[MDEV-19881] pam plugin from MariaDB 10.3 doesn't work with MariaDB 10.4 Created: 2019-06-27  Updated: 2022-08-04

Status: Open
Project: MariaDB Server
Component/s: Plugin - pam
Affects Version/s: 10.4.6
Fix Version/s: 10.3

Type: Bug Priority: Minor
Reporter: Geoff Montee (Inactive) Assignee: Sergei Golubchik
Resolution: Unresolved Votes: 2
Labels: None

Issue Links:
Problem/Incident
is caused by MDEV-7032 new pam plugin with a suid wrapper Closed
is caused by MDEV-15473 Isolate/sandbox PAM modules, so that ... Closed
Relates
relates to MDEV-19876 pam v2: auth_pam_tool_dir and auth_pa... Closed
relates to MDEV-19877 pam v2: auth_pam_tool input format is... Open
relates to MDEV-19878 pam v2: pam password authentication d... Closed
relates to MDEV-19879 server can send empty error message t... Closed
relates to MDEV-19880 pam v1: pam password authentication d... Closed
relates to MDEV-19882 pam v2: auth_pam_tool truncates passw... Closed
relates to MDEV-19898 PAM plugin testing Stalled

Description

As a way to work around the numerous pam bugs in MariaDB 10.4.6, I tried to copy the pam plugins from MariaDB 10.3.16. This does not work, and it fails instantly without even asking for a password.

For example, copy the plugin from the 10.3 to the 10.4 server:

scp  /usr/lib64/mysql/plugin/auth_pam.so 172.30.0.123:/tmp/

Then move the existing one on the 10.4 server:

sudo mv /usr/lib64/mysql/plugin/auth_pam.so /usr/lib64/mysql/plugin/auth_pam.so.original

And then install the one from 10.3:

sudo install /tmp/auth_pam.so /usr/lib64/mysql/plugin/

Create a Unix user account and set a password for the user:

sudo useradd alice
sudo passwd alice

Create the PAM service configuration:

sudo tee /etc/pam.d/mariadb <<EOF
auth required pam_unix.so audit
account required pam_unix.so audit
EOF

Then in MariaDB, install the plugin:

INSTALL SONAME 'auth_pam';

And then create the user account:

CREATE USER 'alice'@'localhost' IDENTIFIED VIA pam USING 'mariadb';

And then you need to do the /etc/shadow workaround for pam_unix:

sudo groupadd shadow
sudo usermod -a -G shadow mysql
sudo chown root:shadow /etc/shadow
sudo chmod g+r /etc/shadow

And then restart MariaDB:

sudo systemctl restart mariadb

And then, try to authenticate as the Unix account (while using the workaround for MDEV-19807):

$ mysql -u alice --plugin-dir=/usr/lib64/mysql/plugin
ERROR 1045 (28000): Access denied for user 'alice'@'localhost' (using password: NO)

Unlike in MDEV-19880, the syslog doesn't even show a failed password check.
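The `/etc/shadow` workaround in the steps above (`chown root:shadow /etc/shadow`, `chmod g+r`, adding `mysql` to the `shadow` group) is what the pam v1 plugin needs because `pam_unix.so` runs inside `mysqld`; it also means the database server can read every password hash on the host, which is the exposure the 10.4 setuid `auth_pam_tool` (MDEV-15473) exists to avoid. The script below is an added check for this page, not MariaDB code and not part of the ticket: it reports how the service account could read `/etc/shadow` under Unix mode-bit semantics (owner bits if the uid matches, otherwise group bits if any of the user's gids matches, otherwise other bits, with root bypassing all three), so an operator can confirm whether the workaround is still in effect after moving to the 10.4 plugin. The service user name `mysql` and the path `/etc/shadow` are assumed defaults and can be overridden.

```python
"""Report whether a service account can read /etc/shadow.

Added example for MDEV-19881; not MariaDB code. Only stat() metadata is
used, so it runs unprivileged. Assumptions: the service account is
"mysql" and the shadow file is /etc/shadow (both overridable).
"""
import grp
import os
import pwd
import stat
import sys


def assess_access(mode, file_uid, file_gid, user_uid, user_gids):
    """Return how a user can read a file: 'root', 'owner', 'group',
    'world' or 'none'.

    Follows the kernel's discretionary access check: the owner bits
    apply if the uid matches, else the group bits if the file's gid is
    among the user's gids, else the other bits. Pure function so it can
    be exercised with constructed values.
    """
    perm = stat.S_IMODE(mode)
    if user_uid == 0:
        return "root"  # CAP_DAC_READ_SEARCH bypasses mode bits
    if user_uid == file_uid:
        return "owner" if perm & stat.S_IRUSR else "none"
    if file_gid in user_gids:
        return "group" if perm & stat.S_IRGRP else "none"
    return "world" if perm & stat.S_IROTH else "none"


def user_ids(username):
    """Return (uid, set of all gids) for a local account, including
    supplementary groups such as the 'shadow' group from the workaround."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def audit_shadow(username="mysql", path="/etc/shadow"):
    """Return the access verdict for `username` on `path` on this host."""
    st = os.stat(path)
    uid, gids = user_ids(username)
    return assess_access(st.st_mode, st.st_uid, st.st_gid, uid, gids)


if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "mysql"
    verdict = audit_shadow(user)
    print(f"{user} can read /etc/shadow via: {verdict}")
    if verdict == "group":
        print("shadow-group workaround is in effect; mysqld can read all "
              "password hashes. To revert: gpasswd -d %s shadow; "
              "chmod 0000 /etc/shadow (or your distro's default mode)." % user)
    elif verdict == "world":
        print("WARNING: /etc/shadow is world-readable")
```

Run it as any user on the 10.4 host (`python3 check_shadow.py mysql`); a verdict of `none` is what you want once `auth_pam_tool` is handling the `pam_unix` check, while `group` means the v1 workaround is still granting the server direct access to the hash file.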



Comments
Comment by Sergei Golubchik [ 2019-06-30 ]

This is a bug in the 10.3 pam plugin that just didn't show up earlier

Generated at Thu Feb 08 08:55:04 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.