Details
- Bug
- Status: Closed
- Major
- Resolution: Not a Bug
- 10.3.11
- None
- CentOS 7
Description
In a Microsoft Active Directory (AD) environment user IDs are case-sensitive.
For example, we have a user that resolves as 'JohnD' and other DBs and the Linux OS recognize it as such. However, when that user attempts to authenticate to MariaDB as 'JohnD' via PAM, the authentication fails, even though I've created the user as 'JohnD' IDENTIFIED VIA pam.
If I create the user in MariaDB as 'johnd' (all lower case) and have the user specify it that way, it does properly authenticate via PAM, so MariaDB is casting the PAM account to lowercase and failing to recognize the username with correct capitalization.
Issue Links
- relates to MDEV-18686 Add option to PAM authentication plugin to allow case insensitive username matching (Closed)
/var/log/secure on MariaDB rejection (using JohnD):
Feb 21 19:02:20 mariadev1 mysqld: pam_unix(password-auth:auth): authentication failure; logname= uid=502 euid=502 tty= ruser= rhost= user=JohnD
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Verify user 'JohnD'
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): user 'JohnD' granted access
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Returned user was 'johnd'
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:account): user 'johnd' granted access
mariadb-error.log on rejection:
2019-02-21 19:02:20 7320 [Warning] Access denied for user 'JohnD'@'[host-redacted]' (using password: NO)
/var/log/secure on MariaDB acceptance (using johnd):
Feb 22 17:38:25 mariadev1 mysqld: pam_unix(password-auth:auth): authentication failure; logname= uid=502 euid=502 tty= ruser= rhost= user=johnd
Feb 22 17:38:25 mariadev1 mysqld: pam_winbind(password-auth:auth): user 'johnd' granted access
Feb 22 17:38:25 mariadev1 mysqld: pam_winbind(password-auth:account): user 'johnd' granted access
(nothing in the mariadb-error.log file on success.)
So it looks to me like MariaDB is rejecting the login attempt specifically because the ID returned by winbind – johnd – is not an exact case match for the ID that was provided (JohnD), even though PAM accepts and authorizes the connection.
IOW, PAM and winbind say "yes," but MariaDB says "no."
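A log check for the mismatch described above, as an added example that is not part of the original report: it flags pam_winbind auth entries where the returned user name differs from the requested one only by case, and pairs them with MariaDB "Access denied" warnings. The sample lines are copied from the excerpts above; the function names are hypothetical and the parser assumes one login attempt is logged at a time.

```python
import re

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# pam_winbind lines from the auth phase only (account-phase lines are skipped).
WINBIND = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ mysqld: "
                     r"pam_winbind\(\S+:auth\): (.*)$")
DENIED = re.compile(r"^\d{4}-(\d\d)-(\d\d) (\d\d:\d\d:\d\d) \d+ \[Warning\] "
                    r"Access denied for user '([^']*)'@")

def find_case_rewrites(secure_lines):
    """Return (when, requested, returned) where winbind changed only the case."""
    hits, requested = [], None
    for line in secure_lines:
        m = WINBIND.match(line)
        if not m:
            continue
        mon, day, clock, msg = m.groups()
        asked = re.match(r"(?:Verify )?user '([^']*)'", msg)
        back = re.match(r"Returned user was '([^']*)'", msg)
        if asked:
            requested = asked.group(1)
        elif back and requested is not None:
            returned = back.group(1)
            if returned != requested and returned.lower() == requested.lower():
                when = (MONTHS.index(mon) + 1, int(day), clock)
                hits.append((when, requested, returned))
            requested = None  # assumption: attempts are not interleaved
    return hits

def denied_after_rewrite(secure_lines, error_lines):
    """Rewrites that coincide with a MariaDB 'Access denied' for the same name."""
    denied = set()
    for line in error_lines:
        m = DENIED.match(line)
        if m:
            denied.add(((int(m.group(1)), int(m.group(2)), m.group(3)), m.group(4)))
    return [h for h in find_case_rewrites(secure_lines) if (h[0], h[1]) in denied]

# Sample input: pam_winbind and error-log lines copied from the report above.
SECURE_LOG = """\
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Verify user 'JohnD'
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): user 'JohnD' granted access
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:auth): Returned user was 'johnd'
Feb 21 19:02:20 mariadev1 mysqld: pam_winbind(password-auth:account): user 'johnd' granted access
Feb 22 17:38:25 mariadev1 mysqld: pam_winbind(password-auth:auth): user 'johnd' granted access
Feb 22 17:38:25 mariadev1 mysqld: pam_winbind(password-auth:account): user 'johnd' granted access
""".splitlines()
ERROR_LOG = ["2019-02-21 19:02:20 7320 [Warning] Access denied for user "
             "'JohnD'@'[host-redacted]' (using password: NO)"]

if __name__ == "__main__":
    print(denied_after_rewrite(SECURE_LOG, ERROR_LOG))
```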