MySQL PAM Authentication with AD
Hi All,
I'm working on configuring AD authentication on MySQL (installed on Linux) using Pluggable Authentication Modules (PAM).
MySQL version is 5.7 and Linux version is RHEL 6.6.
So far, my AD users are able to log in on the RHEL box using AD credentials. But when I try to log in to MySQL using the PAM plugin, I'm getting an Access Denied error. The PAM configuration for MySQL is as follows:
/etc/pam.d/mysql:
auth required pam_winbind.so
account required pam_winbind.so
When I check the MySQL error logs, I see a system error thrown in the method authenticate_pam(). The mysqld logs are as follows:
entering auth_pam_server
entering auth_pam_next_token
auth_pam_next_token:reading at [mysql, MySQLUsers=mysql_ad], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[mysql, MySQLUsers=mysql_ad], out=[]
auth_pam_next_token:state=IDENT, ptr=[mysql, MySQLUsers=mysql_ad], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[, MySQLUsers=mysql_ad], out=[mysql]
auth_pam_next_token:state=DELIMITER, ptr=[, MySQLUsers=mysql_ad], out=[mysql]
auth_pam_next_token:state=DONE, ptr=[, MySQLUsers=mysql_ad], out=[mysql]
leaving auth_pam_next_token on /export/home/pb2/build/sb_0-19016729-1464156482.79/rpm/BUILD/mysqlcom-pro-5.7.13/mysqlcom-pro-5.7.13/plugin/pam-authentication-plugin/src/parser.c:195
auth_pam_server:password ******** received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,administrator) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0
entering auth_pam_server_conv
auth_pam_server_conv:PAM_PROMPT_ECHO_OFF [Password: ] received
leaving auth_pam_server_conv on /export/home/pb2/build/sb_0-19016729-1464156482.79/rpm/BUILD/mysqlcom-pro-5.7.13/mysqlcom-pro-5.7.13/plugin/pam-authentication-plugin/src/authentication_pam.c:269
auth_pam_server:pam_authenticate rc=4
auth_pam_server: rc=4
PAM error: System error
leaving auth_pam_server on /export/home/pb2/build/sb_0-19016729-1464156482.79/rpm/BUILD/mysqlcom-pro-5.7.13/mysqlcom-pro-5.7.13/plugin/pam-authentication-plugin/src/authentication_pam.c:441
2016-07-18T12:48:22.360536Z 122 [Note] Access denied for user 'administrator'@'localhost' (using password: YES)
As per the above PAM configuration, PAM is using winbind to look up the user credentials in AD and authenticate, which is the same process used for authenticating AD users onto the Linux box. And when I look at the winbind logs, I see the following:
[2016/07/18 08:27:24.236701, 5] winbindd/winbindd_pam.c:1868(winbindd_dual_pam_auth)
Plain-text authentication for user CORPAD\administrator returned NT_STATUS_OK (PAM: 0)
This tells me that the authentication is working fine from winbind, but when winbind returns control back to PAM, something is failing and a system error is thrown.
Any help is greatly appreciated.
Thank you.
Regards,
Suhail.
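The following is an added triage script, not code from the thread, from the MySQL PAM plugin or from Samba. It reads mysqld debug lines of the shape posted above, recovers the plugin's authentication string (the PAM service name followed by optional `group=proxy_user` mappings), and maps the numeric `pam_authenticate rc` to its Linux-PAM symbolic name, so that a `rc=4` is recognised as PAM_SYSTEM_ERR (a failure inside the PAM stack or a module) rather than a wrong password (PAM_AUTH_ERR, 7) or an unknown user (PAM_USER_UNKNOWN, 10). The sample log embedded below is a subset of the lines quoted in the post; the return-code table is the standard Linux-PAM one from `<security/_pam_types.h>`, and the regular expressions assume the line layout is exactly as posted.

```python
"""Triage helper for MySQL PAM plugin debug output.

Added example for this thread; not the MySQL PAM plugin's own code.
"""
import re

# Linux-PAM return codes (security/_pam_types.h). Only the values a login
# attempt normally produces are listed; anything else is reported numerically.
PAM_RC = {
    0: "PAM_SUCCESS",
    1: "PAM_OPEN_ERR",
    2: "PAM_SYMBOL_ERR",
    3: "PAM_SERVICE_ERR",
    4: "PAM_SYSTEM_ERR",
    5: "PAM_BUF_ERR",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    8: "PAM_CRED_INSUFFICIENT",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
    19: "PAM_CONV_ERR",
    26: "PAM_ABORT",
}

AUTH_RE = re.compile(r"auth_pam_next_token:reading at \[(.*?)\], sep=")
RUSER_RE = re.compile(r"pam_set_item\(PAM_RUSER,([^)]+)\) rc=")
RC_RE = re.compile(r"auth_pam_server:pam_authenticate rc=(\d+)")
DENIED_RE = re.compile(r"Access denied for user '([^']+)'@'([^']+)'")


def parse_auth_string(auth_string):
    """Split a MySQL PAM plugin authentication string.

    Format: "service_name[, unix_group=mysql_proxy_user, ...]". The first
    comma-separated token names the file under /etc/pam.d the plugin will
    use; every later token maps a Unix/AD group to a MySQL proxy user.
    """
    tokens = [t.strip() for t in auth_string.split(",")]
    service, mappings = tokens[0], {}
    for tok in tokens[1:]:
        if not tok:
            continue
        if "=" not in tok:
            raise ValueError("malformed group mapping: %r" % tok)
        group, user = tok.split("=", 1)
        mappings[group.strip()] = user.strip()
    return service, mappings


def triage(log_lines):
    """Extract the facts worth checking from one failed PAM login trace."""
    info = {"service": None, "mappings": {}, "ruser": None,
            "rc": None, "rc_name": None, "denied": None}
    for line in log_lines:
        m = AUTH_RE.search(line)
        if m:
            info["service"], info["mappings"] = parse_auth_string(m.group(1))
            continue
        m = RUSER_RE.search(line)
        if m:
            info["ruser"] = m.group(1)
            continue
        m = RC_RE.search(line)
        if m:
            info["rc"] = int(m.group(1))
            info["rc_name"] = PAM_RC.get(info["rc"], "rc=%d" % info["rc"])
            continue
        m = DENIED_RE.search(line)
        if m:
            info["denied"] = (m.group(1), m.group(2))
    return info


def summarize(info):
    """One-line verdict: which PAM service was consulted and how it failed."""
    verdict = "service /etc/pam.d/%s, mappings %s: " % (info["service"], info["mappings"])
    if info["rc"] == 0:
        return verdict + "pam_authenticate succeeded"
    if info["rc"] in (7, 10):
        return verdict + "%s (credential problem, not a stack failure)" % info["rc_name"]
    return verdict + "%s (failure inside the PAM stack, check the module's own log)" % info["rc_name"]


# Constructed sample: a subset of the mysqld lines quoted in the post.
SAMPLE_LOG = [
    "auth_pam_next_token:reading at [mysql, MySQLUsers=mysql_ad], sep=[,]",
    "auth_pam_server:pam_start rc=0",
    "auth_pam_server:pam_set_item(PAM_RUSER,administrator) rc=0",
    "auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0",
    "auth_pam_server:pam_authenticate rc=4",
    "PAM error: System error",
    "2016-07-18T12:48:22.360536Z 122 [Note] Access denied for user "
    "'administrator'@'localhost' (using password: YES)",
]

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```

The script only reads the trace; to exercise the same `/etc/pam.d/mysql` stack outside of mysqld, the separate `pamtester` utility (`pamtester mysql administrator authenticate`) runs the `auth` phase under your own account so the module's behaviour can be compared with what the plugin sees.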