The authentication process used by MariaDB's PAM authentication plugin goes like this:
- First, it calls pam_authenticate. This step causes the server to authenticate the user account by evaluating all auth module types in the provided PAM service configuration.
https://github.com/MariaDB/server/blob/54caaf684801c332a7130d478023aa7706a69aa1/plugin/auth_pam/auth_pam.c#L154
https://linux.die.net/man/3/pam_authenticate
- Second, it calls pam_acct_mgmt. This step causes the server to verify the user account by evaluating all *account* module types in the provided PAM service configuration.
https://github.com/MariaDB/server/blob/54caaf684801c332a7130d478023aa7706a69aa1/plugin/auth_pam/auth_pam.c#L157
https://linux.die.net/man/3/pam_acct_mgmt
This process is complicated somewhat when the pam_user_map module is included in the PAM service configuration. The pam_user_map module calls pam_sm_authenticate, which means that it is an auth module type, and it is evaluated when the plugin calls pam_authenticate.
https://github.com/MariaDB/server/blob/2ad51a0bd8380fba3d03a4cebd43860329b7fbaa/plugin/auth_pam/mapper/pam_user_map.c#L135
https://linux.die.net/man/3/pam_sm_authenticate
When group mapping is used along with pam_user_map, this means that the user being verified during the pam_acct_mgmt step is not the original user. If a user account with the same name does not exist, this can cause problems.
To give a concrete example, let's say that you have the following PAM service configuration:
#%PAM-1.0
auth required pam_sss.so
account sufficient pam_unix.so
account sufficient pam_sss.so
auth required pam_user_map.so debug
And /etc/security/user_map.conf looks like this:
If no system user called "dba" exists, then authentication will fail during the pam_acct_mgmt step, and the syslog will have messages like this:
Sep 27 17:17:05 dbserver1 mysqld: pam_user_map(mysql:auth): Opening file '/etc/security/user_map.conf'.
Sep 27 17:17:05 dbserver1 mysqld: pam_user_map(mysql:auth): Incoming username 'alice'.
Sep 27 17:17:05 dbserver1 mysqld: pam_user_map(mysql:auth): User belongs to 4 groups [dba,mongod,mongodba,mysql].
Sep 27 17:17:05 dbserver1 mysqld: pam_user_map(mysql:auth): Check if user is in group 'mysql': YES
Sep 27 17:17:05 dbserver1 mysqld: pam_user_map(mysql:auth): User mapped as 'dba'
Sep 27 17:17:05 dbserver1 mysqld: pam_unix(mysql:account): could not identify user (from getpwnam(dba))
Sep 27 17:17:05 dbserver1 mysqld: pam_sss(mysql:account): Access denied for user dba: 10 (User not known to the underlying authentication module)
Sep 27 17:17:05 dbserver1 mysqld: 2018-09-27 17:17:05 72 [Warning] Access denied for user 'alice'@'localhost' (using password: NO)
This can be solved by simply adding a system user with the same name as the group being mapped:
But I wonder whether this limitation can be lifted, and if so, whether we would want to lift it. One possible solution would be to implement pam_sm_acct_mgmt for pam_user_map, so that group mapping could optionally happen as an account module type, rather than an auth module type, and it would be evaluated when the plugin called pam_acct_mgmt.
https://linux.die.net/man/3/pam_sm_acct_mgmt
I see that the user is actually changed with pam_set_item, and it looks like that can be called from any module type.
https://github.com/MariaDB/server/blob/2ad51a0bd8380fba3d03a4cebd43860329b7fbaa/plugin/auth_pam/mapper/pam_user_map.c#L220
https://linux.die.net/man/3/pam_set_item
However, I don't know enough about PAM to know for sure that this would make the problem go away.
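An added check for the failure mode described in this issue (this is example code written here, not part of the issue or of MariaDB's plugin): it parses a user_map.conf-style mapping and reports every mapped target that does not resolve to a system account, which is what pam_unix/pam_sss reject at the pam_acct_mgmt step. The mapping syntax (`user: target`, `@group: target`, `#` comment lines) follows pam_user_map's documented format; the sample mapping and the `user_exists` hook are constructed here so the check runs offline.

```python
"""Lint pam_user_map mappings before MariaDB's PAM plugin hits them.

Every target on the right-hand side of a mapping becomes PAM_USER before
pam_acct_mgmt runs, so it must exist as a system account or the account
stack (pam_unix / pam_sss) fails with "could not identify user".
"""
import pwd
import re

# Constructed sample of /etc/security/user_map.conf (format assumed from
# pam_user_map's documentation: "user: target" and "@group: target").
SAMPLE_USER_MAP = """\
# map by login name
bob: bob
# map by Unix group membership (the case from the syslog above)
@mysql: dba
@mongodba: mongo_dba
"""

MAP_LINE = re.compile(r"^(@?)([^:\s]+)\s*:\s*(\S+)$")


def parse_user_map(text):
    """Return [(is_group, source, target), ...]; skips blank and '#' lines."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable user_map line: {raw!r}")
        mappings.append((m.group(1) == "@", m.group(2), m.group(3)))
    return mappings


def system_user_exists(name):
    """Same lookup pam_unix performs (getpwnam) for the mapped user."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def find_unresolvable_targets(text, user_exists=system_user_exists):
    """Mapped targets that the account stack would reject, sorted, unique."""
    return sorted({t for _, _, t in parse_user_map(text) if not user_exists(t)})
```

Run it against the real file with `find_unresolvable_targets(open("/etc/security/user_map.conf").read())`; any name it returns needs a matching system account (or the account-stack change discussed in this issue) before group mapping will work.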
Is duplicated by MDEV-14124: pam_user_map plugin doesn't work on RH7 (Closed)
Authenticating for MariaDB isn't really a "logging into an account", so, unlike login or ssh PAM policies, the MariaDB PAM file doesn't need these account lines. Using just
account required pam_permit.so
should be enough.