Centrify, MariaDB, and PHPMyAdmin login troubles
3 weeks ago
We're using Centrify for SSO at our company and I'm trying to integrate a local MariaDB install into AD through PAM and Centrify. I can log in using PAM/Centrify on the command line ("mysql -u testuser"). But I get an error when I try to log in to the same account using phpMyAdmin.
This is on a RHEL 7.6 box with mariadb-server-5.5.60-1.el7_5.x86_64. Version of Centrify client is CentrifyDC-5.3.0-213.x86_64.
I can ssh using my AD account fine. I initially set up MariaDB and phpMyAdmin with local MariaDB accounts only and was able to successfully log in from the command line (mysql -u testuser -p) and to the same user using phpMyAdmin.
I then created the file /etc/pam.d/mysql with these contents:
auth       include      system-auth
#account   required     pam_nologin.so
account    include      system-auth
password   include      system-auth
#session   optional     pam_keyinit.so force revoke
session    include      system-auth
#session   required     pam_loginuid.so
As you can see, I am only including existing items from system-auth that work fine with ssh. I did have the other lines enabled but it seemed to make no difference either way. I'll include the system-auth file at the bottom.
I deleted the MariaDB user and recreated it using these commands:
CREATE USER testuser@localhost IDENTIFIED VIA pam;
GRANT ALL ON *.* TO testuser@localhost WITH GRANT OPTION;
(testuser is not the actual user I used - I used a real AD user).
I was able to log in using "mysql -u testuser" - it asked for a password and, boom, just like magic it worked. Not so with phpMyAdmin. Login fails there. From the journal:
Log from "mysql -u testuser":
INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=testuser(type:ad,testuser@OURDOMAIN.NET) pid=90504 utc=1548945372981 centrifyEventID=24100 status=GRANTED service=mysql tty=(none) client=(none)
Logs from unsuccessful phpMyAdmin login:
ERROR <fd:26 mysqld(90504)> Unexpected error in conversation: (19)
INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=testuser(type:ad,testuser@OURDOMAIN.NET) pid=90504 utc=1548945469163 centrifyEventID=24101 status=DENIED service=mysql tty=(none) client=(none) reason=There's error in PAM Conversation
I turned on debug logging - didn't add much more info. I mean, tons of lines but I think these are the relevant ones:
Successful attempt:
adclient: DEBUG <fd:10 mysqld(90504)> Prompt user for PAM_AUTHTOK: 'Password: '
adclient: DEBUG <fd:10 mysqld(90504)> Received PAM_AUTHTOK: PAM_SUCCESS(0)
Unsuccessful attempt:
adclient: DEBUG <fd:24 mysqld(90504)> Prompt user for PAM_AUTHTOK: 'Password: '
adclient: ERROR <fd:24 mysqld(90504)> Unexpected error in conversation: (19)
adclient: DEBUG <fd:24 mysqld(90504)> Received PAM_AUTHTOK: (19)
And here is /etc/pam.d/system-auth:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
3 weeks ago
Wow, this one was something else. I wrote a little PHP script to connect using mysqli_connect and received more informative error messages than what I was getting back from Centrify or phpMyAdmin:
PHP Warning: mysqli_connect(): The server requested authentication method unknown to the client [dialog] in /root/config.php on line 6
Apparently, phpMyAdmin uses the mysqli_connect module, and mysqli_connect doesn't understand the password prompt provided when MySQL (or MariaDB) uses the "dialog" plugin to talk to PAM.
And I found a solution. By adding "pam-use-cleartext-plugin" to "/etc/my.cnf.d/server.cnf", I made MySQL use that plugin instead of dialog to talk to PAM. mysqli_connect liked it. After restarting the mariadb service, my PHP script worked and I was able to log in using my AD account to phpMyAdmin.
3 weeks ago
One more thing: as its name implies, the cleartext plugin is not encrypted. In my case I'm only connecting to localhost, but if you're connecting to a remote box, don't use this over HTTP. Make sure you're running it over TLS.
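The fix above and the caveat that follows it go together: once pam-use-cleartext-plugin is on, the PAM password travels to the server in the clear unless the connection is loopback-only or wrapped in TLS. The script below is an added example, not code from the thread or from Centrify; it reads an option file in the /etc/my.cnf.d/server.cnf layout ([mysqld] section, one option per line, "-" and "_" interchangeable as the server accepts them) and reports whether cleartext PAM is exposed on the network. The option names pam_use_cleartext_plugin, bind_address, skip_networking, ssl_cert and ssl_key are real MariaDB server options; the sample option files in the test are constructed. It assumes a MariaDB of the 5.5 era, where TLS is only enforced per account via REQUIRE SSL rather than by a global setting, so it treats configured TLS as a warning rather than a pass.

```shell
#!/bin/sh
# Added example (not from the post): flag PAM cleartext authentication that
# would cross the network without TLS. Works on a single option file such as
# /etc/my.cnf.d/server.cnf; the [mysqld] section layout is an assumption.

# Print the [mysqld] section as name=value lines. Comments and whitespace are
# dropped, and '-' in option names is normalised to '_' (the server treats
# pam-use-cleartext-plugin and pam_use_cleartext_plugin as the same option).
mysqld_section() {
    awk '
      /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
      insect {
        sub(/#.*/, "")
        eq = index($0, "=")
        if (eq) { name = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
        else    { name = $0; val = "" }
        gsub(/[ \t]/, "", name); gsub(/-/, "_", name)
        gsub(/^[ \t]+/, "", val); gsub(/[ \t]+$/, "", val)
        if (name != "") print name "=" val
      }' "$1"
}

# Value of one [mysqld] option; the last occurrence wins, as in the server.
# A bare boolean such as "pam-use-cleartext-plugin" on its own prints ON.
# Prints nothing when the option is absent.
mysqld_option() {
    want=$(printf '%s' "$2" | tr - _)
    mysqld_section "$1" | awk -F= -v want="$want" '
      $1 == want { v = ($2 == "") ? "ON" : $2; found = 1 }
      END { if (found) print v }'
}

# Returns 0 when the PAM password cannot leave the host unprotected:
# cleartext plugin off, TCP disabled, loopback-only bind, or TLS configured
# (warn only: in MariaDB 5.5 TLS is enforced per account with REQUIRE SSL).
# Returns 1 when cleartext PAM is reachable over the network without TLS.
check_pam_cleartext() {
    cfg=$1
    ct=$(mysqld_option "$cfg" pam_use_cleartext_plugin)
    case "$ct" in
      ""|0|OFF|off|FALSE|false)
        echo "ok: PAM cleartext plugin not enabled"; return 0 ;;
    esac
    if [ -n "$(mysqld_option "$cfg" skip_networking)" ]; then
        echo "ok: cleartext PAM, but skip_networking is set (socket only)"; return 0
    fi
    bind=$(mysqld_option "$cfg" bind_address)
    case "$bind" in
      127.0.0.1|::1|localhost)
        echo "ok: cleartext PAM, but bind_address=$bind (loopback only)"; return 0 ;;
    esac
    if [ -n "$(mysqld_option "$cfg" ssl_cert)" ] && [ -n "$(mysqld_option "$cfg" ssl_key)" ]; then
        echo "warn: cleartext PAM over the network; TLS is configured but only enforced for accounts created with REQUIRE SSL"
        return 0
    fi
    echo "FAIL: cleartext PAM reachable on bind_address=${bind:-0.0.0.0} with no TLS configured"
    return 1
}

# Usage: sh check-pam-cleartext.sh /etc/my.cnf.d/server.cnf
if [ "$#" -gt 0 ]; then
    check_pam_cleartext "$1"
fi
```

Run it against server.cnf after adding the option; a FAIL means the phpMyAdmin host and the database are on different machines and the PAM password is going over the wire in the clear, so either bind to loopback, set up ssl-cert/ssl-key/ssl-ca and recreate the PAM account with REQUIRE SSL, or do not enable the cleartext plugin.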
2 weeks ago
For historic reasons, here's an additional comment.
Both MySQL and MariaDB support different authentication patterns that can leverage OS authentication using PAM, GSSAPI/Kerberos and other methods such as SASL. Over the years, many folks have come to us with these types of questions, and here are some relevant posts:
- KB - How to set up authentication with MySQL. https://centrify.force.com/support/Article/KB-2349-How-to-set-up-Centrify-authentication-with-MySQL