MariaDB Active Directory authentication

Time: 2014-05-28 13:04:54

Tags: authentication active-directory ldap fedora mariadb

I am having trouble authenticating MariaDB against AD.

Here is what I have done so far:

  1. Enable the auth_pam plugin

    MariaDB [(none)]> INSTALL SONAME 'auth_pam';
    
    MariaDB [(none)]> show plugins;
    +--------------------------------+----------+--------------------+-------------+---------+
    | Name                           | Status   | Type               | Library     | License |
    +--------------------------------+----------+--------------------+-------------+---------+
    | binlog                         | ACTIVE   | STORAGE ENGINE     | NULL        | GPL     |
    | pam                            | ACTIVE   | AUTHENTICATION     | auth_pam.so | GPL     |
    +--------------------------------+----------+--------------------+-------------+---------+
    43 rows in set (0.00 sec)
    
  2. Create a user on the database with a username that exists in AD

    MariaDB [mysql]> GRANT ALL ON *.* TO xyz IDENTIFIED WITH pam AS 'mariadb';
    Query OK, 0 rows affected (0.00 sec)
    
    MariaDB [mysql]> select user, password, host from user;
    +--------------+-------------------------------------------+------+
    | user         | password                                  | host |
    +--------------+-------------------------------------------+------+
    | root         | *1114CDA5E6E               8254812 | %    |
    | xyz          |                                           | %    |
    +--------------+-------------------------------------------+------+
    5 rows in set (0.00 sec)
    
    MariaDB [mysql]>
    
  3. Next I created /etc/pam.d/mariadb

    #%PAM-1.0
    auth       include  system-auth
    account    include  system-auth
    password   substack system-auth
    -password   optional    pam_gnome_keyring.so use_authtok
    password   substack postlogin
    auth        sufficient    pam_krb5.so use_first_pass no_validate
    
  4. Now I log in to the machine using AD

    sh-4.2$ su xyz
    Password: 
    sh-4.2$ whoami
    xyz
    sh-4.2$
    
  5. Finally, I try to authenticate to MariaDB using LDAP. It takes about 20 seconds before it claims:

    sh-4.2$ mysql -u xyz --password=Tog4hP@ssw0rd
    ERROR 1045 (28000): Access denied for user 'xyz'@'localhost' (using password: NO)
    sh-4.2$ 
    
  6. The problem is that I passed the password on the command line. Why does MariaDB complain (using password: NO)?

    Also, I see a few lines in tail /var/log/secure -f that I think might shed some light:

        May 28 15:58:40 localhost mysqld: pam_unix(mariadb:auth): authentication failure; logname= uid=27 euid=27 tty= ruser= rhost=  user=xyz
        May 28 15:58:40 localhost mysqld: pam_krb5[3452]: error reading keytab 'FILE:/etc/krb5.keytab'
        May 28 15:58:40 localhost mysqld: pam_krb5[3452]: TGT verified
        May 28 15:58:40 localhost mysqld: pam_krb5[3452]: authentication succeeds for 'xyz' (xyz@******.**.ORG)
    

    Can anyone help?

1 answer:

Answer 0: (score: 0)

There are two problems.

The user should be created with the VIA option, not WITH:

    GRANT ALL PRIVILEGES ON *.* TO 'dbversity'@'%' IDENTIFIED VIA pam USING 'mariadb' REQUIRE SSL;

Second, your mariadb PAM file should look like this:

    [root@dbversity.com ~]# cat /etc/pam.d/mariadb
    auth    required pam_krb5.so minimum_uid=1000 no_user_check
    account required pam_krb5.so no_user_check
    [root@dbversity.com ~]#
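As an added example (not code from the question or the answer above): a small Python parser for `/etc/pam.d/<service>` files plus a checker for the two PAM stacks the MariaDB `auth_pam` plugin exercises, run over the questioner's file and the answerer's file, both embedded below as constructed samples. The checker's assumptions are that `auth_pam` only drives the `auth` and `account` stacks (`pam_authenticate` and `pam_acct_mgmt`), so `password` and `session` lines do nothing for `mysqld`, and that an `include`/`substack` line hands the decision to the modules of the named service; the helper names are my own, not part of MariaDB or Linux-PAM.

```python
# Added example: parse /etc/pam.d service files and sanity-check the stack
# that MariaDB's auth_pam plugin uses. Not from the original thread.
from dataclasses import dataclass, field
from typing import List


@dataclass
class PamEntry:
    ptype: str                       # auth | account | password | session
    control: str                     # required, sufficient, include, substack, [..] form
    module: str                      # e.g. pam_krb5.so, or a service name for include/substack
    args: List[str] = field(default_factory=list)
    skip_if_missing: bool = False    # leading '-': ignore the line if the module is absent


def parse_pam_service(text: str) -> List[PamEntry]:
    """Parse the body of one /etc/pam.d/<service> file into entries."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#%PAM-1.0' and trailing comments drop out
        if not line:
            continue
        skip = line.startswith("-")
        if skip:
            line = line[1:].lstrip()
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        ptype = fields[0].lower()
        if fields[1].startswith("["):             # bracketed control fields may contain spaces
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1].lower(), fields[2:]
        if not rest:
            raise ValueError(f"missing module on PAM line: {raw!r}")
        entries.append(PamEntry(ptype, control, rest[0], rest[1:], skip))
    return entries


def check_mariadb_stack(entries: List[PamEntry]) -> List[str]:
    """Return findings for a service file that auth_pam will consume.

    Assumption: auth_pam calls only pam_authenticate and pam_acct_mgmt, so only
    the 'auth' and 'account' stacks matter; 'password' and 'session' lines are
    dead weight, and include/substack lines defer the verdict to another file.
    """
    findings: List[str] = []
    types = {e.ptype for e in entries}
    if "auth" not in types:
        findings.append("no 'auth' line: nothing will authenticate the user")
    if "account" not in types:
        findings.append("no 'account' line: pam_acct_mgmt has nothing to run")
    for e in entries:
        if e.ptype in ("password", "session"):
            findings.append(f"'{e.ptype}' line for {e.module} is never used by mysqld")
        if e.control in ("include", "substack"):
            findings.append(f"'{e.ptype}' pulls in service '{e.module}'; the modules in "
                            "that file decide the result, so inspect it too")
    return findings


# Constructed sample: the questioner's /etc/pam.d/mariadb as posted.
QUESTION_PAM = """#%PAM-1.0
auth       include  system-auth
account    include  system-auth
password   substack system-auth
-password   optional    pam_gnome_keyring.so use_authtok
password   substack postlogin
auth        sufficient    pam_krb5.so use_first_pass no_validate
"""

# Constructed sample: the file the answer recommends.
ANSWER_PAM = """auth    required pam_krb5.so minimum_uid=1000 no_user_check
account required pam_krb5.so no_user_check
"""

if __name__ == "__main__":
    for name, body in (("question", QUESTION_PAM), ("answer", ANSWER_PAM)):
        print(f"== {name} ==")
        for finding in check_mariadb_stack(parse_pam_service(body)) or ["ok"]:
            print("  " + finding)
```

Running it reports seven findings for the questioner's file (three `password` lines that `mysqld` never runs, and four `include`/`substack` lines that defer to `system-auth` and `postlogin`) and none for the answer's two-line file, which keeps the whole decision inside `pam_krb5.so`.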