Question

Проверка подлинности прокси-сервера MySQL PAM из Windows Client

Я пытаюсь объединить проверку подлинности прокси с пользователями прокси.

https://blog.pythian.com/authenticating-mysql-8-0-enterprise-active-directory/ https://dev.mysql.com/doc/refman/8.0/en/pam-pluggable-authentication.html

[patrick@lnx-mysql8 ~]$ id karen
uid=985601345(karen) gid=985600513(domain users) groups=985600513(domain users),1003(kgroup)

CREATE USER 'karen'@'%'
  IDENTIFIED WITH authentication_pam
  AS 'mysql,kgroup=app';


GRANT PROXY ON 'app'@'localhost' TO 'karen'@'%';
GRANT SELECT ON app.* TO 'karen'@'%';

Все нормально, если я подключаюсь с сервера Linux.

[patrick@lnx-mysql8 ~]$ mysql -u karen -p --enable-cleartext-plugin
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 27
Server version: 8.0.13-commercial MySQL Enterprise Server - Commercial

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT USER(), CURRENT_USER(), @@session.proxy_user;
+-----------------+----------------+----------------------+
| USER()          | CURRENT_USER() | @@session.proxy_user |
+-----------------+----------------+----------------------+
| karen@localhost | app@localhost  | 'karen'@'%'          |
+-----------------+----------------+----------------------+
1 row in set (0.00 sec)

mysql>

Однако, когда я подключаюсь с компьютера с Windows, он не работает.

[patrick@WIN-CLIENT] C:\Program Files\MySQL\MySQL Server 8.0\bin> mysql -u karen -h lnx-mysql8 --enable-cleartext-p
lugin -p
Enter password: ***********
ERROR 1045 (28000): Access denied for user 'karen'@'WIN-CLIENT.windows.domain' (using password: YES)
[patrick@WIN-CLIENT] C:\Program Files\MySQL\MySQL Server 8.0\bin>

Пароль правильный, и трассировка, похоже, указывает на то, что PAM принимает пароль и разрешает соединение, но все равно я получаю сообщение об ошибке.

entering auth_pam_server
entering auth_pam_next_token
auth_pam_next_token:reading at [mysql,kgroup=app], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[mysql,kgroup=app], out=[]
auth_pam_next_token:state=IDENT, ptr=[mysql,kgroup=app], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[,kgroup=app], out=[mysql]
auth_pam_next_token:state=DELIMITER, ptr=[,kgroup=app], out=[mysql]
auth_pam_next_token:state=DONE, ptr=[,kgroup=app], out=[mysql]
leaving auth_pam_next_token on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/parser.cc:178
auth_pam_server:password password123 received
auth_pam_server:pam_start rc=0
auth_pam_server:pam_set_item(PAM_RUSER,karen) rc=0
auth_pam_server:pam_set_item(PAM_RHOST,WIN-CLIENT.windows.domain) rc=0
entering auth_pam_server_conv
auth_pam_server_conv:PAM_PROMPT_ECHO_OFF [Password: ] received
leaving auth_pam_server_conv on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/authentication_pam.cc:253
auth_pam_server:pam_authenticate rc=0
auth_pam_server:pam_acct_mgmt rc=0
auth_pam_server:pam_setcred(PAM_ESTABLISH_CRED) rc=0
auth_pam_server:pam_get_item rc=0
auth_pam_server:pam_setcred(PAM_DELETE_CRED) rc=0
entering auth_pam_map_groups
entering auth_pam_walk_namevalue_list
auth_pam_walk_namevalue_list:reading at: [kgroup=app]
entering auth_pam_next_token
auth_pam_next_token:reading at [kgroup=app], sep=[=]
auth_pam_next_token:state=PRESPACE, ptr=[kgroup=app], out=[]
auth_pam_next_token:state=IDENT, ptr=[kgroup=app], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[=app], out=[kgroup]
auth_pam_next_token:state=DELIMITER, ptr=[=app], out=[kgroup]
auth_pam_next_token:state=DONE, ptr=[=app], out=[kgroup]
leaving auth_pam_next_token on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/parser.cc:178
auth_pam_walk_namevalue_list:name=[kgroup]
entering auth_pam_next_token
auth_pam_next_token:reading at [app], sep=[,]
auth_pam_next_token:state=PRESPACE, ptr=[app], out=[]
auth_pam_next_token:state=IDENT, ptr=[app], out=[]
auth_pam_next_token:state=AFTERSPACE, ptr=[], out=[app]
auth_pam_next_token:state=DELIMITER, ptr=[], out=[app]
auth_pam_next_token:state=DONE, ptr=[], out=[app]
leaving auth_pam_next_token on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/parser.cc:178
walk, &error_namevalue_list:value=[app]
entering auth_pam_map_group_to_user
auth_pam_map_group_to_user:pam_user=karen, name=kgroup, value=app
examining member karen
substitution was made to mysql user app
leaving auth_pam_map_group_to_user on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/authentication_pam.cc:121
auth_pam_walk_namevalue_list:found mapping
leaving auth_pam_walk_namevalue_list on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/parser.cc:248
auth_pam_walk_namevalue_list returned 0
leaving auth_pam_map_groups on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/authentication_pam.cc:173
auth_pam_server:authenticated_as=app
auth_pam_server: rc=0
leaving auth_pam_server on ../../../mysqlcom-8.0.13/plugin/pam-authentication-plugin/src/authentication_pam.cc:404

Есть идеи, как заставить это работать?

MySQL PAM с прокси-аутентификацией от клиента Windows

Пожалуйста, войдите или зарегистрируйтесь чтобы ответить на этот вопрос.

Ответы [ 0 ]

MySQL PAM с прокси-аутентификацией от клиента Windows

Пожалуйста, войдите или зарегистрируйтесь чтобы ответить на этот вопрос.

Ответы [ 0 ]

Похожие темы