MySQL 5.7 (RHEL6.6) PAM Authentication with AD
I am configuring AD authentication on MySQL (installed on RHEL 6.6) using Pluggable Authentication Modules (PAM).
So far, my AD users can log in to the RHEL box with their AD credentials. But when I try to log in to MySQL through the PAM plugin, I get an access denied error. The PAM configuration for MySQL is as follows:
/etc/pam.d/mysql:
auth required pam_winbind.so
account required pam_winbind.so
When I check the MySQL error log, I see a system error thrown in the method authenticate_pam(). Here is the mysqld log:
entering auth_pam_server
entering auth_pam_next_token
auth_pam_next_token:reading at [mysql, MySQLUsers=mysql_ad], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[mysql, MySQLUsers=mysql_ad], out=[]
auth_pam_next_token:state=IDENT, ptr=[mysql, MySQLUsers=mysql_ad], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[, MySQLUsers=mysql_ad], out=[mysql]
auth_pam_next_token:state=DELIMITER, ptr=[, MySQLUsers=mysql_ad], out=[mysql]
auth_pam_next_token:state=DONE, ptr=[, MySQLUsers=mysql_ad], out=[mysql]
leaving auth_pam_next_token on /export/home/pb2/build/sb_0-19016729-1464156482.79/rpm/BUILD/mysqlcom-pro-5.7.13/mysqlcom-pro-5.7.13/plugin/pam-authentication-plugin/src/parser.c:195
auth_pam_server:password ******** received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,administrator) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0
entering auth_pam_server_conv
auth_pam_server_conv:PAM_PROMPT_ECHO_OFF [Password: ] received
leaving auth_pam_server_conv on /export/home/pb2/build/sb_0-19016729-1464156482.79/rpm/BUILD/mysqlcom-pro-5.7.13/mysqlcom-pro-5.7.13/plugin/pam-authentication-plugin/src/authentication_pam.c:269
auth_pam_server:pam_authenticate rc=4
auth_pam_server: rc=4
PAM error: System error
leaving auth_pam_server on /export/home/pb2/build/sb_0-19016729-1464156482.79/rpm/BUILD/mysqlcom-pro-5.7.13/mysqlcom-pro-5.7.13/plugin/pam-authentication-plugin/src/authentication_pam.c:441
2016-07-18T12:48:22.360536Z 122 [Note] Access denied for user 'administrator'@'localhost' (using password: YES)
Per the PAM configuration above, PAM uses winbind to look up the user's credentials in AD and authenticate them, which is the same path used to authenticate AD users on the Linux box. When I look at the winbind log, I see the following:
[2016/07/18 08:27:24.236701, 5] winbindd/winbindd_pam.c:1868(winbindd_dual_pam_auth)
Plain-text authentication for user CORPAD\administrator returned NT_STATUS_OK (PAM: 0)
This tells me that authentication works fine in winbind, but when winbind returns control to PAM, something goes wrong and a system error is raised.
Well, I figured it out.
First, I enabled debug logging for PAM following this post: https://serverfault.com/questions/249671/switch-on-pam-debugging-to-syslog.
Once I did that, I found that every time I tried to authenticate I got the following error:
PAM audit_open() failed: Permission denied
The root cause was that SELinux was enforcing. So I disabled SELinux and rebooted the system, and that resolved the issue. I can now log in to Linux with my AD credentials, then run the mysql command and authenticate to mysql!
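As an added diagnostic aid, not part of the original question or answer: a POSIX shell helper that reads the authentication_pam plugin's debug output as quoted above, pulls out the pam_authenticate return code, maps it to its Linux-PAM name (the numbering in <security/_pam_types.h>, where 4 is PAM_SYSTEM_ERR and pam_strerror() renders it as "System error"), and separates credential failures (which point at pam_winbind/AD) from PAM-internal failures (which point at the plumbing around PAM: the audit socket, SELinux, module loading). The sample log text is constructed from the lines above and the function names are the editor's own. The SELinux check only reports what getenforce says; on a host where the mode is Enforcing, the usual follow-up to a denial like the audit_open() one above is to find the AVC record with ausearch -m AVC, build a targeted module with audit2allow, or switch to permissive temporarily with setenforce 0, rather than disabling SELinux outright.

```shell
#!/bin/sh
# Added example: triage helper for the MySQL authentication_pam plugin log.
# Not taken from the original post; function names are the editor's own.

# Constructed sample log, trimmed from the mysqld output quoted above.
SAMPLE_LOG='auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,administrator) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0
auth_pam_server:pam_authenticate rc=4
auth_pam_server: rc=4
PAM error: System error'

# Linux-PAM return codes, as numbered in <security/_pam_types.h>.
pam_rc_name() {
  case "$1" in
    0) echo PAM_SUCCESS ;;
    1) echo PAM_OPEN_ERR ;;
    2) echo PAM_SYMBOL_ERR ;;
    3) echo PAM_SERVICE_ERR ;;
    4) echo PAM_SYSTEM_ERR ;;
    5) echo PAM_BUF_ERR ;;
    6) echo PAM_PERM_DENIED ;;
    7) echo PAM_AUTH_ERR ;;
    8) echo PAM_CRED_INSUFFICIENT ;;
    9) echo PAM_AUTHINFO_UNAVAIL ;;
    10) echo PAM_USER_UNKNOWN ;;
    11) echo PAM_MAXTRIES ;;
    12) echo PAM_NEW_AUTHTOK_REQD ;;
    13) echo PAM_ACCT_EXPIRED ;;
    19) echo PAM_CONV_ERR ;;
    26) echo PAM_ABORT ;;
    *) echo "PAM_RC_$1" ;;
  esac
}

# Print the value N from the last "pam_authenticate rc=N" line in $1
# (empty output if the plugin never reached pam_authenticate).
pam_authenticate_rc() {
  printf '%s\n' "$1" | sed -n 's/.*pam_authenticate rc=\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Classify where to look next:
#   ok          - authentication succeeded
#   credentials - the backend (pam_winbind/AD) rejected the user; read winbind's log
#   plumbing    - PAM itself failed (rc=4 PAM_SYSTEM_ERR and friends); read PAM's
#                 syslog output and the audit/SELinux state of the mysqld process
pam_failure_class() {
  case "$1" in
    0) echo ok ;;
    7|8|9|10|11|12|13) echo credentials ;;
    1|2|3|4|5|19|26) echo plumbing ;;
    *) echo unknown ;;
  esac
}

# One-line verdict for a log: "rc=<N> <name> <class>".
triage_pam_log() {
  rc=$(pam_authenticate_rc "$1")
  if [ -z "$rc" ]; then
    echo "no pam_authenticate call found"
    return 1
  fi
  echo "rc=$rc $(pam_rc_name "$rc") $(pam_failure_class "$rc")"
}

# Report the SELinux mode without changing it; "unavailable" where getenforce is absent.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce
  else
    echo unavailable
  fi
}

# Stand-alone run against the constructed sample.
triage_pam_log "$SAMPLE_LOG"
case "$(selinux_mode)" in
  Enforcing) echo "SELinux is Enforcing: check 'ausearch -m AVC -ts recent' for mysqld denials" ;;
  *) echo "SELinux mode: $(selinux_mode)" ;;
esac
```

Run it on a box where the plugin has been started with its debug output enabled and the verdict tells you which log to open next: a credentials class means the winbind side (as the NT_STATUS_OK line above would have ruled out here), a plumbing class means PAM's own syslog messages and the SELinux/audit state of the mysqld process.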