I want to set strong password for mysql root user. But there is a egg-hen problem. I have empty server. I salt it. The root password is empty (by default after install).
If I use
root:
mysql_user.present:
- name: root
- password: $ecur3h4x0r
- host: %
Then I would not be able to call any other mysql states because they would need the password. But the next time I do highstate this call would not work, because the state tries to connect with empty password.
Yeah, we're going to add a 'default_user' and 'default_pass' setting so you can handle this situation. It should be in 0.17.0
Just in case someone stumbles upon this question while starting to manage mysql with saltstack.
Here is how it works in the current salt version (salt 2015.5.0 (Lithium)).
Notice that the mysql_user.present-state is smart enough to try it without a password at first. In subsequent runs the state will use the root password to connect and realize that the password for root is in the right state.
root:
mysql_user.present:
- host: localhost
- password: s3cure_root_password
another_user:
mysql_user.present:
- host: localhost
- password: anoth3r_user_password
- connection_user: root
- connection_pass: s3cure_root_password
I'd like to note 2 things that worked for me in master / minion version '2019.2.0' under ubuntu 18.04:
One will be able to set the password of the user 'root' the first time with:
mysql_user.present:
- name: root
- host: localhost
- password: pillar['mysql']['mysqlrootpassword']
- connection_charset: utf8
- saltenv:
- LC_ALL: "en_US.utf8"
After that, the command will always succeed with User root#localhost is already present with the desired password regardless of the value of the root password.
MySql user root is only permitted to login if you use sudo or as root user
Related
I am trying build new server Fedora 37 but when I trying to use PamMysql /because logins from postfix are stored in DB/ it is not working
very strange is, that only one ask to saslauthd will stop and broke saslauthd
I am using standard PamMysql and Saslauthd
smtp.postfix in pam.d
auth required pam_mysql.so user=postfix passwd=xxxx host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=postfix passwd=xxxx host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
when I try only "testsaslauthd -u "yyy" -p "xxx" -s smtp"
It fails, stops Saslauthd and write me "size read failed"
Have anybody this error ?? on Fedora 37 ??
BTW: When I change SMTP.POSTFIX in PAM.D -> crypt=0 and write password to DB manually in cleartext - all works fine - but unusable, because of second one of mail - Dovecot is not able to authenticate cleartext passwords ;-)
I think, that problem will be in crypting of SASLAUTHD...because in Dovecot same logins are not problem...and on my older server is not problem too
BTW: I have built maybe 10 mailservers, same situation with no problems. but this is first on Fedora37
Context
Running MariaDb 10.6.7 on Windows 11. Trying to use mariabackup to do a partial backup of my database. Database, target backup folder and backup process all on the same PC.
Issue
In a batch file I have this:
cd C:\"Program Files\MariaDB 10.6\bin"
mariabackup --backup --target-dir='D:\OneDrive\Backups\MariaDb' --databases-exclude="*test" --user=root --password=myPasswordWithNoQuotes
Which keeps giving me the response:
Failed to connect to MariaDB server: Access denied for user 'root'#'localhost' (using password: YES)
Things I've checked
Running the batch file as administrator
root has full priviliges
Password is correct - checked by logging into root with MySQL Workbench and MySQLClient and HeidiSQL.
Question
How do I set access rights so that the backup can proceed?
When I changed the root password to something simple everything worked. So it looks like the issue was a special character in the password (a % character perhaps) or the way that the password parameter was formed in the mariabackup command.
I'm using a fresh installation of Debian Stretch, and installed PHP7 and MariaDB as recommended:
sudo apt-get install nginx mariadb-server mariadb-client php-mysqli php7.0-fpm php7.0-curl
Then using sudo mysql_secure_installation I followed the prompts to remove test users etc.
MariaDB seems to use unix_socket authentication (which is a new concept to me). I like how it restricts root access to sudoers and allows me to grant DB permissions to specific OS users.
However I'd prefer to assign individual user/passwords for each web application running on the server. They all run as www-data user on the system and I see no reason to let them share databases.
