Scenario / Questions

In our corporate environment long ago some wiz decided to put the user “mysql” into LDAP.

The account is disabled:

$ sudo su - mysql
This account is currently not available.

…but its id still exists:

$ id mysql
uid=2050913(mysql) gid=867(ENG) groups=867(ENG)

This makes mariadb installations fail on CentOS7 because /var/run/mariadb is created by a tmpfile rule which tries to assign the directory to be owned by mysql. But mysql doesn’t exist until LDAP/networking is up and running, and the mariadb install doesn’t create the mysql user because the user already exists in ldap.

Is there a way to locally force PAM (or something?) to ignore the user mysql in LDAP? Or rename the ldap mysql user to mysql_ldap?

Is my only workaround to manually add the entry in /etc/passwd? (Or change the mariadb config to use different username.) I’d rather have minimal changes to the config and systemd files that come from the rpm.

(And I don’t have high hopes of removing mysql from LDAP as that could break a lot of legacy infrastructure.)

I’ll be using ansible, btw, to implement the change.

Additional:

I’ve changed the title of the question:

I have found that if I do add the local “mysql” user that it works ok, unless I have files owned by the userid of the LDAP “mysql” user. If I ls -la the files, it then pollutes the nscd (or sssd) cache and “mysql” again resolves to the LDAP user. It seems what I really want is to somehow construct a PAM filter for accounts to make this LDAP “mysql” user disappear.

Find below all possible solutions or suggestions for the above questions.

Suggestion: 1

Here’s my final solution, coded in ansible:

- name: Disable ldap users
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: nss
    option: filter_users
    value: "{{ filter_ldap_users | join(',') }}"
  register: sssd_conf_users

- name: Disable ldap groups
  ini_file:
    dest: /etc/sssd/sssd.conf
    section: nss
    option: filter_groups
    value: "{{ filter_ldap_groups | join(',') }}"
  register: sssd_conf_groups

- name: Restart SSSD
  when: sssd_conf_users.changed or sssd_conf_groups.changed
  service:
    name: sssd
    state: restarted

- name: Flush NSCD cache
  when: sssd_conf_users.changed or sssd_conf_groups.changed
  shell: "for db in /var/db/nscd/*; do nscd -i $(basename $db); done"

- name: Flush SSSD cache
  when: sssd_conf_users.changed or sssd_conf_groups.changed
  command: /usr/sbin/sss_cache -E

Suggestion: 2

On PAM level:
All you need is to ignore a user in LDAP. So, set up the particular LDAP client you’re using (in CentOS it would be sssd) to use custom LDAP UID/GID lookup filters which will ignore the “mysql” record. On an existing system you will then have to clean the sssd cache and restart it, and the user will be gone. Reinstallation of mariadb will then create a local mysql user.

On package level:

Set up a custom Yum repo somewhere on the network that will include a package that contains a post-install script, fixing the mysql user problem. You’ll also have to put the mariadb package in that repo. Then, define a package group which will include that package and mariadb and install it.
Alternatively, you could rebuild the mariaDB package with an updated, more intelligent post-install script that will take care of the mysql user creation.

I’d go with A – B is somewhat obfuscated 🙂

Suggestion: 3

Here’s something I’m using currently as a workaround. I’ve added this to my kickstart file to run at %post — before I enable/setup LDAP:

# Install and de-install mariadb-server to create mysql
# user before LDAP is enabled.
yum -d1 -e1 -y install yum-plugin-remove-with-leaves mariadb-server
yum -d1 -e1 -y erase mariadb-server --remove-leaves

I was going to run the useradd manually from having read the mariadb-server spec file: http://pkgs.fedoraproject.org/cgit/mariadb.git/tree/mariadb.spec

%pre server
/usr/sbin/groupadd -g 27 -o -r mysql >/dev/null 2>&1 || :
/usr/sbin/useradd -M -N -g mysql -o -r -d %{mysqluserhome} -s /sbin/nologin \
  -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || :

…but I’m more comfortable taking it straight from installing the rpm.

I’m not completely satisfied with this as well because if I happen to find a file with the ldap “mysql” userid, the reverse lookup on the user id pollutes nscd or sssd with the wrong “mysql” user.

Suggestion: 4

I would actually suggest to add:

filter_users = mysql
filter_groups = mysql

to the [nss] section of sssd.conf instead of customizing the LDAP filter. It should do the same thing, except that when you use the LDAP filter way, the searches still hit the LDAP server, they just don’t match.

In contrast, the filter_users/filter_groups would enter the mysql user into the negative cache of SSSD, which would return “Not found” directly from the NSS responder, without going to the sssd_be process and the LDAP server.
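A check to go with the filter_users/filter_groups approach above (and the Ansible tasks in Suggestion 1): this is an added example, not code from the thread, that parses an sssd.conf-style file and reports whether a given name is listed in the [nss] section’s filter_users or filter_groups, so a playbook or a kickstart %post can verify the setting before flushing caches. The sample config is constructed here so the script runs offline; the function name nss_filtered is an assumption.

```shell
#!/bin/sh
# Constructed sample sssd.conf (not a real system's file) so the check can
# be exercised without touching /etc/sssd/sssd.conf.
SAMPLE_CONF=$(cat <<'EOF'
[sssd]
services = nss, pam
domains = corp

[nss]
filter_users = root, mysql, ldapbot
filter_groups = mysql

[domain/corp]
id_provider = ldap
EOF
)

# nss_filtered <conf-file> <name> <users|groups>
# Returns 0 when <name> appears in filter_<users|groups> inside the
# [nss] section only; the same key in another section is ignored.
# Values may be separated by commas and/or whitespace, as sssd accepts.
nss_filtered() {
  awk -v name="$2" -v key="filter_$3" '
    /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[nss\][[:space:]]*$/); next }
    insect && match($0, "^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, "")          # keep only the value part
      n = split($0, list, /[[:space:],]+/)
      for (i = 1; i <= n; i++) if (list[i] == name) found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Typical use against the live config; exits 0 if mysql is masked:
#   nss_filtered /etc/sssd/sssd.conf mysql users
```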

Suggestion: 5

If all you want to do is not resolve LDAP users, edit /etc/nsswitch.conf and for the user and group entries remove the sssd (or ldap) entries. Then flush the nscd cache.