[MDEV-17095] pam_user_map module throws syntax error if group name contains backslash
Created: 2018-08-29
Updated: 2020-08-25
Resolved: 2018-08-30

Status: Closed
Project: MariaDB Server
Component/s: Plugin - pam
Affects Version/s: 10.2.17
Fix Version/s: 10.1.36

Type: Bug
Priority: Major
Reporter: Geoff Montee (Inactive)
Assignee: Alexey Botchkov
Resolution: Fixed
Votes: 0
Labels: authentication, pam, pam_user_map


 Description   

When using Active Directory, group names can have backslashes when specified in the "domain account format". See here for more information:

https://docs.microsoft.com/en-us/windows/desktop/ad/getting-the-domain-account-style-name-of-a-group

"getent group" on Linux is capable of interpreting backslashes in group names when AD is configured. For example, the following command properly gets the information about the AD group:

getent group mydomain\\my-dba-group

However, the pam_user_map module does not seem to support this format at the moment. If /etc/security/user_map.conf contains a line like the following:

@mydomain\\my-dba-group: mysqldba 

Then the module would throw an error like the following:

Aug 28 17:22:02 ip-10-156-191-170 mysqld: pam_user_map(mysql:auth): Syntax error at /etc/security/user_map.conf:5

The same error is seen if only a single backslash is used in the group name. e.g.:

@mydomain\my-dba-group: mysqldba 

The workaround is to set a default domain in the system's AD configuration.
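
An added example (not the pam_user_map source and not the committed fix) showing how a line tokenizer with a fixed name alphabet rejects the lines quoted above, and how admitting `\` in the source name lets them parse. `parse_map_line`, `struct map_entry`, the name alphabet and the `#` comment handling are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct map_entry {            /* hypothetical result type for this example */
    int  is_group;            /* 1 when the line starts with '@' */
    char from[64], to[64];    /* source name (bytes kept verbatim), mapped user */
};

/* Assumed name alphabet: alphanumerics and "_.-$"; '\\' only when allowed. */
static int name_char(unsigned char c, int allow_bs)
{
    return isalnum(c) || (c && strchr("_.-$", c)) || (allow_bs && c == '\\');
}

/* Copy the run of name characters at *s into dst; 0 if empty or too long. */
static size_t take_name(const char **s, char *dst, size_t cap, int allow_bs)
{
    size_t n = 0;
    while (name_char((unsigned char)(*s)[n], allow_bs)) n++;
    if (n == 0 || n >= cap) return 0;
    memcpy(dst, *s, n);
    dst[n] = '\0';
    *s += n;
    return n;
}

/* Returns 1 for a mapping, 0 for a blank or comment line, -1 for a syntax error. */
int parse_map_line(const char *s, int allow_bs, struct map_entry *e)
{
    while (isspace((unsigned char)*s)) s++;
    if (*s == '\0' || *s == '#') return 0;
    if ((e->is_group = (*s == '@'))) s++;
    if (!take_name(&s, e->from, sizeof e->from, allow_bs)) return -1;
    while (isspace((unsigned char)*s)) s++;
    if (*s++ != ':') return -1;          /* a stray '\\' lands here in strict mode */
    while (isspace((unsigned char)*s)) s++;
    if (!take_name(&s, e->to, sizeof e->to, 0)) return -1;
    while (isspace((unsigned char)*s)) s++;
    return *s == '\0' ? 1 : -1;          /* trailing text is an error */
}

int main(void)
{
    struct map_entry e;
    const char *line = "@mydomain\\my-dba-group: mysqldba \n"; /* single-backslash line from the report */
    printf("strict=%d relaxed=%d\n", parse_map_line(line, 0, &e), parse_map_line(line, 1, &e));
    return 0;
}
```

The backslash is admitted only in the source name and kept verbatim, so the mapped SQL user name stays within the narrower alphabet.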



 Comments   
Comment by Alexey Botchkov [ 2018-08-30 ]

http://lists.askmonty.org/pipermail/commits/2018-August/012851.html
