  1. MariaDB Server
  2. MDEV-17095

pam_user_map module throws syntax error if group name contains backslash

    Details

      Description

      When using Active Directory, group names can have backslashes when specified in the "domain account format". See here for more information:

      https://docs.microsoft.com/en-us/windows/desktop/ad/getting-the-domain-account-style-name-of-a-group

      "getent group" on Linux is capable of interpreting backslashes in group names when AD is configured. For example, the following command properly gets the information about the AD group:

      getent group mydomain\\my-dba-group
      

      However, the pam_user_map module does not seem to support this format at the moment. If /etc/security/user_map.conf contains a line like the following:

      @mydomain\\my-dba-group: mysqldba 
      

      Then the module would throw an error like the following:

      Aug 28 17:22:02 ip-10-156-191-170 mysqld: pam_user_map(mysql:auth): Syntax error at /etc/security/user_map.conf:5
      

      The same error is seen if only a single backslash is used in the group name, e.g.:

      @mydomain\my-dba-group: mysqldba 
      

      The workaround is to set a default domain in the system's AD configuration.
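
As an added example (not part of the original report and not MariaDB's code), the check below finds user_map.conf entries whose source name contains a backslash, which is the condition this report says ends in a syntax error. It assumes the "name: target" / "@group: target" layout with "#" comments; the sample file and the lint_user_map name are constructed for illustration, and the suggested short name is only usable once the default-domain workaround is in place.

```python
"""Flag user_map.conf entries that carry a backslash in the source name."""

# Constructed sample file. Lines 5 and 6 are the two forms quoted in the report.
SAMPLE_CONF = r"""# constructed sample of /etc/security/user_map.conf
john: jack

@dba: mysqldba
@mydomain\\my-dba-group: mysqldba
@mydomain\my-dba-group: mysqldba
"""


def lint_user_map(text):
    """Return [(line_no, source_name, short_name)] for backslash entries.

    Assumed layout: 'user: target' or '@group: target', '#' starts a comment.
    short_name is the name without the domain prefix (hypothetical suggestion,
    only valid once a default domain is configured on the host).
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not entries
        source, sep, _target = line.partition(":")
        source = source.strip()
        if not sep or "\\" not in source:
            continue  # only the backslash condition from the report is checked
        short = source.rsplit("\\", 1)[1]
        if source.startswith("@"):
            short = "@" + short  # keep the group marker on the short form
        findings.append((line_no, source, short))
    return findings


if __name__ == "__main__":
    path = "/etc/security/user_map.conf"  # path as given in the report
    for line_no, source, short in lint_user_map(SAMPLE_CONF):
        print(f"{path}:{line_no}: backslash in {source!r}; short form {short!r}")
```

Running it against a candidate file before it reaches /etc/security lets the mapping problem surface at review time rather than as a failed login in the mysqld log.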

            People

            Assignee:
            holyfoot Alexey Botchkov
            Reporter:
            GeoffMontee Geoff Montee