Our MariaDB-server RPM creates auth_pam_tool_dir with owner root, and only later in the post install hook script change the ownership to the mysql system user.
rpm --setguids MariaDB-server
the directory owner is reset from "mysql" to "root", and with that and the "owner only" permissions of that directory, the auth_pam_tool utility contained by it can no longer be executed by the server, so breaking PAM authentication completely.
Looking at the plugin/auth_pam/CMakeLists.txt file I can see:
So the directory permissions are set there, but not the owner. By changing this to
the explicit chmod in the post install hook script should no longer be needed, and "rpm -setugids" should keep the correct ownership intact.