I’m trying to authenticate mariadb against winbind in Sles 12 SP3. I’ve created a new pam.d entry for mysql:
:~> cat /etc/pam.d/mysql
#%PAM-1.0
account required pam_winbind.so use_first_pass
password sufficient pam_winbind.so
Originally I referenced common-account and common-password, but since I only want winbind accounts I copied just those entries
I’ve configured mariadb to load the auth_pam.so module, and it shows up as active:
:~> sudo cat /etc/my.cnf.d/default_plugins.cnf
[server]
#plugin-load-add=blackhole=ha_blackhole.so
#plugin-load-add=federated=ha_federated.so
#plugin-load-add=archive=ha_archive.so
[mysqld]
plugin-load-add=auth_pam.so
MariaDB [mysql]> show plugins;
±----------------------------±-------±-------------------±------------±--------+
| Name | Status | Type | Library | License |
±----------------------------±-------±-------------------±------------±--------+
| binlog | ACTIVE | STORAGE ENGINE | NULL | GPL |
| mysql_native_password | ACTIVE | AUTHENTICATION | NULL | GPL |
| mysql_old_password | ACTIVE | AUTHENTICATION | NULL | GPL |
…
| pam | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |
±----------------------------±-------±-------------------±------------±--------+
44 rows in set (0.00 sec)
I’ve created a user that references the plugin:
MariaDB [mysql]> show grants for ‘mumble’@‘localhost’;
±---------------------------------------------------------------------------+
| Grants for mumble@localhost |
±---------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON . TO ‘mumble’@‘localhost’ IDENTIFIED VIA pam |
±---------------------------------------------------------------------------+
The user can log in via ssh, but not to mariadb:
:~> mysql -p
Enter password:
ERROR 1045 (28000): Access denied for user ‘mumble’@‘localhost’ (using password: NO)
I don’t know why it says “using password: NO” rather than “: YES”, as I am clearly referencing a valid user. I’ve tried it with the “via PAM” clause both uppercase and lowercase.
Can anyone give me any hints where I might be messing up?