So I created a user for my first PHP script and granted access to a new database:
CREATE USER 'telemetry'#'localhost' IDENTIFIED BY 'yeah_toast';
UPDATE mysql.user SET plugin='mysql_native_password' WHERE user='telemetry';
GRANT ALL PRIVILEGES ON telemetry TO 'telemetry'#'localhost';
FLUSH PRIVILEGES;
But it refuses to let me connect from the application:
[error] 19336#19336: *20 FastCGI sent in stderr: "PHP message: PHP Warning: mysqli::real_connect(): (HY000/1045): Access denied for user 'telemetry'#'localhost' (using password: YES) in /path/to/database.inc.php on line 30
The credentials I'm using from the application are as follows:
Host: localhost (also tried 127.0.0.1)
Username: telemetry
Password: yeah_toast
Database: telemetry
I tried deleting and re-creating the username in case it was a password problem, and creating a user #'localhost' and #'%' but none seem to work. In fact when I log in using the same credentials from the command line without sudo it works great (mysql -utelemetry -p).
Am I missing a MariaDB configuration step here?
I am able to do following
install salt master, minion (using root user)
login in master machine and execute salt command to install java / tomcat into minion server
result : java/tomcat is installed via root user
What i want to do is
install java / tomcat in minion server by user name 'tomcatuser'
As per my understanding only way of doing this is if i install my minion via tomcatuser.
Is my understanding correct ?
Any other way ?
I think you mix up the saltstack controller and how it control the application configuration.
For salt master and minion to communicate, you need to start both services as root, to control most of the configuration process. Then from there on, you can specify the user and group for application deployment inside your sls configuration.
Now come to your Tomcat/java/whatever package, you can refer to the salt stack configuration, to specify your own user group of the configuration and even startup(with other modification). e.g.
Deploy foo configuration:
file.managed:
- name: /etc/foo.conf
- source:
- salt://foo.conf
- user: foo
- group: users
- mode: 644
Then to startup your tomcat, you can do the similar by using a crontab and specify the user you want (as long as it is not load under service port smaller than 1024) . Or you can check whether salt.states.tomcat is helpful to start the services : https://docs.saltstack.com/en/latest/ref/states/all/salt.states.tomcat.html
I am new to salt-ssh and I have gotten it to work successfully for setting up a remote system. However, I have a login issue that I don't know how to address. What is happening is that when I try to run the salt-ssh commands I have to fight with then initial login process before eventually it just works. I am looking to see if I can narrow down what is causing me to have to fight with login process.
I am using OS X to run my salt-ssh commands against an ubuntu vagrant vm.
I have added my root user's ssh key to the root user authorized_keys on the vagrant vm. I have verified that I can log into the system using ssh without any issues
sudo ssh root#192.168.33.10
Here are what my config files look like:
roster
managed:
host: 192.168.33.10
user: root
sudo: true
Saltfile
salt-ssh:
config_dir: /users/vmcilwain/projects/salt-ssh-rails
roster_file: /users/vmcilwain/projects/salt-ssh-rails/roster
log_file: /users/vmcilwain/projects/salt-ssh-rails/saltlog.txt
master
file_roots:
base:
- /users/vmcilwain/projects/salt-ssh-rails/states
pillar_roots:
base:
- /users/vmcilwain/projects/salt-ssh-rails/pillars
I run this command:
sudo salt-ssh -i '*' test.ping
I enter my local user's password and I get this output
Permission denied for host 192.168.33.10, do you want to deploy the salt-ssh key? (password required):
[Y/n]
This is where my fight is. If the vagrant vm has the ssh key for the user I am executing salt-ssh as, why am I being told that permission is denied? Especially when I verified I could ssh into the system without using salt-ssh.
Clicking yes prompts me for the remote root user's password, which I didn't set and don't necessarily want to since an ssh key should have worked.
I'm hoping someone can tell me the best way to setup connections between both systems so that I don't have to have this fight every time.
I needed to set the priv in my roster to the rsa key that I am using to connect to the remote host:
priv: /Users/vmcilwain/.ssh/id_rsa