Cant Connect through Socket Access Denied on mariadb 10.6 - sockets

When i check status mariadb socket with command : sudo systemctl status mariadb.socket
then the result is :
mariadb.socket - MariaDB 10.6.12 database server (socket activation)
Loaded: loaded (/lib/systemd/system/mariadb.socket; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/mariadb.socket.d
└─mariadb.socket.conf
Active: failed (Result: resources)
Docs: man:mariadbd(8)
https://mariadb.com/kb/en/library/systemd/
man:mariadbd(8)
https://mariadb.com/kb/en/library/systemd/
Listen: #mariadb (Stream)
/run/mysqld/mysqld.sock (Stream)
[::]:3306 (Stream)
#mariadb (Stream)
/run/mysqld/mysqld.sock (Stream)
[::]:3306 (Stream)
systemd[1]: mariadb.socket: Socket service mariadb.service already active, refusing.
systemd[1]: Failed to listen on MariaDB 10.6.12 database server (socket activation).
and i have make a user to connect via socket with command :
GRANT ALL PRIVILEGES ON *.* TO `xuserbackup`#`localhost` IDENTIFIED VIA unix_socket WITH GRANT OPTION;
but when i connect through socket :
mysql -uxuserbackup --protocol=socket -S /run/mysqld/mysqld.sock
the result is alaways : ERROR 1698 (28000): Access denied for user 'xuserbackup'#'localhost'

When specifying unix_socket authentication method, the user will be authenticated via system credentials.
For that the server retrieves the uid of the process which connected to the socket. With the uid server reads the name of the system user (in your case, the user which executed the command line client).
Once it has the system user name, it will authenticate the connecting user as the MariaDB account that has the same user name.
That means the user xuserbackup must be defined as a system user too and the user xuserbackup must execute the command line client.
Example:
georg#beethoven:~$ mariadb -ugeorg -e"select 'connected'\G"
*************************** 1. row ***************************
connected: connected
This will not work, since the root user is executing the command line client:
georg#beethoven:~$ sudo ~/mariadb/bin/mysql -ugeorg -e"select 'connected'\G"
ERROR 1698 (28000): Access denied for user 'georg'#'localhost'
Addendum: socket authentication only works if the hostname is localhost. If you don't specify a hostname localhost will be used by default. If you specify 127.0.0.1 the client will attempt to connect on port 3306 instead of using unix_socket.

Related

How to connect VS code to a Linux VPS server?

Debian 11
I can login into cmd .
I added ssh key to VM so my ssh prompt doesn't require password.
still shows
Could not establish connection to "server IP". listen EADDRNOTAVAlL: address not available 127.0.0.1
Tried connect with root and password and IP but only for cmd but not vs code
More bug information:
[02:40:59.055] listen EADDRNOTAVAIL: address not available 127.0.0.1
[02:40:59.057] Resolver error: Error: listen EADDRNOTAVAIL: address not available 127.0.0.1
at g.ServerInstallError (c:\Users\chenr5-INS\.vscode\extensions\ms-vscode-remote.remote-ssh-0.96.0\out\extension.js:1:584081)
at h (c:\Users\chenr5-INS\.vscode\extensions\ms-vscode-remote.remote-ssh-0.96.0\out\extension.js:1:577310)
at t.handleInstallOutput (c:\Users\chenr5-INS\.vscode\extensions\ms-vscode-remote.remote-ssh-0.96.0\out\extension.js:1:581290)
at t.tryInstall (c:\Users\chenr5-INS\.vscode\extensions\ms-vscode-remote.remote-ssh-0.96.0\out\extension.js:1:680758)
at async c:\Users\chenr5-INS\.vscode\extensions\ms-vscode-remote.remote-ssh-0.96.0\out\extension.js:1:643114
at async t.withShowDetailsEvent (c:\Users\chenr5-INS\.vscode\extensions\ms-vscode-remote.remote-ssh-0.96.0\out\extension.js:1:646432)
at async t.resolve (c:\Users\chenr5-INS\.vscode\extensions\ms-vscode-remote.remote-ssh-0.96.0\out\extension.js:1:644164)
at async c:\Users\chenr5-INS\.vscode\extensions\ms-vscode-remote.remote-ssh-0.96.0\out\extension.js:1:721750
[02:40:59.069] ------
Use Remote Development Extension
Which include:
Remote - SSH - Work with source code in any location by opening
folders on a remote machine/VM using SSH. Supports x86_64, ARMv7l
(AArch32), and ARMv8l (AArch64) glibc-based Linux, Windows 10/Server
(1803+), and macOS 10.14+ (Mojave) SSH hosts.

