Centrify, MariaDB, and PHPMyAdmin login troubles

Participant II
Posts: 3
Registered: 3 weeks ago
#1 of 4
Accepted Solution

Centrify, MariaDB, and PHPMyAdmin login troubles

We're using Centrify for SSO at our company and I'm trying to integrate a local mariadb install into AD through PAM and Centrify.  I can log in using PAM/Centrify on the command line ("mysql -u testuser").  But I get an error when I try to log in to the same account using phpMyAdmin.

This is on a RHEL 7.6 box with mariadb-server-5.5.60-1.el7_5.x86_64.  Version of Centrify client is CentrifyDC-5.3.0-213.x86_64.

I can ssh using my AD account fine.  I initially set up maria and phpmyadmin with local maria accounts only and was able to successfully log in from the command line (mysql -u testuser -p) and to the same user using phpmyadmin.

 

I then created the file /etc/pam.d/mysql with these contents:

auth include system-auth 

#account required pam_nologin.so 
account include system-auth 

password include system-auth 

#session optional pam_keyinit.so force revoke 
session include system-auth 
#session required pam_loginuid.so 

As you can see, I am only including existing items from system-auth that work fine with ssh.  I did have the other lines enabled but it seemed to make no difference either way.  I'll include the system-auth file at the bottom.

I deleted the maria user and recreated it using these commands:

CREATE USER testuser@localhost IDENTIFIED VIA pam;
GRANT ALL ON *.* TO testuser@localhost WITH GRANT OPTION;

(testuser is not the actual user I used - I used a real AD user).

I was able to log in using "mysql -u testuser" - it asked for a password and, boom, just like magic it worked.  Not so with phpMyAdmin.  Login fails there.  From the journal:

Log from "mysql -u testuser":
INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=testuser(type:ad,testuser@OURDOMAIN.NET) pid=90504 utc=1548945372981 centrifyEventID=24100 status=GRANTED service=mysql tty=(none) client=(none)

Logs from unsuccessful phpmyadmin login:
ERROR <fd:26 mysqld(90504)> Unexpected error in conversation: (19)
INFO  AUDIT_TRAIL|Centrify Suite|PAM|1.0|101|PAM authentication denied|5|user=testuser(type:ad,testuser@OURDOMAIN.NET) pid=90504 utc=1548945469163 centrifyEventID=24101 status=DENIED service=mysql tty=(none) client=(none) reason=There's error in PAM Conversation

I turned on debug logging - didn't add much more info.  I mean, tons of lines but I think these are the relevant ones:

Successful attempt:
adclient[95540]: DEBUG <fd:10 mysqld(90504)> Prompt user for PAM_AUTHTOK: 'Password: '
adclient[95540]: DEBUG <fd:10 mysqld(90504)> Received PAM_AUTHTOK: PAM_SUCCESS(0)

Unsuccessful attempt:
adclient[95540]: DEBUG <fd:24 mysqld(90504)> Prompt user for PAM_AUTHTOK: 'Password: '
adclient[95540]: ERROR <fd:24 mysqld(90504)> Unexpected error in conversation: (19)
adclient[95540]: DEBUG <fd:24 mysqld(90504)> Received PAM_AUTHTOK: (19)

/etc/pam.d/system-auth:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Participant II
Posts: 3
Registered: 3 weeks ago
#2 of 4

Re: Centrify, MariaDB, and PHPMyAdmin login troubles

Wow, this one was something else. I wrote a little php script to connect using mysqli_connect and received more informative error messages than what I was getting back from Centrify or phpMyAdmin.

PHP Warning:  mysqli_connect(): The server requested authentication method unknown to the client [dialog] in /root/config.php on line 6

Apparently, phpMyAdmin uses the mysqli_connect module and mysqli_connect doesn't understand the password prompt provided when mysql (or mariadb) uses the "dialog" plugin to talk to pam.

And I found a solution.  By adding "pam-use-cleartext-plugin" to "/etc/my.cnf.d/server.cnf", I made mysql use that plugin instead of dialog to talk to pam.  mysqli_connect liked it.  After restarting the mariadb service, my php script worked and I was able to log in using my AD account to phpMyAdmin.

Participant II
Posts: 3
Registered: 3 weeks ago
#3 of 4

Re: Centrify, MariaDB, and PHPMyAdmin login troubles

One more thing - as its name implies the cleartext plugin is not encrypted.  In my case, I'm only connecting to localhost but, if you're connecting to a remote box, don't use this over http.  Make sure you're running it over TLS.
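
A small test script that puts posts #2 and #3 together (an added example, not the script from the thread): it connects with mysqli to an account that is IDENTIFIED VIA pam on a server configured with pam-use-cleartext-plugin, but only over TLS with the server certificate verified, since the cleartext plugin otherwise sends the AD password unencrypted. The hostname, user, CA path and DB_PASSWORD variable are assumptions.

```php
<?php
// Added example: mysqli connection to a PAM-backed MariaDB account using the
// cleartext client plugin, forced over TLS with CA verification. Host, user,
// CA file path and the DB_PASSWORD environment variable are assumed values.

// Make mysqli return false on failure (PHP 8.1+ would throw by default),
// so the error text from the server is handled in one place below.
mysqli_report(MYSQLI_REPORT_OFF);

function connect_pam_over_tls(string $host, string $user, string $password,
                              string $caFile, string $db = 'mysql'): mysqli
{
    $link = mysqli_init();
    if ($link === false) {
        throw new RuntimeException('mysqli_init() failed');
    }
    // Verify the server certificate against the CA: without this a spoofed
    // server could collect the cleartext PAM password during the handshake.
    mysqli_options($link, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    // Server-authenticated TLS only; no client key/cert, just the CA bundle.
    mysqli_ssl_set($link, null, null, $caFile, null, null);

    $ok = mysqli_real_connect($link, $host, $user, $password, $db, 3306, null,
                              MYSQLI_CLIENT_SSL);
    if (!$ok) {
        // Without pam-use-cleartext-plugin on the server this is where you see
        // "The server requested authentication method unknown to the client [dialog]".
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    // Belt and braces: confirm the session actually negotiated a cipher. If it
    // did not, the password has already crossed the wire in clear; treat it as
    // exposed (rotate it) rather than just failing silently.
    $res = mysqli_query($link, "SHOW STATUS LIKE 'Ssl_cipher'");
    $row = $res ? mysqli_fetch_row($res) : null;
    if (!$row || $row[1] === '') {
        mysqli_close($link);
        throw new RuntimeException('session is not TLS-protected; PAM password may be exposed');
    }
    return $link;
}

try {
    $db = connect_pam_over_tls('db.example.internal', 'testuser',
                               getenv('DB_PASSWORD') ?: '',
                               '/etc/pki/tls/certs/ca-bundle.crt');
    echo 'connected: ' . mysqli_get_host_info($db) . "\n";
    mysqli_close($db);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

For the thread's own localhost case over the Unix socket the cleartext plugin never crosses the network, so the TLS requirement matters only when phpMyAdmin and MariaDB sit on different hosts.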

Centrify Guru I
Posts: 2,433
Registered: 07-26-2012
#4 of 4

Re: Centrify, MariaDB, and PHPMyAdmin login troubles

For historic reasons, here's an additional comment.

Both MySQL and MariaDB support different authentication patterns that can leverage OS authentication using PAM, GSSAPI/Kerberos and other methods such as SASL.  Over the years, many folks have come to us with these types of questions and here are some relevant posts:

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com