MariaDB auth_pam.so plugin with winbind

SUSE Product Topics SLES Configure-Administer
1

I’m trying to authenticate mariadb against winbind in Sles 12 SP3. I’ve created a new pam.d entry for mysql:
:~> cat /etc/pam.d/mysql
#%PAM-1.0
account required pam_winbind.so use_first_pass
password sufficient pam_winbind.so

Originally I referenced common-account and common-password, but since I only want winbind accounts I copied just those entries

I’ve configured mariadb to load the auth_pam.so module, and it shows up as active:
:~> sudo cat /etc/my.cnf.d/default_plugins.cnf
[server]
#plugin-load-add=blackhole=ha_blackhole.so
#plugin-load-add=federated=ha_federated.so
#plugin-load-add=archive=ha_archive.so
[mysqld]
plugin-load-add=auth_pam.so
MariaDB [mysql]> show plugins;
±----------------------------±-------±-------------------±------------±--------+
| Name | Status | Type | Library | License |
±----------------------------±-------±-------------------±------------±--------+
| binlog | ACTIVE | STORAGE ENGINE | NULL | GPL |
| mysql_native_password | ACTIVE | AUTHENTICATION | NULL | GPL |
| mysql_old_password | ACTIVE | AUTHENTICATION | NULL | GPL |

| pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |
±----------------------------±-------±-------------------±------------±--------+
44 rows in set (0.00 sec)

I’ve created a user that references the plugin:
MariaDB [mysql]> show grants for ‘mumble’@‘localhost’;
±---------------------------------------------------------------------------+
| Grants for mumble@localhost |
±---------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON . TO ‘mumble’@‘localhost’ IDENTIFIED VIA pam |
±---------------------------------------------------------------------------+

The user can log in via ssh, but not to mariadb:
:~> mysql -p
Enter password:
ERROR 1045 (28000): Access denied for user ‘mumble’@‘localhost’ (using password: NO)

I don’t know why it says “using password: NO” rather than “: YES”, as I am clearly referencing a valid user. I’ve tried it with the “via PAM” clause both uppercase and lowercase.

Can anyone give me any hints where I might be messing up?

2

Apparently, pam needs the auth and session stanzas as well.

cat /etc/pam.d/mysql
#%PAM-1.0
account required pam_winbind.so
auth required pam_winbind.so
session required pam_winbind.so
password required pam_winbind.so
mysql -p mrtg
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 12
Server version: 10.0.34-MariaDB SLE 12 SP1 package

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

MariaDB [mrtg]> quit
Bye