I am currently trying to set up authentication in MariaDB against Samba Active Directory using the pam_winbind plugin in Ubuntu 20.04. And I am getting the following error:
step@gray:~$ mysql -u user1 -pUser1111
ERROR 1045 (28000): Access denied for user 'user1'@'localhost' (using password: NO)
even though the logs in /var/log/auth.log indicate that:
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): [pamh: 0x55eaf66992a0] ENTER: pam_sm_authenticate (flags: 0x0000)
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): getting password (0x00000001)
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): Verify user 'user1'
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): request wbcLogonUser succeeded
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): user 'user1' granted access
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): Returned user was 'EDMX\user1'
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): [pamh: 0x55eaf66992a0] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:account): [pamh: 0x55eaf66992a0] ENTER: pam_sm_acct_mgmt (flags: 0x0000)
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:account): user 'EDMX\user1' granted access
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:account): [pamh: 0x55eaf66992a0] LEAVE: pam_sm_acct_mgmt returning 0 (PAM_SUCCESS)
Thus, it looks like pam_winbind is working fine and grants access.
My pam service file is presented below:
step@gray:/etc/mysql$ cat /etc/pam.d/mariadb
auth required pam_winbind.so debug
account required pam_winbind.so debug
And the DB user also seems to be created properly:
MariaDB [(none)]> SHOW CREATE USER 'user1'@'%';
+------------------------------------------------------------+
| CREATE USER for user1@% |
+------------------------------------------------------------+
| CREATE USER `user1`@`%` IDENTIFIED VIA pam USING 'mariadb' |
+------------------------------------------------------------+
I have also tried to create another user identified by pam_unix, and haven't had any problems with that.
MariaDB version is: Server version: 10.4.13-MariaDB-1:10.4.13+maria~focal-log mariadb.org binary distribution
After some debugging and experimentation I have partially solved the problem by myself. So, instead of the simple "user1" username, I should have created "EDMX\user1" in the database and logged in with:
mysql -u EDMX\\user1 -p
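Added example, not part of the original post: a small check that reads pam_winbind debug lines in the shape shown above, reports logins where the "Returned user" differs from the "Verify user" name, and builds the CREATE USER statement for the returned name. The function names and sample lines are constructed for illustration; it assumes the lines of one login are not interleaved with another and that MariaDB runs with its default backslash-escape handling.

```python
import re

# Constructed sample: pam_winbind debug lines in the shape shown in the post.
SAMPLE_LOG = r"""
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): Verify user 'user1'
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): request wbcLogonUser succeeded
Jun 23 11:31:47 gray auth_pam_tool: pam_winbind(mariadb:auth): Returned user was 'EDMX\user1'
Jun 23 11:32:10 gray auth_pam_tool: pam_winbind(mariadb:auth): Verify user 'EDMX\user2'
Jun 23 11:32:10 gray auth_pam_tool: pam_winbind(mariadb:auth): Returned user was 'EDMX\user2'
"""

LINE = re.compile(
    r"pam_winbind\((?P<service>[^:)]+):auth\): "
    r"(?P<kind>Verify user|Returned user was) '(?P<name>[^']*)'"
)

def find_renamed_logins(log_text, service="mariadb"):
    """Return (requested, returned) pairs where pam_winbind changed the name."""
    pending = None   # name from the most recent 'Verify user' line
    renamed = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group("service") != service:
            continue
        if m.group("kind") == "Verify user":
            pending = m.group("name")
        elif pending is not None:
            if m.group("name") != pending:
                renamed.append((pending, m.group("name")))
            pending = None
    return renamed

def create_user_sql(returned_name, service="mariadb", host="%"):
    """Build the CREATE USER statement for the name PAM returned."""
    # Backslash and quote must be escaped inside a MariaDB string literal.
    escaped = returned_name.replace("\\", "\\\\").replace("'", "\\'")
    return f"CREATE USER '{escaped}'@'{host}' IDENTIFIED VIA pam USING '{service}';"

if __name__ == "__main__":
    for requested, returned in find_renamed_logins(SAMPLE_LOG):
        print(f"{requested!r} was returned as {returned!r}")
        print(create_user_sql(returned))
```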