Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-26876

auth_pam does not work when config file is not named mysql

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 10.5.12
    • Fix Version/s: None
    • Component/s: Plugin - pam
    • Labels:
    • Environment:
      SLES15 SP3

      Description

      After updating from 10.2.15 which came with an earlier version of SLES to 10.5.12, our PAM authentication stopped working without any error messages or warnings.

      Our setup was using a config file called 'mariadb' in /etc/map.d/ and our users were created with "USING 'mariabd'"

      After a lot of debugging and investigations, it appeared we had to rename the config file to 'mysql' and re-create our users without the "USING 'mariadb'" option.

      After doing that, it started working again.

      To further test this, we duplicated the config file, so we had two identical files: mariadb and mysql

      /etc/pam.d/mariadb & /etc/pam.d/mysql:

      auth required pam_ldap.so
      auth required pam_warn.so
      account required pam_ldap.so
      account required pam_warn.so
      

      (pam_warn.so can be removed, and does not affect the testing at all, it just logs to syslog)

      We than re-created the user with the USING option, and tried to login.

      > CREATE USER 'test'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
      > FLUSH PRIVILEGES;
      

      No password is asked, and no errors logged:

      # mysql -utest
      ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: NO)
      

      Re-creating the user with mysql as the 'service' name:

      > DROP USER 'test'@'localhost';
      > CREATE USER 'test'@'localhost' IDENTIFIED VIA pam USING 'mysql';
      > FLUSH PRIVILEGES;
      

      Results in a password request and a successful login:

      # mysql -utest
      [mariadb] Password:
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      

      more info:

      > SELECT * FROM information_schema.PLUGINS where PLUGIN_NAME = 'pam'\G
      *************************** 1. row ***************************
                 PLUGIN_NAME: pam
              PLUGIN_VERSION: 2.0
               PLUGIN_STATUS: ACTIVE
                 PLUGIN_TYPE: AUTHENTICATION
         PLUGIN_TYPE_VERSION: 2.2
              PLUGIN_LIBRARY: auth_pam.so
      PLUGIN_LIBRARY_VERSION: 1.14
               PLUGIN_AUTHOR: MariaDB Corp
          PLUGIN_DESCRIPTION: PAM based authentication
              PLUGIN_LICENSE: GPL
                 LOAD_OPTION: ON
             PLUGIN_MATURITY: Stable
         PLUGIN_AUTH_VERSION: 2.0
       
       
       
      > SHOW PLUGINS SONAME LIKE '%pam%'\G
      *************************** 1. row ***************************
         Name: pam
       Status: ACTIVE
         Type: AUTHENTICATION
      Library: auth_pam.so
      License: GPL
      *************************** 2. row ***************************
         Name: pam
       Status: NOT INSTALLED
         Type: AUTHENTICATION
      Library: auth_pam_v1.so
      License: GPL
       
      > SHOW GLOBAL VARIABLES LIKE 'pam%'\G
      *************************** 1. row ***************************
      Variable_name: pam_use_cleartext_plugin
              Value: OFF
      *************************** 2. row ***************************
      Variable_name: pam_winbind_workaround
              Value: OFF
      

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            pluk77 Marcel
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:

                Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.