I'm working on configuring AD authentication on MySQL (installed on RHEL 6.6) using Pluggable Authentication Modules (PAM).
So far, my AD users are able to log in on the RHEL box using AD credentials. But when I try to log in to MySQL using the PAM plugin, I'm getting the Access Denied error. The PAM configuration for MySQL is as follows:
/etc/pam.d/mysql:
auth required pam_winbind.so
account required pam_winbind.so
When I check the MySQL error logs, I see a system error thrown in the method authenticate_pam(). Following are the mysqld logs:
entering auth_pam_server
entering auth_pam_next_token
auth_pam_next_token:reading at [mysql, MySQLUsers=mysql_ad], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[mysql, MySQLUsers=mysql_ad], out=[]
auth_pam_next_token:state=IDENT, ptr=[mysql, MySQLUsers=mysql_ad], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[, MySQLUsers=mysql_ad], out=[mysql]
auth_pam_next_token:state=DELIMITER, ptr=[, MySQLUsers=mysql_ad], out=[mysql]
auth_pam_next_token:state=DONE, ptr=[, MySQLUsers=mysql_ad], out=[mysql]
leaving auth_pam_next_token on /export/home/pb2/build/sb_0-19016729-1464156482.79/rpm/BUILD/mysqlcom-pro-5.7.13/mysqlcom-pro-5.7.13/plugin/pam-authentication-plugin/src/parser.c:195
auth_pam_server:password ******** received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,administrator) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,localhost) rc=0
entering auth_pam_server_conv
auth_pam_server_conv:PAM_PROMPT_ECHO_OFF [Password: ] received
leaving auth_pam_server_conv on /export/home/pb2/build/sb_0-19016729-1464156482.79/rpm/BUILD/mysqlcom-pro-5.7.13/mysqlcom-pro-5.7.13/plugin/pam-authentication-plugin/src/authentication_pam.c:269
**auth_pam_server:pam_authenticate rc=4
auth_pam_server: rc=4
PAM error: System error**
leaving auth_pam_server on /export/home/pb2/build/sb_0-19016729-1464156482.79/rpm/BUILD/mysqlcom-pro-5.7.13/mysqlcom-pro-5.7.13/plugin/pam-authentication-plugin/src/authentication_pam.c:441
2016-07-18T12:48:22.360536Z 122 [Note] Access denied for user 'administrator'@'localhost' (using password: YES)
As per the above PAM configuration, PAM is using winbind to look up the user credentials in AD and authenticate, which is the same process used for authenticating AD users on the Linux box. And when I look at the winbind logs, I see the following:
[2016/07/18 08:27:24.236701, 5] winbindd/winbindd_pam.c:1868(winbindd_dual_pam_auth)
Plain-text authentication for user CORPAD\administrator returned NT_STATUS_OK (PAM: 0)
This tells me that the authentication is working fine from winbind, but when winbind returns control back to PAM, something is failing and a system error is thrown.
Well, I figured it out.
First, I enabled the debug logs on PAM following this post - https://serverfault.com/questions/249671/switch-on-pam-debugging-to-syslog.
When I did that, I found that every time I tried to authenticate, I was getting the following error: PAM audit_open() failed: Permission denied
The root cause of this was that SELinux was enforcing. So I disabled SELinux and restarted the system, which fixed this issue. I'm now able to log in to Linux using my AD credentials and then use the mysql command and authenticate to mysql as well!
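The following is an added example, not part of the question or the answer above. It is a small POSIX shell helper that reproduces the two diagnostic steps described on this page in code: it extracts the pam_authenticate rc value from the mysqld PAM plugin debug log (the rc=4 seen in the question) and maps it to its Linux-PAM return-code name (4 is PAM_SYSTEM_ERR in Linux-PAM's pam_types.h), and it counts the "audit_open() failed: Permission denied" messages in a syslog excerpt (the clue the answer found after enabling PAM debug logging). The two log samples are constructed for this example from the lines quoted in the post; the hostname, timestamps and the selinux_mode helper are assumptions, and the helper only calls getenforce if it is installed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). It reads a mysqld
# PAM-plugin debug log and a syslog excerpt, maps the pam_authenticate return
# code to its Linux-PAM name, and reports whether the SELinux/audit symptom
# described in the answer is present. Samples below are constructed.

# Linux-PAM return codes (values from pam_types.h; only the common ones listed).
pam_rc_name() {
    case "$1" in
        0)  echo PAM_SUCCESS ;;
        1)  echo PAM_OPEN_ERR ;;
        2)  echo PAM_SYMBOL_ERR ;;
        3)  echo PAM_SERVICE_ERR ;;
        4)  echo PAM_SYSTEM_ERR ;;
        5)  echo PAM_BUF_ERR ;;
        6)  echo PAM_PERM_DENIED ;;
        7)  echo PAM_AUTH_ERR ;;
        8)  echo PAM_CRED_INSUFFICIENT ;;
        9)  echo PAM_AUTHINFO_UNAVAIL ;;
        10) echo PAM_USER_UNKNOWN ;;
        11) echo PAM_MAXTRIES ;;
        12) echo PAM_NEW_AUTHTOK_REQD ;;
        13) echo PAM_ACCT_EXPIRED ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Return code of the last "pam_authenticate rc=N" line on stdin (empty if none).
mysqld_pam_rc() {
    sed -n 's/.*pam_authenticate rc=\([0-9]*\).*/\1/p' | tail -n 1
}

# Number of audit_open() permission failures in the syslog text on stdin.
audit_open_denials() {
    grep -c 'audit_open() failed: Permission denied' || true
}

# Current SELinux mode, or "unavailable" when getenforce is not installed.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unavailable; fi
}

# diagnose MYSQLD_LOG_TEXT SYSLOG_TEXT -> one verdict token on stdout.
diagnose() {
    rc=$(printf '%s\n' "$1" | mysqld_pam_rc)
    denials=$(printf '%s\n' "$2" | audit_open_denials)
    if [ -z "$rc" ]; then
        echo NO_PAM_AUTHENTICATE_LINE
    elif [ "$rc" = 0 ]; then
        echo AUTH_OK
    elif [ "$rc" = 4 ] && [ "$denials" -gt 0 ]; then
        # PAM_SYSTEM_ERR plus audit_open() denials: the pattern from this page.
        echo SELINUX_AUDIT_DENIAL
    elif [ "$rc" = 4 ]; then
        echo PAM_SYSTEM_ERR_NO_AUDIT_DENIAL
    else
        echo "PAM_FAILURE:$(pam_rc_name "$rc")"
    fi
}

# Constructed sample: the relevant mysqld debug lines quoted in the question.
MYSQLD_LOG_SAMPLE='auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,administrator) rc=0
auth_pam_server:pam_authenticate rc=4
auth_pam_server: rc=4
PAM error: System error'

# Constructed sample: two syslog lines carrying the message the answer found
# (hostname and timestamps are made up).
SYSLOG_SAMPLE='Jul 18 08:27:24 rhel66 mysqld: PAM audit_open() failed: Permission denied
Jul 18 08:29:02 rhel66 mysqld: PAM audit_open() failed: Permission denied'

# Usage: sh pam_diag.sh /var/log/mysqld.log /var/log/secure
if [ "$#" -eq 2 ]; then
    echo "verdict: $(diagnose "$(cat "$1")" "$(cat "$2")")  selinux: $(selinux_mode)"
fi
```

On a live box the verdict SELINUX_AUDIT_DENIAL is the cue to look at the audit log for the actual AVC records (ausearch -m avc -c mysqld), which is also the input audit2allow consumes when building a targeted policy module for the mysqld process.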