Hi, mj! On Sep 25, mj wrote:
Hi,
So, much progress, using the PAM debug flags:

auth required pam_winbind.so debug
account required pam_winbind.so debug
auth required pam_user_map.so debug

revealing this in /var/log/debug:

Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000001)
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Verify user 'ADuser1'
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): request wbcLogonUser succeeded
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): user 'ADuser1' granted access
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Returned user was 'ADuser1'
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Opening file '/etc/security/user_map.conf'.
Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Incoming username 'ADuser1'.
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User belongs to 3 groups [group1,group2,group3].
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): Check if user is in group 'group1': YES
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User mapped as 'root'
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): user 'root' not found
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)
Thanks, that was very helpful!
So the problem is: I am mapping the login to user "root", which doesn't exist in AD.
When mapping to an existing AD user, things started to work.
Now the remaining $1,000,000 question, if I may:
The aim is to map AD users 'into' a local MariaDB user. This does not work, as PAM tries to find both the login user and the target mapped user (see logs above).
What (probably PAM?) config is required to handle the case where we log on to MySQL using AD usernames/passwords, and map/proxy those into a local MySQL username? Anyone?
pam_user_map renames the user in the PAM module chain, that is, all following PAM modules will see the new name. And because 'account' modules are invoked after 'auth', pam_winbind will see the new name. Do you really have to use the "account required pam_winbind.so" line? I didn't try it myself, but I'd think that using "account required pam_permit.so" would help. That's what we're using to test the MariaDB pam plugin in the mysql-test framework.

Regards,
Sergei
Chief Architect MariaDB
and security@mariadb.org
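The complete setup the thread converges on, written out as an added example (this is not code from the thread, from mj, or from the MariaDB project): a PAM stack for the "mysql" service where pam_winbind verifies the AD password, pam_user_map rewrites the PAM user from a user_map.conf group rule, and the account phase is pam_permit, since the mapped name is a local MariaDB account that pam_winbind cannot find (the PAM_USER_UNKNOWN in the log above). The script writes the three pieces under a scratch directory for review rather than into /etc. The AD group name "dbagroup", the local account "dbuser", the database "appdb", and the placeholder password are assumptions; the PAM service name "mysql" is taken from the log lines in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from MariaDB itself.
# Generates the PAM service file, the pam_user_map rule file and the SQL
# for proxying AD users onto one local MariaDB account. Everything is
# written under the directory given as $1 (default: a fresh mktemp dir)
# so it can be reviewed before being copied into /etc and the server.
set -eu

write_mariadb_pam_config() {
    root="$1"
    mkdir -p "$root/pam.d" "$root/security"

    # /etc/pam.d/mysql
    # auth:    pam_winbind checks the AD password; pam_user_map then rewrites
    #          the PAM user to the local account chosen in user_map.conf.
    # account: pam_permit, because every module after pam_user_map sees the
    #          mapped name. Running pam_winbind here returns PAM_USER_UNKNOWN
    #          for a name that only exists in MariaDB.
    # Caveat:  with pam_permit, no account checks (expiry, lockout) run for
    #          the mapped name; AD lockout still applies at the auth step.
    #          Leave "debug" off in production: it logs every login attempt.
    cat > "$root/pam.d/mysql" <<'EOF'
auth required pam_winbind.so
auth required pam_user_map.so
account required pam_permit.so
EOF

    # /etc/security/user_map.conf
    # "@group: user" maps every member of an AD group (as seen by winbind)
    # to one local account. Map to a least-privilege account, never to
    # root, so a compromised domain account does not become a DBA.
    # Assumed group name: dbagroup.
    cat > "$root/security/user_map.conf" <<'EOF'
@dbagroup: dbuser
EOF

    # SQL to run on the server. The anonymous ''@'%' account authenticates
    # via the "mysql" PAM service; pam_user_map makes the plugin report
    # "dbuser" as the authenticated user, which MariaDB only accepts
    # because of the explicit PROXY grant. dbuser's own password is an
    # assumed placeholder: keep it secret (or lock the account where the
    # server version supports it) so nobody logs in as dbuser directly.
    cat > "$root/proxy_users.sql" <<'EOF'
INSTALL SONAME 'auth_pam';
CREATE USER 'dbuser'@'%' IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'dbuser'@'%';
CREATE USER ''@'%' IDENTIFIED VIA pam USING 'mysql';
GRANT PROXY ON 'dbuser'@'%' TO ''@'%';
EOF

    printf '%s\n' "$root"
}

# Stand-alone run: write the files to a scratch directory and print its path.
write_mariadb_pam_config "${1:-$(mktemp -d)}"
```

After copying pam.d/mysql and security/user_map.conf into /etc and running the SQL, an AD member of dbagroup connects with `mysql -u ADuser1 -p` and, once in, `SELECT USER(), CURRENT_USER();` should show the AD name as USER() and dbuser as CURRENT_USER(). If pam_user_map reports "User mapped as" a name that does not exist as a MariaDB account with a matching PROXY grant, the login fails at the server rather than at PAM.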