percona-pam-for-mysql

Document client plugin_dir setting

Bug #901242 reported by patlik lindqvist
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
percona-pam-for-mysql
Fix Released
Medium
Hrvoje Matijakovic
percona-pam-for-mysql percona-full-pam

Bug Description

plugin_dir is set in my.cnf
plugin_dir is set in mysqld_safe file

When 'show variable like 'plugin_dir' it shows the right dir

When echo from mysqld_safe on startup it got the right dir.

auth_pam.so is in the right plugin_dir

The plugin is loaded and active.

BUT when try to log in with user created with 'IDENTIFIED WITH auth_pam_server' i get error:
ERROR 2059 (HY000): Authentication plugin 'auth_pam' cannot be loaded: /usr/local/Percona-Server-5.5.17-rel22.1-197.Linux.x86_64/lib/plugin/auth_pam.so: cannot open shared object file: No such file or directory

So where does it get that location for the plugin dir??? The dir dosent exists.
The databas and pam plugin is from the binary release.

Tags: doc
Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

Thanks for the bug report.

Can you paste the relevant part of SHOW PLUGINS output, SELECT user,host,plugin,authentication_string FROM mysql.user WHERE user LIKE "your_pam_authenticated_user", and "ls -l" in your plugin directory?

Revision history for this message
patlik lindqvist (patrik-lindqvist) wrote :

Hi

Heres the stuff that you wanted (And some more:))

[root]# bin/mysql_config --plugindir
/db/test/server/lib/mysql/plugin

[root plugin]# ls -al
-rwxr-xr-x 1 root root 15546 Nov 19 09:47 auth_pam.so

TEST XtraDB (none)> INSTALL PLUGIN auth_pam_server SONAME 'auth_pam.so';
Query OK, 0 rows affected (0.03 sec)

TEST XtraDB (none)> show variables like 'plugin%';
+---------------+----------------------------------+
| Variable_name | Value |
 +---------------+----------------------------------+
| plugin_dir | /db/test/server/lib/mysql/plugin |
 +---------------+----------------------------------+

[root server]# ls -al /etc/pam.d/mysqld
-rw-r--r-- 1 root root 192 Dec 12 11:22 /etc/pam.d/mysqld

TEST XtraDB (none)> create user 'patlin'@'localhost' identified with auth_pam_server;
Query OK, 0 rows affected (0.01 sec)

[root server]# bin/mysql -upatlin -p
Enter password:
ERROR 2059 (HY000): Authentication plugin 'auth_pam' cannot be loaded: /usr/local/Percona-Server-5.5.13-rel20.4-138.Linux.x86_64/lib/plugin/auth_pam.so: cannot open shared object file: No such file or directory

TEST XtraDB (none)> SHOW PLUGINS;
+--------------------------------+----------+--------------------+-------------+---------+
| Name | Status | Type | Library | License |
 +--------------------------------+----------+--------------------+-------------+---------+
| auth_pam_server | ACTIVE | AUTHENTICATION | auth_pam.so | GPL |
 +--------------------------------+----------+--------------------+-------------+---------+

TEST XtraDB (none)> SELECT user,host,plugin,authentication_string FROM mysql.user WHERE user LIKE "patlin";
+--------+-----------+-----------------+-----------------------+
| user | host | plugin | authentication_string |
 +--------+-----------+-----------------+-----------------------+
| patlin | localhost | auth_pam_server | |
 +--------+-----------+-----------------+-----------------------+

Valentine Gostev (longbow)
Changed in percona-pam-for-mysql:
assignee: nobody → Valentine Gostev (longbow)
Revision history for this message
patlik lindqvist (patrik-lindqvist) wrote :

Hi

When we try to login with a account with auth_pam plugin in.

mysqld: pam_unix(mysqld:auth): conversation failed
mysqld: pam_unix(mysqld:auth): auth could not identify password for [<pamuser>]
mysqld: pam_warn(mysqld:auth): function=[pam_sm_authenticate] service=[mysqld] terminal=[<unknown>] user=[<pamuser>] ruser=[<pamuser>] rhost=[localhost]
mysqld: pam_unix(mysqld:auth): conversation failed
mysqld: pam_unix(mysqld:auth): unable to obtain a password
mysqld: pam_unix(mysqld:auth): auth could not identify password for [<pamuser>]
mysqld: pam_unix(mysqld:auth): conversation failed
mysqld: pam_unix(mysqld:auth): auth could not identify password for [<pamuser>]
mysqld: pam_warn(mysqld:auth): function=[pam_sm_authenticate] service=[mysqld] terminal=[<unknown>] user=[<pamuser>] ruser=[<pamuser>] rhost=[localhost]
mysqld: pam_unix(mysqld:auth): conversation failed
mysqld: pam_unix(mysqld:auth): unable to obtain a password
mysqld: pam_unix(mysqld:auth): auth could not identify password for [<pamuser>]

It can be understandable because we are runing with kerberos login and we don't have any passwords in the shadow file.

I also tryed to get kerberos working but I get this :

authentication fails for 'pamuser' (<email address hidden>): Authentication failure (Cannot read password)

and the pam mysqld conf file is like this:

#%PAM-1.0

auth sufficient /lib/security/$ISA/pam_krb5.so ignore_unknown_upn minimum_uid=5000

account required /lib/security/$ISA/pam_access.so

password required /lib/security/$ISA/pam_cracklib.so dcredit=-2 ucredit=-2 ocredit=-1 lcredit=0 minlen=18
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok

Have we missed something?

Revision history for this message
Kenny Gryp (gryp) wrote :

Your client has a wrong plugin_dir setting

please add:

[client]
plugin_dir='/db/test/server/lib/mysql/plugin'

This worked in my case

Laurynas Biveinis (laurynas-biveinis)
Changed in percona-pam-for-mysql:
status: New → Triaged
importance: Undecided → Medium
milestone: none → percona-full-pam
Revision history for this message
patlik lindqvist (patrik-lindqvist) wrote :

That was the missing piece. It works. No bugg.

Thanx
Patrik

Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

Thank you Patrik.

Changing this to be a documentation bug.

summary: - Cant get plugin_dir to be recognised when try to login
+ Document client plugin_dir setting
Laurynas Biveinis (laurynas-biveinis)
Changed in percona-pam-for-mysql:
assignee: Valentine Gostev (longbow) → Hrvoje Matijakovic (hrvojem)
Hrvoje Matijakovic (hrvojem)
Changed in percona-pam-for-mysql:
status: Triaged → In Progress
Hrvoje Matijakovic (hrvojem)
tags: added: doc
Hrvoje Matijakovic (hrvojem)
Changed in percona-pam-for-mysql:
status: In Progress → Fix Committed
Hrvoje Matijakovic (hrvojem)
Changed in percona-pam-for-mysql:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.