Hi,

So, much progress by using the pam debug flags:

auth required pam_winbind.so debug
account required pam_winbind.so debug
auth required pam_user_map.so debug

revealing this in /var/log/debug:
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] ENTER: pam_sm_authenticate (flags: 0x0000)
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000001)
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Verify user 'ADuser1'
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): request wbcLogonUser succeeded
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): user 'ADuser1' granted access
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): Returned user was 'ADuser1'
Sep 25 11:02:55 mariadb mysqld: pam_winbind(mysql:auth): [pamh: 0x7ff70141f480] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Opening file '/etc/security/user_map.conf'.
Sep 25 11:02:55 mariadb mysqld: pam_user_map(mysql:auth): Incoming username 'ADuser1'.
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User belongs to 3 groups [group1,group2,group3].
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): Check if user is in group 'group1': YES
Sep 25 11:02:56 mariadb mysqld: pam_user_map(mysql:auth): User mapped as 'root'
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): user 'root' not found
Sep 25 11:02:56 mariadb mysqld: pam_winbind(mysql:account): [pamh: 0x7ff70141f480] LEAVE: pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)

ERROR 1045 (28000): Access denied for user 'ADuser1'@'localhost' (using password: NO)
So the problem is: I am mapping the login to user "root", which doesn't exist in AD. When mapping to an existing AD user, things started to work.

Now the remaining 1.000.000$ question, if I may: the aim is to map AD users 'into' a local mariadb user. This does not work, as pam tries to find both the login user and the target mapped user (see logs above).

What (probably pam?) config is required to handle the case where we log on to mysql using AD usernames/passwords and map/proxy those into a local mysql username..?

Anyone?

MJ
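To make the phase ordering visible, here is an added toy model of the PAM flow that the debug log above records; it is illustration code, not part of the post and not code from the Samba or MariaDB projects. It assumes a constructed AD directory (ADuser1 in group1/group2/group3), a constructed local passwd set containing 'root', and a one-line mapping equivalent to '@group1: root'. libpam runs every 'auth' module before any 'account' module, so by the time the winbind account check runs, PAM_USER has already been rewritten to 'root', which is exactly what the log shows. The second stack, with an account module that checks the local passwd database (as a pam_unix-style module would), is an assumption of the model, included only to show that the failure is about which directory the account phase consults for the mapped name.

```python
"""Toy model of the PAM phase ordering seen in the posted pam_winbind /
pam_user_map debug log. Added illustration only: the directories, group
memberships and the 'local account' module are constructed assumptions."""

from dataclasses import dataclass, field

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_USER_UNKNOWN = 10

# Constructed sample data: one AD user and a local-only 'root' account.
AD_USERS = {"ADuser1": {"password": "s3cret", "groups": ["group1", "group2", "group3"]}}
LOCAL_USERS = {"root", "mysql"}
# Constructed equivalent of /etc/security/user_map.conf: '@group1: root'
GROUP_MAP = {"group1": "root"}


@dataclass
class PamHandle:
    user: str                     # the PAM_USER item; pam_user_map rewrites it
    authtok: str                  # the PAM_AUTHTOK item (password)
    original_user: str = field(init=False)
    trace: list = field(default_factory=list)

    def __post_init__(self):
        self.original_user = self.user


def winbind_auth(pamh):
    """Models pam_winbind pam_sm_authenticate: verify PAM_USER against AD."""
    entry = AD_USERS.get(pamh.user)
    if entry is None or entry["password"] != pamh.authtok:
        pamh.trace.append(f"winbind auth: user '{pamh.user}' denied")
        return PAM_AUTH_ERR
    pamh.trace.append(f"winbind auth: user '{pamh.user}' granted access")
    return PAM_SUCCESS


def user_map_auth(pamh):
    """Models pam_user_map: rewrite PAM_USER when the user is in a mapped group."""
    groups = AD_USERS.get(pamh.user, {}).get("groups", [])
    for group, target in GROUP_MAP.items():
        if group in groups:
            pamh.trace.append(f"user_map: '{pamh.user}' in '{group}', mapped as '{target}'")
            pamh.user = target
            return PAM_SUCCESS
    pamh.trace.append(f"user_map: no mapping for '{pamh.user}'")
    return PAM_SUCCESS


def winbind_account(pamh):
    """Models pam_winbind pam_sm_acct_mgmt: PAM_USER must exist in AD."""
    if pamh.user not in AD_USERS:
        pamh.trace.append(f"winbind account: user '{pamh.user}' not found")
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS


def local_account(pamh):
    """Assumed alternative (not from the post): an account module that checks
    the local passwd database, as a pam_unix-style module would."""
    if pamh.user not in LOCAL_USERS:
        pamh.trace.append(f"local account: user '{pamh.user}' not found")
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS


def run_stack(auth_modules, account_modules, user, password):
    """Run every 'auth' module, then every 'account' module, like libpam.
    All modules are treated as 'required': the phase keeps running after a
    failure, and the first failure decides the phase result."""
    pamh = PamHandle(user=user, authtok=password)
    for modules in (auth_modules, account_modules):
        result = PAM_SUCCESS
        for module in modules:
            rc = module(pamh)
            if rc != PAM_SUCCESS and result == PAM_SUCCESS:
                result = rc
        if result != PAM_SUCCESS:
            return result, pamh
    return PAM_SUCCESS, pamh


def posted_stack(user, password):
    """The stack from the post: winbind + user_map in auth, winbind in account."""
    return run_stack([winbind_auth, user_map_auth], [winbind_account], user, password)


def local_target_stack(user, password):
    """Assumed variant: the account phase looks the mapped user up locally."""
    return run_stack([winbind_auth, user_map_auth], [local_account], user, password)


if __name__ == "__main__":
    for stack in (posted_stack, local_target_stack):
        rc, pamh = stack("ADuser1", "s3cret")
        print(f"{stack.__name__}: rc={rc}, PAM_USER={pamh.user!r} (was {pamh.original_user!r})")
        for line in pamh.trace:
            print("  " + line)
```

Running it prints the posted stack ending in rc=10 with PAM_USER='root', mirroring the `pam_sm_acct_mgmt returning 10 (PAM_USER_UNKNOWN)` line in the log, while the assumed local-target stack returns 0. The trace also shows why the mapping module should be reasoned about carefully: because it runs in the auth phase, it rewrites PAM_USER even when the preceding winbind check failed, so the account phase and the application only ever see the mapped name and rely on the auth phase's result to have been enforced.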