aug 2, 2021 at 12:31 PM Honza Horak <hhorak@xxxxxxxxxx> wrote:

> Michael, can you share, please, which operating system and builds
> (upstream packages or those from the distribution) do you use?
>
> Thanks,
> Honza
>
> On Mon, Aug 2, 2021 at 5:35 PM Michael Barkdoll <mabarkdoll@xxxxxxxxx>
> wrote:
>
>> Hi, I'm having issues getting the pam plugin to work with Rocky Linux 8
>> (RHEL 8) with AppStream MariaDB 10.5.  I've installed mariadb appstream for
>> 10.5 and mariadb-pam packages.
>>
>> Added the following to /etc/my.cnf.d:
>> [mariadb]
>> plugin_load_add = auth_pam
>>
>> My sssd is joined to Active Directory.  I've created /etc/pam.d/mariadb
>> trying both local pam_unix and pam_sss configurations:
>> # /etc/pam.d/mariadb for local accounts
>> auth required pam_unix.so audit
>> account required pam_unix.so audit
>>
>> # /etc/pam.d/mariadb for sssd active directory accounts
>> auth required pam_sss.so
>> account required pam_sss.so
>>
>> Tried creating local accounts with:
>> #CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
>> #GRANT SELECT ON db.* TO 'user'@'%' IDENTIFIED VIA pam;
>> #CREATE USER 'user2'@'%' IDENTIFIED VIA pam;
>> #GRANT SELECT ON db.* TO 'user2'@'%' IDENTIFIED VIA pam;
>>
>> I've also tried creating AD accounts:
>> #CREATE USER 'aduser'@'%' IDENTIFIED VIA pam USING 'mariadb';
>> #GRANT SELECT ON db.* TO 'aduser'@'%' IDENTIFIED VIA pam;
>> #CREATE USER 'aduser@xxxxxxxxxxx'@'%' IDENTIFIED VIA pam USING 'mariadb';
>> #GRANT SELECT ON db.* TO 'aduser@xxxxxxxxxxx'@'%' IDENTIFIED VIA pam;
>>
>> I see Redhat has issues with MariaDB 10.3 working with pam plugin but it
>> sounded like 10.5 should work?
>> https://bugzilla.redhat.com/show_bug.cgi?id=1942330
>>
>> I feel like I'm missing something in my /etc/sssd/sssd.conf file or some
>> pam configuration steps.
>>
>> I'm using authselect with sssd:
>> authselect select custom/user-profile with-mkhomedir with-sudo
>> with-pamaccess
>>
>> All attempts to `mysql -u user -p` fail.
>>
>> MariaDB [(none)]> show plugins;
>> | pam                           | ACTIVE   | AUTHENTICATION     |
>> auth_pam.so | GPL     |
>>
>> I tried adding a [pam] section to sssd.
>>
>> [pam]
>> pam_public_domains = all
>> pam_verbosity = 3
>>
>> Didn't seem to help.  I used realmd to join AD.  Any help is much
>> appreciated.
>>
>> mysql -u user -p
>> Enter password:
>> ERROR 1045 (28000): Access denied for user 'user'@'localhost' (using
>> password: NO)
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~maria-discuss
>> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~maria-discuss
>> More help   : https://help.launchpad.net/ListHelp
>>
>
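
Added example, not part of the original message or of MariaDB's own code: a small Python check that maps each IDENTIFIED VIA pam account to the PAM service file it will consult (MariaDB uses 'mysql' when no USING clause is given) and flags a stack built on pam_permit.so, which the message above notes performs no authentication. The function names and the sample input are constructed for illustration.

```python
import re

# Modules that succeed without checking any credential.
NO_CHECK_MODULES = {"pam_permit.so"}

def pam_service_for(statement):
    """PAM service an 'IDENTIFIED VIA pam' account uses; MariaDB falls back to 'mysql'."""
    m = re.search(r"IDENTIFIED\s+VIA\s+pam(?:\s+USING\s+'([^']+)')?", statement, re.I)
    return (m.group(1) or "mysql") if m else None

def parse_pam_service(text):
    """Return (type, control, module) for each rule line of a PAM service file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m:
            rules.append(m.groups())
    return rules

def audit(statements, service_files):
    """Map each account to its service file and flag stacks that check nothing."""
    findings = []
    for stmt in statements:
        service = pam_service_for(stmt)
        if service is None:
            continue
        if service not in service_files:
            findings.append(f"{service}: no /etc/pam.d/{service} for: {stmt}")
            continue
        rules = parse_pam_service(service_files[service])
        if not any(mtype == "auth" for mtype, _, _ in rules):
            findings.append(f"{service}: no auth rule")
        for mtype, _, module in rules:
            if mtype in ("auth", "account") and module in NO_CHECK_MODULES:
                findings.append(f"{service}: {mtype} stack uses {module}, which checks nothing")
    return findings

# Constructed sample input, based on the statements and PAM lines quoted in the thread.
STATEMENTS = [
    "CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';",
    "CREATE USER 'user2'@'%' IDENTIFIED VIA pam;",
]
SERVICE_FILES = {
    "mysql": "auth required pam_permit.so audit\naccount required pam_permit.so audit\n",
}

if __name__ == "__main__":
    for finding in audit(STATEMENTS, SERVICE_FILES):
        print(finding)
```

On a real host, SERVICE_FILES would be filled by reading the files under /etc/pam.d instead of the inline sample.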