
maria-discuss team mailing list archive

Re: sssd with authentication plugin pam

 

I removed sections [mysql] and [mariadb] from sssd.conf since sssctl
config-check didn't want them there.  AD authentication issue is still
present.



On Tue, Aug 3, 2021 at 9:15 AM Michael Barkdoll <mabarkdoll@xxxxxxxxx>
wrote:

> Here is my sssd.conf as well in case some customization in it is somehow
> causing issues though I don't think it should be causing any issues:
>
>
> # cat /etc/sssd/sssd.conf
> [sssd]
> debug_level = 9
> domains = domain.college.edu
> config_file_version = 2
> services = nss, pam
> #default_domain_suffix = AD.SIU.EDU
> #domain_resolution_order = LOCAL, AD.SIU.EDU
> domain_resolution_order = implicit_files, DOMAIN.COLLEGE.EDU
>
> [domain/domain.college.edu]
> ad_domain = domain.domain.edu
> krb5_realm = DOMAIN.COLLEGE.EDU
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
>
> use_fully_qualified_names = False
>
> override_homedir = /home/%u
> fallback_homedir = /home/%u
> access_provider = ad
> ad_access_filter = (|(memberOf=CN=CS Current Users,OU=Groups,DC=domain,DC=college,DC=edu)(memberOf=CN=CS Domain Admins,OU=Groups,DC=domain,DC=college,DC=edu))
>
> subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> ignore_group_members = True
>
> krb5_lifetime = 7h
> krb5_renewable_lifetime = 7d
> krb5_renew_interval = 60s
>
> dyndns_update = true
> dyndns_refresh_interval = 60
> dyndns_update_ptr = true
> dyndns_ttl = 60
>
> debug_level = 9
> dyndns_iface = eth0
> dyndns_server = 192.168.1.1
>
> ad_hostname = mariadb.domain.college.edu
>
> [pam]
> pam_public_domains = all
> pam_verbosity = 9
>
> [mysql]
> debug_level = 9
>
> [mariadb]
> debug_level = 9
>
>
>
> On Tue, Aug 3, 2021 at 9:08 AM Michael Barkdoll <mabarkdoll@xxxxxxxxx>
> wrote:
>
>> Hi Michal,
>>
>> Yes, I'm using version 2 of the PAM plugin.
>>
>> MariaDB [(none)]> show plugins soname like '%pam%';
>> +------+---------------+----------------+----------------+---------+
>> | Name | Status        | Type           | Library        | License |
>> +------+---------------+----------------+----------------+---------+
>> | pam  | ACTIVE        | AUTHENTICATION | auth_pam.so    | GPL     |
>> | pam  | NOT INSTALLED | AUTHENTICATION | auth_pam_v1.so | GPL     |
>> +------+---------------+----------------+----------------+---------+
>>
>> Concerning (3), I was able to use /etc/pam.d/mariadb this morning instead
>> of /etc/pam.d/mysql.  The only modifications that I've made that I see
>> currently are what you noted in point (4) to only using CREATE USER since
>> SQL_MODE has NO_AUTO_CREATE_USER.
>>
>> MariaDB [(none)]> SELECT @@SQL_MODE, @@GLOBAL.SQL_MODE;
>> +-------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+
>> | @@SQL_MODE                                                                                | @@GLOBAL.SQL_MODE                                                                         |
>> +-------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+
>> | STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION | STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION |
>> +-------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+
>>
>>
>> I've updated the user creation to only use (4):
>> CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>
>> Unix auth appears to work the same as your configuration now using
>> pam_unix in /etc/pam.d/mariadb.  However, AD is not working when I change
>> /etc/pam.d/mariadb to:
>> auth optional pam_exec.so log=/t/pam_output.txt /t/pam_log_script.sh
>> auth required pam_sss.so
>> account optional pam_exec.so log=/t/pam_output.txt /t/pam_log_script.sh
>> account required pam_sss.so
>>
>> MariaDB [(none)]> DROP USER adadmin;
>> Query OK, 0 rows affected (0.037 sec)
>> MariaDB [(none)]> CREATE USER 'adadmin'@'%' IDENTIFIED VIA pam USING 'mariadb';
>> Query OK, 0 rows affected (0.024 sec)
>>
>> # tail -f /t/pam_output.txt
>> *** Tue Aug  3 08:56:05 2021
>> PAM_TYPE=auth PAM_USER=adadmin PWD=/var/lib/mysql SHLVL=1
>> PAM_SERVICE=mariadb _=/usr/bin/env
>> *** Tue Aug  3 08:56:06 2021
>> PAM_TYPE=account PAM_USER=adadmin PWD=/var/lib/mysql
>> KRB5CCNAME=FILE:/tmp/krb5cc_1767884463_WAaH4K SHLVL=1 PAM_SERVICE=mariadb
>> _=/usr/bin/env
>>
>> # tail -f /var/log/secure
>> Aug  3 08:56:06 cs-dbserv auth_pam_tool[76893]: pam_sss(mariadb:auth):
>> authentication success; logname= uid=0 euid=0 tty= ruser= rhost=
>> user=adadmin
>> Aug  3 08:56:06 cs-dbserv auth_pam_tool[76893]: pam_sss(mariadb:account):
>> Access denied for user adadmin: 6 (Permission denied)
>>
>> # tail -f /var/log/messages
>> Aug  3 08:58:42 mariadb sssd[76951]: Outgoing update query:
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; ->>HEADER<<- opcode: QUERY,
>> status: NOERROR, id:  23217
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; flags:; QUESTION: 1, ANSWER: 0,
>> AUTHORITY: 0, ADDITIONAL: 1
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; QUESTION SECTION:
>> Aug  3 08:58:42 mariadb sssd[76951]: ;
>> 2530806950.server.domain.college.edu. ANY#011TKEY
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; ADDITIONAL SECTION:
>> Aug  3 08:58:42 mariadb sssd[76951]: 2530806950.server.domain.college.edu.
>> 0 ANY TKEY#011gss-tsig. 1627999122 1627999122 3 NOERROR 1326
>> YIIFKg[shortened] 0
>> Aug  3 08:58:42 mariadb sssd[76951]: Outgoing update query:
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; ->>HEADER<<- opcode: UPDATE,
>> status: NOERROR, id:  35535
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; flags:; ZONE: 1, PREREQ: 0,
>> UPDATE: 2, ADDITIONAL: 1
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; UPDATE SECTION:
>> Aug  3 08:58:42 mariadb sssd[76951]:
>> mariadb.domain.college.edu.#0110#011ANY#011A
>> Aug  3 08:58:42 mariadb sssd[76951]:
>> mariadb.domain.college.edu.#01160#011IN#011A#011131.230.133.11
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; TSIG PSEUDOSECTION:
>> Aug  3 08:58:42 mariadb sssd[76951]: 2530806950.server.domain.college.edu.
>> 0 ANY TSIG#011gss-tsig. 1627999122 300 28 BAQE[shortened]== 35535 NOERROR 0
>> Aug  3 08:58:42 mariadb sssd[76951]: Outgoing update query:
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; ->>HEADER<<- opcode: QUERY,
>> status: NOERROR, id:  53259
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; flags:; QUESTION: 1, ANSWER: 0,
>> AUTHORITY: 0, ADDITIONAL: 1
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; QUESTION SECTION:
>> Aug  3 08:58:42 mariadb sssd[76951]: ;417880633.server.domain.college.edu.
>> ANY#011TKEY
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; ADDITIONAL SECTION:
>> Aug  3 08:58:42 mariadb sssd[76951]: 417880633.server.domain.college.edu.
>> 0 ANY#011TKEY#011gss-tsig. 1627999122 1627999122 3 NOERROR 1326
>> YIIFKg[shortened] 0
>> Aug  3 08:58:42 mariadb sssd[76951]: Outgoing update query:
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; ->>HEADER<<- opcode: UPDATE,
>> status: NOERROR, id:  49877
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; flags:; ZONE: 1, PREREQ: 0,
>> UPDATE: 1, ADDITIONAL: 1
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; UPDATE SECTION:
>> Aug  3 08:58:42 mariadb sssd[76951]:
>> mariadb.domain.college.edu.#0110#011ANY#011AAAA
>> Aug  3 08:58:42 mariadb sssd[76951]: ;; TSIG PSEUDOSECTION:
>> Aug  3 08:58:42 mariadb sssd[76951]: 417880633.server.domain.college.edu.
>> 0 ANY#011TSIG#011gss-tsig. 1627999122 300 28 BAQE[shortened]== 49877
>> NOERROR 0
>>
>> Also, I noticed when doing the following command pam_acct_mgmt is showing
>> Permission denied:
>> # sssctl user-checks -s mariadb adadmin
>>
>> user: adadmin
>> action: acct
>> service: mariadb
>>
>> SSSD nss user lookup result:
>>  - user name: adadmin@xxxxxxxxxxxxxxxxxx
>>  - user id: 1767884463
>>  - group id: 1767800513
>>  - gecos: Admin CS - adadmin
>>  - home directory: /home/adadmin
>>  - shell: /bin/bash
>>
>> SSSD InfoPipe user lookup result:
>>  - name: adadmin
>>  - uidNumber: 17xxxxxxxxx
>>  - gidNumber: 17xxxxxxxxx
>>  - gecos: Admin CS - adadmin
>>  - homeDirectory: not set
>>  - loginShell: not set
>>
>> testing pam_acct_mgmt
>>
>> pam_acct_mgmt: Permission denied
>>
>> PAM Environment:
>>  - no env -
>>
>> This is also showing up in /var/log/secure:
>> Aug  3 09:03:05 mariadb sssctl[77040]: pam_sss(mariadb:account): Access
>> denied for user adadmin: 6 (Permission denied)
>>
>> Michael Barkdoll
>>
>>
>> On Tue, Aug 3, 2021 at 3:05 AM Michal Schorm <mschorm@xxxxxxxxxx> wrote:
>>
>>> Hello,
>>>
>>> (1)
>>> Since MariaDB 10.4, there is a new version 2 of the PAM plugin, which
>>> has been made default.
>>> Based on your message it looks like you are using the PAMv2 plugin,
>>> which is what I would recommend, though you can check again by:
>>> MariaDB [(none)]> show plugins soname like '%pam%';
>>> +------+---------------+----------------+----------------+---------+
>>> | Name | Status        | Type           | Library        | License |
>>> +------+---------------+----------------+----------------+---------+
>>> | pam  | ACTIVE        | AUTHENTICATION | auth_pam.so    | GPL     |
>>> | pam  | NOT INSTALLED | AUTHENTICATION | auth_pam_v1.so | GPL     |
>>> +------+---------------+----------------+----------------+---------+
>>>
>>>
>>> (2)
>>> > On Mon, Aug 2, 2021 at 5:35 PM Michael Barkdoll <mabarkdoll@xxxxxxxxx>
>>> wrote:
>>> >> I see Redhat has issues with MariaDB 10.3 working with pam plugin but
>>> it sounded like 10.5 should work?
>>> >> https://bugzilla.redhat.com/show_bug.cgi?id=1942330
>>> We are not aware of any more issues with the MariaDB PAM plugin at this
>>> moment.
>>>
>>>
>>> (3)
>>> I tried to reproduce your issue on RHEL-8.4.0 with the RPMs from the
>>> mariadb-10.5 module provided by Red Hat.
>>>
>>> The authentication for the local users works out-of-the-box.
>>> I didn't need to use your workaround:
>>> > On Mon, Aug 2, 2021 at 10:07 PM Michael Barkdoll <mabarkdoll@xxxxxxxxx>
>>> wrote:
>>> >> I was able to get local users working by renaming the
>>> /etc/pam.d/mariadb to /etc/pam.d/mysql contents:
>>>
>>> The "... USING 'mariadb';" clause worked as expected for me.
>>> When omitted, the authentication stopped working because I only
>>> specified PAM configuration for the PAM 'mariadb' service, not 'mysql'
>>> service which is the default one used by MariaDB server.
>>>
>>> I haven't tested Active Directory.
>>>
>>>
>>> (4)
>>> I also spotted you are using both:
>>>
>>> CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>> GRANT SELECT ON db.* TO 'user'@'%' IDENTIFIED VIA pam;
>>>
>>> My understanding of the upstream documentation:
>>>   https://mariadb.com/kb/en/authentication-plugin-pam/#creating-users
>>> is that only one of those lines is needed.
>>>
>>> --
>>>
>>> Michal
>>>
>>> --
>>>
>>> Michal Schorm
>>> Software Engineer
>>> Core Services - Databases Team
>>> Red Hat
>>>
>>> --
>>>
>>> On Mon, Aug 2, 2021 at 11:18 PM Michael Barkdoll <mabarkdoll@xxxxxxxxx>
>>> wrote:
>>> >
>>> > Thanks, I used /etc/pam.d/mysql to add a pam_exec.so line as well to
>>> try to output the environment variables.
>>> >
>>> > # cat /etc/pam.d/mysql
>>> > auth optional pam_exec.so log=/t/pam_output.txt /t/pam_log_script.sh
>>> > auth required pam_sss.so
>>> > account optional pam_exec.so log=/t/pam_output.txt /t/pam_log_script.sh
>>> > account required pam_sss.so
>>> >
>>> > cat /t/pam_log_script.sh
>>> > #!/bin/bash
>>> > echo `env`
>>> >
>>> > # cat /t/pam_output.txt
>>> > *** Mon Aug  2 16:08:15 2021
>>> > PAM_TYPE=auth PAM_USER=adadmin PWD=/var/lib/mysql SHLVL=1
>>> PAM_SERVICE=mysql _=/usr/bin/env
>>> > *** Mon Aug  2 16:08:15 2021
>>> > PAM_TYPE=account PAM_USER=adadmin PWD=/var/lib/mysql
>>> KRB5CCNAME=FILE:/tmp/krb5cc_1767884463_WAaH4K SHLVL=1 PAM_SERVICE=mysql
>>> _=/usr/bin/env
>>> >
>>> > Also, I turned on rsyslogd and I see the following in /var/log/secure:
>>> > Aug  2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:auth):
>>> authentication success; logname= uid=0 euid=0 tty= ruser= rhost=
>>> user=adadmin
>>> > Aug  2 16:08:15 server auth_pam_tool[63628]: pam_sss(mysql:account):
>>> Access denied for user adadmin: 6 (Permission denied)
>>> >
>>> > On Mon, Aug 2, 2021 at 3:49 PM Honza Horak <hhorak@xxxxxxxxxx> wrote:
>>> >>
>>> >> Sharing with folks maintaining the RPMs on the RHEL side, Michal and
>>> Lukas, whether it looks familiar by any chance. You're right that the pam
>>> module should work fine with 10.5, the BZ you referenced was only related
>>> to 10.3. The theory that it might be something wrong with the sssd rather
>>> than mariadb-pam looks probable to me, but I'm not an expert on that front.
>>> >>
>>> >> Honza
>>> >>
>>> >> On Mon, Aug 2, 2021 at 10:07 PM Michael Barkdoll <
>>> mabarkdoll@xxxxxxxxx> wrote:
>>> >>>
>>> >>> Sorry, I wasn't replying to the listserv initially.  Complete list
>>> of packages available here:
>>> >>> https://pastebin.com/raw/Ux8sac73
>>> >>>
>>> >>> Operating System is Rocky Linux 8.4, which should be 100% binary compatible
>>> with Redhat 8.4.
>>> >>> I used mariadb AppStream 10.5 for the install with maria-pam 10.5.9
>>> as well.  I will confirm the same on Redhat 8.4.
>>> >>>
>>> >>> Update:
>>> >>> I was able to get local users working by renaming the
>>> /etc/pam.d/mariadb to /etc/pam.d/mysql contents:
>>> >>> auth required pam_unix.so audit
>>> >>> account required pam_unix.so audit
>>> >>>
>>> >>> However, I still can't get AD user accounts to work even with the
>>> pam_sss.so --  I was able to confirm pam is working changing
>>> /etc/pam.d/mysql to:
>>> >>> auth required pam_permit.so audit
>>> >>> account required pam_permit.so audit
>>> >>>
>>> >>> But, then no authentication is taking place.  I think the issue must
>>> be with sssd's pam_sss.so.
>>> >>>
>>> >>> I tried increasing the verbosity of the sssd logs.
>>> >>> https://pastebin.com/raw/FsJv4DYR
>>> >>> https://pastebin.com/raw/2TKhYygT
>>> >>>
>>> >>> Not sure if there is anything useful in there.
>>> >>>
>>> >>> On Mon, Aug 2, 2021 at 12:31 PM Honza Horak <hhorak@xxxxxxxxxx>
>>> wrote:
>>> >>>>
>>> >>>> Michael, can you share, please, which operating system and builds
>>> (upstream packages or those from the distribution) do you use?
>>> >>>>
>>> >>>> Thanks,
>>> >>>> Honza
>>> >>>>
>>> >>>> On Mon, Aug 2, 2021 at 5:35 PM Michael Barkdoll <
>>> mabarkdoll@xxxxxxxxx> wrote:
>>> >>>>>
>>> >>>>> Hi, I'm having issues getting the pam plugin to work with Rocky
>>> Linux 8 (RHEL 8) with AppStream MariaDB 10.5.  I've installed mariadb
>>> appstream for 10.5 and mariadb-pam packages.
>>> >>>>>
>>> >>>>> Added the following to /etc/my.cnf.d:
>>> >>>>> [mariadb]
>>> >>>>> plugin_load_add = auth_pam
>>> >>>>>
>>> >>>>> My sssd is joined to Active Directory.  I've created
>>> /etc/pam.d/mariadb trying both local pam_unix and pam_sss configurations:
>>> >>>>> # /etc/pam.d/mariadb for local accounts
>>> >>>>> auth required pam_unix.so audit
>>> >>>>> account required pam_unix.so audit
>>> >>>>>
>>> >>>>> # /etc/pam.d/mariadb for sssd active directory accounts
>>> >>>>> auth required pam_sss.so
>>> >>>>> account required pam_sss.so
>>> >>>>>
>>> >>>>> Tried creating local accounts with:
>>> >>>>> #CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>> >>>>> #GRANT SELECT ON db.* TO 'user'@'%' IDENTIFIED VIA pam;
>>> >>>>> #CREATE USER 'user2'@'%' IDENTIFIED VIA pam;
>>> >>>>> #GRANT SELECT ON db.* TO 'user2'@'%' IDENTIFIED VIA pam;
>>> >>>>>
>>> >>>>> I've also tried creating AD accounts:
>>> >>>>> #CREATE USER 'aduser'@'%' IDENTIFIED VIA pam USING 'mariadb';
>>> >>>>> #GRANT SELECT ON db.* TO 'aduser'@'%' IDENTIFIED VIA pam;
>>> >>>>> #CREATE USER 'aduser@xxxxxxxxxxx'@'%' IDENTIFIED VIA pam USING
>>> 'mariadb';
>>> >>>>> #GRANT SELECT ON db.* TO 'aduser@xxxxxxxxxxx'@'%' IDENTIFIED VIA
>>> pam;
>>> >>>>>
>>> >>>>> I see Redhat has issues with MariaDB 10.3 working with pam plugin
>>> but it sounded like 10.5 should work?
>>> >>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1942330
>>> >>>>>
>>> >>>>> I feel like I'm missing something in my /etc/sssd/sssd.conf file
>>> or some pam configuration steps.
>>> >>>>>
>>> >>>>> I'm using authselect with sssd:
>>> >>>>> authselect select custom/user-profile with-mkhomedir with-sudo
>>> with-pamaccess
>>> >>>>>
>>> >>>>> All attempts to `mysql -u user -p` fail.
>>> >>>>>
>>> >>>>> MariaDB [(none)]> show plugins;
>>> >>>>> | pam                           | ACTIVE   | AUTHENTICATION     |
>>> auth_pam.so | GPL     |
>>> >>>>>
>>> >>>>> I tried adding a [pam] section to sssd.
>>> >>>>>
>>> >>>>> [pam]
>>> >>>>> pam_public_domains = all
>>> >>>>> pam_verbosity = 3
>>> >>>>>
>>> >>>>> Didn't seem to help.  I used realmd to join AD.  Any help is much
>>> appreciated.
>>> >>>>>
>>> >>>>> mysql -u user -p
>>> >>>>> Enter password:
>>> >>>>> ERROR 1045 (28000): Access denied for user 'user'@'localhost'
>>> (using password: NO)
>>> >>>>>
>>> >>>>> _______________________________________________
>>> >>>>> Mailing list: https://launchpad.net/~maria-discuss
>>> >>>>> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
>>> >>>>> Unsubscribe : https://launchpad.net/~maria-discuss
>>> >>>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
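The diagnostic that carries this thread is the pair of /var/log/secure lines "pam_sss(mariadb:auth): authentication success" followed by "pam_sss(mariadb:account): Access denied": the password was accepted, and the failure happens in the PAM account phase, which is where pam_sss applies sssd's access control (access_provider / ad_access_filter) rather than in the MariaDB plugin. The script below is an added example, not code from the thread or from MariaDB or SSSD; it groups pam_sss / pam_unix syslog lines per PAM transaction (host, program, pid) and classifies each attempt so that "credential failure", "account-phase denial" and "auth ok" are told apart, and it names the module that produced the denial. The sample log is constructed for the example, modelled on the lines posted above and on the standard pam_unix "authentication failure" message; hostnames, pids and the extra users are placeholders.

```python
"""Triage pam_sss / pam_unix syslog lines for a MariaDB PAM service.

Lines are grouped by (host, program, pid) so the auth and account phases of
one login attempt are read together, then each attempt is classified.  An
"authentication success" in the auth phase followed by "Access denied" in
the account phase is an access-control decision, not a credential problem.
"""
import re
from collections import OrderedDict

# Constructed sample, modelled on the /var/log/secure excerpts in the thread.
# Hostnames, pids and the users other than adadmin are placeholders.
SAMPLE_SECURE_LOG = """\
Aug  3 08:56:06 cs-dbserv auth_pam_tool[76893]: pam_sss(mariadb:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=adadmin
Aug  3 08:56:06 cs-dbserv auth_pam_tool[76893]: pam_sss(mariadb:account): Access denied for user adadmin: 6 (Permission denied)
Aug  3 08:58:42 cs-dbserv sssd[76951]: Outgoing update query:
Aug  3 09:03:05 cs-dbserv sssctl[77040]: pam_sss(mariadb:account): Access denied for user adadmin: 6 (Permission denied)
Aug  3 09:10:12 cs-dbserv auth_pam_tool[77102]: pam_unix(mariadb:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=localuser
Aug  3 09:11:40 cs-dbserv auth_pam_tool[77130]: pam_sss(mariadb:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=aduser2
"""

# syslog prefix, then "<module>(<service>:<phase>): <message>" as PAM modules log it
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[^:()]+):(?P<phase>auth|account|session|password)\): "
    r"(?P<msg>.*)$"
)
# "user=NAME" (word boundary keeps "ruser=" from matching) or "for user NAME:"
USER_RE = re.compile(r"(?:\buser=|\bfor user )(?P<user>[^\s:]+)")


def parse_line(line):
    """Return a dict for one PAM syslog line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    u = USER_RE.search(rec["msg"])
    rec["user"] = u.group("user") if u else None
    return rec


def group_attempts(log_text):
    """Group parsed lines into login attempts keyed by (host, prog, pid)."""
    attempts = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            attempts.setdefault((rec["host"], rec["prog"], rec["pid"]), []).append(rec)
    return attempts


def classify(records):
    """Classify one attempt from its auth/account records."""
    denied = [r for r in records if r["phase"] == "account" and "Access denied" in r["msg"]]
    failed = [r for r in records if r["phase"] == "auth" and "authentication failure" in r["msg"]]
    auth_ok = any(r["phase"] == "auth" and "authentication success" in r["msg"] for r in records)
    if denied:            # password accepted (or not asked), access control said no
        verdict, module = "account-denied", denied[0]["module"]
    elif failed:          # the credential itself was rejected
        verdict, module = "auth-failed", failed[0]["module"]
    elif auth_ok:         # auth passed and no denial was logged for this pid
        verdict, module = "auth-ok", None
    else:
        verdict, module = "unknown", None
    users = {r["user"] for r in records if r["user"]}
    services = {r["service"] for r in records}
    return {
        "user": users.pop() if len(users) == 1 else None,
        "service": services.pop() if len(services) == 1 else None,
        "verdict": verdict,
        "module": module,
    }


def triage(log_text):
    """One summary dict per login attempt, in log order."""
    return [dict(prog=key[1], pid=key[2], **classify(recs))
            for key, recs in group_attempts(log_text).items()]


if __name__ == "__main__":
    for a in triage(SAMPLE_SECURE_LOG):
        print(f"{a['prog']}[{a['pid']}] service={a['service']} user={a['user']} "
              f"-> {a['verdict']} ({a['module'] or '-'})")
```

Run it against the real file with `triage(open("/var/log/secure").read())`. An `account-denied` verdict attributed to `pam_sss` is the case in this thread, and `sssctl user-checks -s <service> <user>` (shown above) reproduces that decision outside MariaDB, which is what separates an sssd access-control problem from a MariaDB PAM plugin problem.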
