Centrify PAM Authentication fails with 'Failed to set user credentials'
Hi,
MySQL PAM Authentication using AD (Centrify Dc) fails with 'Failed to set user credentials'. OS authentication is successful and MySQL user has been created. Below is the environment details and debug info, please assist:
Linux: CentOS release 6.2 (Final)
MySQL version: 5.6.15-enterprise-commercial-advanced
[root@centos01 pam.d]# rpm -qa | grep -i centrify
CentrifyDC-5.1.2-378.x86_64
CentrifyDC-krb5-5.1.0-512.x86_64
CentrifyDC-openssh-6.2p2-5.1.2.370.x86_64
[root@centos01 pam.d]# adinfo
Local host name: centos01
Joined to domain: company.local
Joined as: centos01.company.local
Pre-win2K name: centos01
Current DC: win2008-ad.company.local
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2014-01-27 15:07:57 SAST
CentrifyDC mode: connected
Licensed Features: Enabled
[root@centos01 pam.d]# cat /etc/pam.d/mysql
auth include password-auth
account include password-auth
MySQL Debug info:
entering auth_pam_server
entering auth_pam_next_token
auth_pam_next_token:reading at [mysql], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[mysql], out=[]
auth_pam_next_token:state=IDENT, ptr=[mysql], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[], out=[mysql]
auth_pam_next_token:state=DELIMITER, ptr=[], out=[mysql]
auth_pam_next_token:state=DONE, ptr=[], out=[mysql]
leaving auth_pam_next_token on /pb2/build/sb_0-10831761-1384711536.02/rpm/BUILD/mysqlcom-pro-5.6.15/mysqlcom-pro-5.6.15/plugin/pam-authentication-plugin/src/parser.c:195
auth_pam_server:password password.123 received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,user3) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0
entering auth_pam_server_conv
auth_pam_server_conv:PAM_PROMPT_ECHO_OFF [Password: ] received
leaving auth_pam_server_conv on /pb2/build/sb_0-10831761-1384711536.02/rpm/BUILD/mysqlcom-pro-5.6.15/mysqlcom-pro-5.6.15/plugin/pam-authentication-plugin/src/authentication_pam.c:269
auth_pam_server:pam_authenticate rc=0
auth_pam_server:pam_acct_mgmt rc=0
auth_pam_server:pam_setcred(PAM_ESTABLISH_CRED) rc=17
auth_pam_server: rc=17
PAM error: Failure setting user credentials
leaving auth_pam_server on /pb2/build/sb_0-10831761-1384711536.02/rpm/BUILD/mysqlcom-pro-5.6.15/mysqlcom-pro-5.6.15/plugin/pam-authentication-plugin/src/authentication_pam.c:441
Centrify Debug info:
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> Set credentials for user 'user3'
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> No pam_getenv(KRB5CCNAME)
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> No getenv(KRB5CCNAME)
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 PAMCreateKrb5Creds > daemon.ipcclient2 executing request 'PAMCreateKrb5Creds' in thread 139895070783232
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 PAMCreateKrb5Creds > daemon.ipcclient2 Creating krb5 credentials cache for user 'user3'
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 PAMCreateKrb5Creds > adclient.pam.util Creating CimsContext
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 PAMCreateKrb5Creds > adclient.pam.util username user3, presented: , effective: , unix: unknown
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 PAMCreateKrb5Creds > base.adagent Find GUID: 02b920d5f1518640a7c90001787fb231 (7)
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 PAMCreateKrb5Creds > base.objecthelper age 0, expire age 600, cutoff time 0, refresh 5, negative=false, cacheOps 7
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 PAMCreateKrb5Creds > daemon.ipcclient2 request 'PAMCreateKrb5Creds' complete
Jan 27 20:21:20 centos01 adclient[1159]: INFO <fd:18 mysqld(2076)> Set credentials for user 'user3': Client is not authorized for this operation
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> -> SendATProxySetAuditTrailEvent
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> AuditTrailEvent: Centrify Suite PAM 201 0.0 (null) user3 <userSid> (null) 2076
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> UTF8STRING: mysql
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> UTF8STRING: (none)
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> UTF8STRING: localhost
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> UTF8STRING: Failed to set user credentials
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <main> util.threadpool Pool size 3/4, busy size 1/20
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > daemon.ipcclient2 executing request 'ATProxySetAuditTrailEvent' in thread 139895070783232
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > daemon.ipcclient2 AuditTrailEvent from proxy: Centrify Suite PAM 201 0.0 user3 <userSid> 2076
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: mysql
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: (none)
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: localhost
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: Failed to set user credentials
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > adclient.pam.util Creating CimsContext
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > adclient.pam.util username user3, presented: , effective: , unix: unknown
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > base.adagent Find GUID: 02b920d5f1518640a7c90001787fb231 (7)
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > base.objecthelper age 0, expire age 600, cutoff time 0, refresh 5, negative=false, cacheOps 7
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > audittrail.internal No machine provided, use short local hostname centos01.
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > audittrail.internal No eventTime provided, use now time 1390846880.252017.
Jan 27 20:21:20 centos01 adclient[1159]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|201|PAM set credentials denied|5|user=user3(type:ad,user3@COMPANY.LOCAL) pid=2076 utc=1390846880252 status=DENIED service=mysql tty=(none) client=localhost reason=Failed to set user credentials
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:20 ATProxySetAuditTrailEvent > daemon.ipcclient2 request 'ATProxySetAuditTrailEvent' complete
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> <- SendATProxySetAuditTrailEvent, result=(1)
Jan 27 20:21:20 centos01 adclient[1159]: DEBUG <fd:18 mysqld(2076)> <- pam_sm_setcred, result=PAM_CRED_ERR(17)