Details
-
Bug
-
Status: Open (View Workflow)
-
Critical
-
Resolution: Unresolved
-
10.5.12
-
None
-
SLES15 SP3
Description
After updating from 10.2.15 which came with an earlier version of SLES to 10.5.12, our PAM authentication stopped working without any error messages or warnings.
Our setup was using a config file called 'mariadb' in /etc/map.d/ and our users were created with "USING 'mariabd'"
After a lot of debugging and investigations, it appeared we had to rename the config file to 'mysql' and re-create our users without the "USING 'mariadb'" option.
After doing that, it started working again.
To further test this, we duplicated the config file, so we had two identical files: mariadb and mysql
/etc/pam.d/mariadb & /etc/pam.d/mysql:
auth required pam_ldap.so
|
auth required pam_warn.so
|
account required pam_ldap.so
|
account required pam_warn.so
|
(pam_warn.so can be removed, and does not affect the testing at all, it just logs to syslog)
We than re-created the user with the USING option, and tried to login.
> CREATE USER 'test'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
|
> FLUSH PRIVILEGES;
|
No password is asked, and no errors logged:
# mysql -utest
|
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: NO)
|
Re-creating the user with mysql as the 'service' name:
> DROP USER 'test'@'localhost';
|
> CREATE USER 'test'@'localhost' IDENTIFIED VIA pam USING 'mysql';
|
> FLUSH PRIVILEGES;
|
Results in a password request and a successful login:
# mysql -utest
|
[mariadb] Password:
|
Welcome to the MariaDB monitor. Commands end with ; or \g.
|
more info:
> SELECT * FROM information_schema.PLUGINS where PLUGIN_NAME = 'pam'\G
|
*************************** 1. row ***************************
|
PLUGIN_NAME: pam
|
PLUGIN_VERSION: 2.0
|
PLUGIN_STATUS: ACTIVE
|
PLUGIN_TYPE: AUTHENTICATION
|
PLUGIN_TYPE_VERSION: 2.2
|
PLUGIN_LIBRARY: auth_pam.so
|
PLUGIN_LIBRARY_VERSION: 1.14
|
PLUGIN_AUTHOR: MariaDB Corp
|
PLUGIN_DESCRIPTION: PAM based authentication
|
PLUGIN_LICENSE: GPL
|
LOAD_OPTION: ON
|
PLUGIN_MATURITY: Stable
|
PLUGIN_AUTH_VERSION: 2.0
|
|
|
|
|
|
|
> SHOW PLUGINS SONAME LIKE '%pam%'\G
|
*************************** 1. row ***************************
|
Name: pam
|
Status: ACTIVE
|
Type: AUTHENTICATION
|
Library: auth_pam.so
|
License: GPL
|
*************************** 2. row ***************************
|
Name: pam
|
Status: NOT INSTALLED
|
Type: AUTHENTICATION
|
Library: auth_pam_v1.so
|
License: GPL
|
|
|
> SHOW GLOBAL VARIABLES LIKE 'pam%'\G
|
*************************** 1. row ***************************
|
Variable_name: pam_use_cleartext_plugin
|
Value: OFF
|
*************************** 2. row ***************************
|
Variable_name: pam_winbind_workaround
|
Value: OFF
|