[MDEV-14124] pam_user_map plugin doesn't work on RH7 Created: 2017-10-25  Updated: 2020-03-27  Resolved: 2020-03-27

Status: Closed
Project: MariaDB Server
Component/s: Plugin - pam
Affects Version/s: 10.1.28
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Iliya Taushanov Assignee: Unassigned
Resolution: Not a Bug Votes: 0
Labels: pam_user_map
Environment:

RedHat 7


Issue Links:
Duplicate
duplicates MDEV-17315 When using group mapping from pam_use... Closed

Description

We have working MariaDB AD authentication on RH 6 using pam_ldap, where AD accounts are mapped to MariaDB proxy users as per /etc/security/user_map.conf.

Since we are now migrating to RH 7, pam_ldap seems to be no longer supported and is replaced by nss-pam-ldapd, so we tried to use pam_sssd and nslcd for the purpose with RedHat support assistance without luck.

The issue seems to be that pam_sssd tries to authenticate the proxied user to AD, which apparently fails. The same happens when using nslcd.

Does pam_user_map module work with RedHat 7, or does the module need to be updated?

RH7, not working config:

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
domains = default
services = nss, pam, autofs
 
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://aluww01.emea.convergys.com/
ldap_id_use_start_tls = False
ldap_tls_cacert = /etc/ssl/certs/convergys_root_ca.pem
ldap_referrals = False
ldap_default_bind_dn = svc_icdial@emea.convergys.com
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXX
ldap_search_base = dc=emea,dc=convergys,dc=com
ldap_schema = ad
ldap_id_mapping = True
debug_level = 0
 
ldap_tls_cacertdir = /etc/openldap/cacerts
autofs_provider = ldap
krb5_realm = CONVERGYS.COM
cache_credentials = True
[nss]
[pam]
[autofs]

/etc/security/user_map.conf :

itau6125: dbuser_dba

/etc/pam.d/mysql:

auth required pam_sss.so
account required pam_sss.so
auth required pam_user_map.so

/var/log/secure:

Oct 24 09:24:48 localhost mysqld: pam_sss(mysql:auth): authentication success; logname= uid=27 euid=27 tty= ruser= rhost= user=itau6125
Oct 24 09:24:48 localhost mysqld: pam_sss(mysql:account): Access denied for user dbuser_dba: 10 (User not known to the underlying authentication module)

Working config on all our 20+ RH 6 MariaDB servers using pam_ldap openldap openldap-clients pam-devel:

/etc/pam.d/mysql :

auth required pam_ldap.so
account required pam_ldap.so
auth required pam_user_map.so

/etc/openldap/ldap.conf

TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/ssl/certs/convergys_root_ca.pem

/etc/pam_ldap.conf :

tls_cacertfile /etc/ssl/certs/cert.pem
debug 1
base dc=convergys,dc=com
binddn XXXXXXXX
bindpw XXXXXXXX
uri ldaps://XXX.XX.convergys.com:3269
ssl yes
referrals no
pam_member_attribute member
pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad

yum install pam_ldap openldap openldap-clients pam-devel
mkdir -p /usr/src/mariadb-map-plugin
cd /usr/src/mariadb-map-plugin
wget https://raw.githubusercontent.com/MariaDB/server/10.1/plugin/auth_pam/mapper/pam_user_map.c
gcc pam_user_map.c -shared -lpam -fPIC -o pam_user_map.so
install --mode=0755 pam_user_map.so /lib64/security/

In mysql/MariaDB cli:

INSTALL SONAME 'auth_pam';
create user 'dbuser_dba'@'%' identified by 'XXX';
create user 'dbuser_dm'@'%' identified by 'XXX';
drop user ''@'%';
drop user ''@localhost;
FLUSH PRIVILEGES;
CREATE USER ''@'%' IDENTIFIED with pam as 'mysql';
FLUSH PRIVILEGES;
 
GRANT ALL ON *.* TO 'dbuser_dba'@'%' WITH GRANT OPTION;
GRANT SELECT ON asterisk.* TO 'dbuser_dm'@'%';
GRANT REPLICATION CLIENT  ON *.* TO 'dbuser_dm'@'%';
FLUSH PRIVILEGES;
GRANT PROXY ON 'dbuser_dba'@'%' to ''@'';
GRANT PROXY ON 'dbuser_dm'@'%' to ''@'';
FLUSH PRIVILEGES;



Comments
Comment by Geoff Montee (Inactive) [ 2020-03-27 ]

Does pam_user_map module work with RedHat 7, or does the module need to be updated?

Yes, the pam_user_map PAM module works on RHEL 7.

Your problem seems to be shown fairly clearly in the output of /var/log/secure:

Oct 24 09:24:48 localhost mysqld: pam_sss(mysql:auth): authentication success; logname= uid=27 euid=27 tty= ruser= rhost= user=itau6125
Oct 24 09:24:48 localhost mysqld: pam_sss(mysql:account): Access denied for user dbuser_dba: 10 (User not known to the underlying authentication module)

You seem to be running into this issue:

https://mariadb.com/kb/en/user-and-group-mapping-with-pam/#pam-user-with-same-name-as-mapped-mariadb-user-must-exist

There are potentially two ways to fix this:

  • Create a user named "dbuser_dba" in the backend pam_sss or pam_ldap authentication system.

OR

  • Change your PAM service configuration to one that does not verify the user account. For example, you could change the "account" configuration to use "pam_permit.so":

auth required pam_sss.so
auth required pam_user_map.so debug
account required pam_permit.so
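The failure shown in the /var/log/secure lines above (pam_sss "auth" succeeds for itau6125, then "account" is asked about the rewritten name dbuser_dba and rejects it) can be caught before a deployment by checking that every right-hand name in the map file resolves in the NSS/PAM backend. The script below is an added example written for this page; it is not MariaDB's code, not the reporter's, and not Geoff Montee's. It parses a user_map.conf-style file (the `user: mysqluser` and `@group: mysqluser` forms that pam_user_map reads) and lists mapped names that a lookup command cannot resolve. The default lookup is `getent passwd`, which consults NSS (sssd or nslcd); the `demo_lookup` function, the sample map entries and the temporary file path are constructed stand-ins so the example runs offline.

```shell
#!/bin/sh
# Added example (not MariaDB code): pre-flight check for pam_user_map setups.
# pam_user_map rewrites the PAM user to the name on the right-hand side of
# /etc/security/user_map.conf, and any later "account" module (pam_sss,
# pam_ldap) is then asked about that rewritten name. If the backend cannot
# resolve it, the stack fails with "User not known to the underlying
# authentication module". This script lists mapped names that do not resolve.
# Sample entries, the demo lookup and the temp file below are constructed.

# Print "pam_name mysql_name" pairs from a user_map.conf-style file.
# Lines look like "pamuser: mysqluser" or "@pamgroup: mysqluser";
# '#' starts a comment and blank lines are ignored.
parse_user_map() {
  sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk -F: 'NF >= 2 {
      gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
      print $1, $2
    }'
}

# List the distinct mapped MariaDB user names the backend cannot resolve.
# $1: map file. $2: lookup command that takes one user name and returns 0
# if it exists; defaults to "getent passwd" (word-split on purpose so the
# two-word default works), which asks NSS, i.e. sssd or nslcd.
missing_mapped_users() {
  map_file="$1"
  lookup="${2:-getent passwd}"
  parse_user_map "$map_file" | awk '{ print $2 }' | sort -u |
    while read -r target; do
      $lookup "$target" >/dev/null 2>&1 || echo "$target"
    done
}

# Constructed sample map: one user mapping and one group mapping (demo only).
write_demo_map() {
  cat > "$1" <<'EOF'
# constructed sample user_map.conf
itau6125: dbuser_dba
@dbmonitors: dbuser_dm
EOF
}

# Stand-in for "getent passwd" so the demo runs offline: pretends the backend
# knows itau6125 and dbuser_dm but has no account named dbuser_dba.
demo_lookup() {
  case "$1" in
    itau6125|dbuser_dm) return 0 ;;
    *) return 1 ;;
  esac
}

demo_map=$(mktemp)
write_demo_map "$demo_map"
echo "Mapped users the backend cannot resolve:"
missing_mapped_users "$demo_map" demo_lookup   # prints dbuser_dba
rm -f "$demo_map"
```

On a real host run `missing_mapped_users /etc/security/user_map.conf` with no second argument so that `getent passwd` is used; any name it prints is one the "account" phase will reject unless that account exists in the backend or the account check is replaced with pam_permit.so as shown above.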
