MySQL PAM with proxy authentication from a Windows client

Time: 2019-01-12 08:56:40

Tags: mysql authentication pam

MySQL PAM proxy authentication from a Windows client

I'm trying to combine proxy authentication with a proxy user.

https://blog.pythian.com/authenticating-mysql-8-0-enterprise-active-directory/ https://dev.mysql.com/doc/refman/8.0/en/pam-pluggable-authentication.html

[patrick@lnx-mysql8 ~]$ id karen
uid=985601345(karen) gid=985600513(domain users) groups=985600513(domain users),1003(kgroup)

CREATE USER 'karen'@'%'
  IDENTIFIED WITH authentication_pam
  AS 'mysql,kgroup=app';


GRANT PROXY ON 'app'@'localhost' TO 'karen'@'%';
GRANT SELECT ON app.* TO 'karen'@'%';

If I connect from the Linux server, everything works fine.

[patrick@lnx-mysql8 ~]$ mysql -u karen -p --enable-cleartext-plugin
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 27
Server version: 8.0.13-commercial MySQL Enterprise Server - Commercial

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT USER(), CURRENT_USER(), @@session.proxy_user;
+-----------------+----------------+----------------------+
| USER()          | CURRENT_USER() | @@session.proxy_user |
+-----------------+----------------+----------------------+
| karen@localhost | app@localhost  | 'karen'@'%'          |
+-----------------+----------------+----------------------+
1 row in set (0.00 sec)

mysql>

But when I connect from a Windows machine, it doesn't work.

[patrick@WIN-CLIENT] C:\Program Files\MySQL\MySQL Server 8.0\bin> mysql -u karen -h lnx-mysql8 --enable-cleartext-plugin -p
Enter password: ***********
ERROR 1045 (28000): Access denied for user 'karen'@'WIN-CLIENT.windows.domain' (using password: YES)
[patrick@WIN-CLIENT] C:\Program Files\MySQL\MySQL Server 8.0\bin>

The password is correct, and the trace seems to show that PAM is accepting the password and allowing the connection, but I still get the error message.

entering auth_pam_server
entering auth_pam_next_token
auth_pam_next_token:reading at [mysql,kgroup=app], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[mysql,kgroup=app], out=[]
auth_pam_next_token:state=IDENT, ptr=[mysql,kgroup=app], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[,kgroup=app], out=[mysql]
auth_pam_next_token:state=DELIMITER, ptr=[,kgroup=app], out=[mysql]
auth_pam_next_token:state=DONE, ptr=[,kgroup=app], out=[mysql]
leaving auth_pam_next_token on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/parser.cc:178
auth_pam_server:password password123 received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,karen) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,WIN-CLIENT.windows.domain) rc=0
entering auth_pam_server_conv
auth_pam_server_conv:PAM_PROMPT_ECHO_OFF [Password: ] received
leaving auth_pam_server_conv on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/authentication_pam.cc:253
auth_pam_server:pam_authenticate rc=0
auth_pam_server:pam_acct_mgmt rc=0
auth_pam_server:pam_setcred(PAM_ESTABLISH_CRED) rc=0
auth_pam_server:pam_get_item rc=0
auth_pam_server:pam_setcred(PAM_DELETE_CRED) rc=0
entering auth_pam_map_groups
entering auth_pam_walk_namevalue_list
auth_pam_walk_namevalue_list:reading at: [kgroup=app]
entering auth_pam_next_token
auth_pam_next_token:reading at [kgroup=app], sep=[=]
auth_pam_next_token:state=PRESPACE, ptr=[kgroup=app], out=[]
auth_pam_next_token:state=IDENT, ptr=[kgroup=app], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[=app], out=[kgroup]
auth_pam_next_token:state=DELIMITER, ptr=[=app], out=[kgroup]
auth_pam_next_token:state=DONE, ptr=[=app], out=[kgroup]
leaving auth_pam_next_token on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/parser.cc:178
auth_pam_walk_namevalue_list:name=[kgroup]
entering auth_pam_next_token
auth_pam_next_token:reading at [app], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[app], out=[]
auth_pam_next_token:state=IDENT, ptr=[app], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[], out=[app]
auth_pam_next_token:state=DELIMITER, ptr=[], out=[app]
auth_pam_next_token:state=DONE, ptr=[], out=[app]
leaving auth_pam_next_token on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/parser.cc:178
walk, &error_namevalue_list:value=[app]
entering auth_pam_map_group_to_user
auth_pam_map_group_to_user:pam_user=karen, name=kgroup, value=app
examining member karen
substitution was made to mysql user app
leaving auth_pam_map_group_to_user on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/authentication_pam.cc:121
auth_pam_walk_namevalue_list:found mapping
leaving auth_pam_walk_namevalue_list on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/parser.cc:248
auth_pam_walk_namevalue_list returned 0
leaving auth_pam_map_groups on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/authentication_pam.cc:173
auth_pam_server:authenticated_as=app
auth_pam_server: rc=0
leaving auth_pam_server on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/authentication_pam.cc:404

Any ideas how to get this working?
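As an added diagnostic, not part of the original question or of MySQL's own documentation: the grant in the question names the proxied account as 'app'@'localhost', while the error from the Windows session reports the client as 'karen'@'WIN-CLIENT.windows.domain'. The queries below, run as a privileged user on the server, list the proxy privileges held by karen and every account named app together with its host pattern, so the two can be compared side by side. They rely only on the standard mysql.proxies_priv and mysql.user system tables; the account names are the ones from the question.

```sql
-- Added diagnostic queries (not from the original question).
-- 1. Proxy privileges granted to karen: which proxied user/host pairs she may impersonate.
SELECT Host, User, Proxied_host, Proxied_user, With_grant
FROM mysql.proxies_priv
WHERE User = 'karen';

-- 2. Every account named 'app', with its host pattern and authentication plugin.
--    Compare the Host column against the client host shown in the ERROR 1045 message.
SELECT User, Host, plugin
FROM mysql.user
WHERE User = 'app';

-- 3. Once a login from the Windows client succeeds, confirm the mapping
--    the same way the working Linux session did.
SELECT USER(), CURRENT_USER(), @@session.proxy_user;
```

The first two result sets show whether any app account exists whose host pattern covers the host the Windows client connects from; the working Linux session connected as karen@localhost, where the 'app'@'localhost' account applies.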

0 answers:

No answers