[MDEV-26876] auth_pam does not work when config file is not named mysql

Created: 2021-10-21
Updated: 2021-10-21

Status: Open
Project: MariaDB Server
Component/s: Plugin - pam
Affects Version/s: 10.5.12
Fix Version/s: None

Type: Bug
Priority: Critical
Reporter: Marcel
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: pam
Environment:

SLES15 SP3



Description

After updating from 10.2.15, which came with an earlier version of SLES, to 10.5.12, our PAM authentication stopped working without any error messages or warnings.

Our setup was using a config file called 'mariadb' in /etc/pam.d/ and our users were created with "USING 'mariadb'".

After a lot of debugging and investigations, it appeared we had to rename the config file to 'mysql' and re-create our users without the "USING 'mariadb'" option.

After doing that, it started working again.

To further test this, we duplicated the config file, so we had two identical files: mariadb and mysql

/etc/pam.d/mariadb & /etc/pam.d/mysql:

auth required pam_ldap.so
auth required pam_warn.so
account required pam_ldap.so
account required pam_warn.so

(pam_warn.so can be removed, and does not affect the testing at all, it just logs to syslog)

We then re-created the user with the USING option, and tried to log in.

> CREATE USER 'test'@'localhost' IDENTIFIED VIA pam USING 'mariadb';
> FLUSH PRIVILEGES;

No password is asked, and no errors logged:

# mysql -utest
ERROR 1045 (28000): Access denied for user 'test'@'localhost' (using password: NO)

Re-creating the user with mysql as the 'service' name:

> DROP USER 'test'@'localhost';
> CREATE USER 'test'@'localhost' IDENTIFIED VIA pam USING 'mysql';
> FLUSH PRIVILEGES;

Results in a password request and a successful login:

# mysql -utest
[mariadb] Password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.

More info:

> SELECT * FROM information_schema.PLUGINS where PLUGIN_NAME = 'pam'\G
*************************** 1. row ***************************
           PLUGIN_NAME: pam
        PLUGIN_VERSION: 2.0
         PLUGIN_STATUS: ACTIVE
           PLUGIN_TYPE: AUTHENTICATION
   PLUGIN_TYPE_VERSION: 2.2
        PLUGIN_LIBRARY: auth_pam.so
PLUGIN_LIBRARY_VERSION: 1.14
         PLUGIN_AUTHOR: MariaDB Corp
    PLUGIN_DESCRIPTION: PAM based authentication
        PLUGIN_LICENSE: GPL
           LOAD_OPTION: ON
       PLUGIN_MATURITY: Stable
   PLUGIN_AUTH_VERSION: 2.0
 
 
 
> SHOW PLUGINS SONAME LIKE '%pam%'\G
*************************** 1. row ***************************
   Name: pam
 Status: ACTIVE
   Type: AUTHENTICATION
Library: auth_pam.so
License: GPL
*************************** 2. row ***************************
   Name: pam
 Status: NOT INSTALLED
   Type: AUTHENTICATION
Library: auth_pam_v1.so
License: GPL
 
> SHOW GLOBAL VARIABLES LIKE 'pam%'\G
*************************** 1. row ***************************
Variable_name: pam_use_cleartext_plugin
        Value: OFF
*************************** 2. row ***************************
Variable_name: pam_winbind_workaround
        Value: OFF
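
A way to list the accounts this report concerns before or after an upgrade, as an added example that is not part of the original report or of MariaDB's code: it reads tab-separated user, host and PAM service rows and marks every account whose service name is not the default 'mysql'. The function names and status labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the report). Input on stdin: one row per PAM account,
# "user<TAB>host<TAB>service", for instance produced by:
#   mysql -N -B -e "SELECT user, host, authentication_string
#                   FROM mysql.user WHERE plugin='pam'"
# Argument 1: PAM configuration directory (defaults to /etc/pam.d).
#
# Status labels (assumed names for this example):
#   default      no USING clause, or USING 'mysql'
#   non-default  named service whose file exists; this is the case the report
#                describes as denied without a password prompt on 10.5.12
#   missing      the service file is absent from the PAM directory
tab=$(printf '\t')

audit_pam_services() {
    pam_dir=${1:-/etc/pam.d}
    while IFS="$tab" read -r user host service; do
        [ -n "$user" ] || continue            # skip blank lines
        # An empty authentication_string means the plugin falls back to 'mysql'.
        [ -n "$service" ] || service=mysql
        if [ ! -f "$pam_dir/$service" ]; then
            status=missing
        elif [ "$service" = mysql ]; then
            status=default
        else
            status=non-default
        fi
        printf '%s@%s\t%s\t%s\n' "$user" "$host" "$service" "$status"
    done
}

# Number of accounts that do not resolve to an existing default 'mysql' service.
count_at_risk() {
    audit_pam_services "$1" | grep -c -v "${tab}default\$" || true
}
```

Accounts reported as non-default are the ones to test with an interactive login after the upgrade, since the report shows them failing with no log entry.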

