Sorry, I wasn't replying to the listserv initially.

Complete list of packages available here:
https://pastebin.com/raw/Ux8sac73

Operating system is Rocky Linux 8.4, which should be 100% binary compatible with Red Hat 8.4. I used MariaDB AppStream 10.5 for the install with maria-pam 10.5.9 as well. I will confirm the same on Red Hat 8.4.

Update: I was able to get local users working by renaming /etc/pam.d/mariadb to /etc/pam.d/mysql, contents:

auth required pam_unix.so audit
account required pam_unix.so audit

However, I still can't get AD user accounts to work even with pam_sss.so. I was able to confirm PAM is working by changing /etc/pam.d/mysql to:

auth required pam_permit.so audit
account required pam_permit.so audit

But then no authentication is taking place. I think the issue must be with sssd's pam_sss.so. I tried increasing the verbosity of the sssd logs.

https://pastebin.com/raw/FsJv4DYR
https://pastebin.com/raw/2TKhYygT

Not sure if there is anything useful in there.

On Mon, Aug 2, 2021 at 12:31 PM Honza Horak <hhorak@redhat.com> wrote:
Michael, can you share, please, which operating system and builds (upstream packages or those from the distribution) do you use?
Thanks, Honza
On Mon, Aug 2, 2021 at 5:35 PM Michael Barkdoll <mabarkdoll@gmail.com> wrote:
Hi, I'm having issues getting the pam plugin to work with Rocky Linux 8 (RHEL 8) with AppStream MariaDB 10.5. I've installed mariadb appstream for 10.5 and mariadb-pam packages.
Added the following to /etc/my.cnf.d:

[mariadb]
plugin_load_add = auth_pam
My sssd is joined to Active Directory. I've created /etc/pam.d/mariadb trying both local pam_unix and pam_sss configurations:

# /etc/pam.d/mariadb for local accounts
auth required pam_unix.so audit
account required pam_unix.so audit

# /etc/pam.d/mariadb for sssd active directory accounts
auth required pam_sss.so
account required pam_sss.so
Tried creating local accounts with:

#CREATE USER 'user'@'%' IDENTIFIED VIA pam USING 'mariadb';
#GRANT SELECT ON db.* TO 'user'@'%' IDENTIFIED VIA pam;
#CREATE USER 'user2'@'%' IDENTIFIED VIA pam;
#GRANT SELECT ON db.* TO 'user2'@'%' IDENTIFIED VIA pam;
I've also tried creating AD accounts:

#CREATE USER 'aduser'@'%' IDENTIFIED VIA pam USING 'mariadb';
#GRANT SELECT ON db.* TO 'aduser'@'%' IDENTIFIED VIA pam;
#CREATE USER 'aduser@college.edu'@'%' IDENTIFIED VIA pam USING 'mariadb';
#GRANT SELECT ON db.* TO 'aduser@college.edu'@'%' IDENTIFIED VIA pam;
I see Red Hat has issues with MariaDB 10.3 working with the pam plugin, but it sounded like 10.5 should work?
https://bugzilla.redhat.com/show_bug.cgi?id=1942330
I feel like I'm missing something in my /etc/sssd/sssd.conf file or some pam configuration steps.
I'm using authselect with sssd:

authselect select custom/user-profile with-mkhomedir with-sudo with-pamaccess
All attempts to `mysql -u user -p` fail.
MariaDB [(none)]> show plugins;
| pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |
I tried adding a [pam] section to sssd.
[pam]
pam_public_domains = all
pam_verbosity = 3
Didn't seem to help. I used realmd to join AD. Any help is much appreciated.
mysql -u user -p
Enter password:
ERROR 1045 (28000): Access denied for user 'user'@'localhost' (using password: NO)
_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to     : maria-discuss@lists.launchpad.net
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp