Hi all,

I'd like to ask an additional question re the subject line.

I have set up pam auth with pam_winbind.so on a debian 9 stretch samba domain member server, with mariadb 10.1 from the debian repo in "pam_use_cleartext_plugin" mode. I can log on (both ssh and mysql) with domain usernames fine, and the system knows group memberships too (confirmed with "id ADusername"), so basic functions all seem to work.

Next is using groups for access control. So I tried following this:
https://mariadb.com/resources/blog/configuring-pam-group-mapping-mariadb

In short, what I did:
- download the 10.1 plugin
- compile
- copy to /lib/x86_64-linux-gnu/security/ (debian path, different from the howto)
- made /etc/pam.d/mysql look like:
#%PAM-1.0
auth required pam_winbind.so
account required pam_winbind.so
auth required pam_user_map.so
- skipping the shadow stuff, as I guess it's not needed for winbind/ldap

I have a user1 in AD, member of user1_grp, so for a quick test I created /etc/security/user_map.conf with:
@user1_grp: root
However, as soon as I add pam_user_map.so to mysql pam file, we're getting:
root@mariadb:~# mysql -uuser1 -p
Enter password:
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): getting password (0x00000000)
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:auth): user 'user1' granted access
Sep 24 12:37:47 mariadb mysqld: pam_winbind(mysql:account): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND
ERROR 1045 (28000): Access denied for user 'user1'@'localhost' (using password: NO)
root@mariadb:~#
When I remove pam_user_map.so from pam, logging in works again.

Have been at it for a while now, and could really use some fresh input. Anyone done this..? On debian stretch? What am I missing..?

Thanks!