Authentication Issues (KRB5\GSS)

We are looking to migrate some systems away from MSSQL. We have our first few environments built and currently using LDAP, which is OK but has a good number of flaws.
I followed this link to setup Kreberos\GSS for the most part: https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
Off the bat I got the below error when trying to connect:
psql: error: SSPI continuation error: The specified target is unknown or unreachable
I believe the SPN is setup properly:
setspn -S POSTGRES/server.domain.local domain\service_account
I suspect something is wrong in the keytab file, as there is an extra "" between the server FQDN and domain:
Keytab name: FILE:/opt/pgsql/server.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 postgres#server.domain.local\#DOMAIN.LOCAL
Server side error:
2020-12-28 18:37:43.820 EST [64534] user#DOMAIN.LOCAL#postgres FATAL: GSSAPI authentication failed for user "user#DOMAIN.LOCAL"
2020-12-28 18:37:43.820 EST [64534] user#DOMAIN.LOCAL#postgres DETAIL: Connection matched pg_hba.conf line 95: "host all all 0.0.0.0/0 gss"
I'd appreciate any feedback and thank you!

no pg_hba.conf entry for host / Connect call failed / Invalid data directory for cluster 12 main - Postgresql Ubuntu

I'm trying to move my bot to an Ubuntu virtual server from Vultr but it's having a problem connecting to the postgres database. I've tried editing the config from md5 to true, and host to local, etc. But those only give me different errors and also make it stop working on my original machine too. It's working perfectly fine on my Windows machine. Here is the error I'm facing:
asyncpg.exceptions.InvalidAuthorizationSpecificationError: no pg_hba.conf entry for host "[local]", user "postgres", database "xxx", SSL off
So I've tried to change this line:
async def create_db_pool():
bot.pg_con = await asyncpg.create_pool(database='xxx', user='postgres', password='???')
to this:
async def create_db_pool():
bot.pg_con = await asyncpg.create_pool(database='xxx', user='postgres', password='???', ssl=True)
and that gives me this error:
asyncpg.exceptions._base.InterfaceError: `ssl` parameter can only be enabled for TCP addresses, got a UNIX socket path: '/run/postgresql/.s.PGSQL.5432'
So I don't know what else to try. I've been stuck on this for a while. If it's relevant, it connects at the bottom of the bot.py file like this:
bot.loop.run_until_complete(create_db_pool())
Whether ssl is True or not, the database seems to still function on my Windows machine. But I can't get it to work on my Ubuntu virtual server.
If I edit my config to this:
# TYPE DATABASE USER ADDRESS METHOD
# IPv4 local connections:
host all all 0.0.0.0/0 md5
# IPv6 local connections:
host all all ::/0 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
host replication all 0.0.0.0/0 md5
host replication all ::/0 md5
Then I get a call error like this:
OSError: Multiple exceptions: [Errno 111] Connect call failed ('::1', 5432, 0, 0), [Errno 111] Connect call failed ('127.0.0.1', 5432)
This is really driving me crazy. I have no idea what to do. I bought this virtual server to host my bot on but I can't even get it to connect to the database.
When I simply type psql in the terminal, I get this error:
Error: Invalid data directory for cluster 12 main
Postgres is not working as intended in basically any way. I'm using Vultr.com to host the Ubuntu server, if that matters. And connecting with PuTTy.
Your pg_hba.conf has multiple syntax errors. The "localhost" connection type is not allowed at all, and the "local" connection type does not accept an IP address field. The server would refuse to start/restart with the file you show, and if you try to reload a running server it will just keep using the previous settings.
LOG: invalid connection type "localhost"
CONTEXT: line 4 of configuration file "/home/jjanes/pgsql/data/pg_hba.conf"
LOG: invalid authentication method "127.0.0.1/32"
CONTEXT: line 5 of configuration file "/home/jjanes/pgsql/data/pg_hba.conf"
LOG: invalid authentication method "::1/128"
CONTEXT: line 9 of configuration file "/home/jjanes/pgsql/data/pg_hba.conf"
LOG: invalid connection type "localhost"
CONTEXT: line 10 of configuration file "/home/jjanes/pgsql/data/pg_hba.conf"
LOG: invalid authentication method "127.0.0.1/32"
CONTEXT: line 102 of configuration file "/home/jjanes/pgsql/data/pg_hba.conf"
FATAL: could not load pg_hba.conf
LOG: database system is shut down

How to force CoTURN long term credentials validation from WebRTC Flutter application?

I use this example of Flutter data channel to connect my Android app to my CoTURN server on my local network. The CoTURN logs show that the Android app connects successfully to the CoTURN server but doesn't show any username. I would like to make sure that no access is possible to my CoTURN server while not using long term credentials.
The version of my CoTURN server is 4.5.1.1-1.1 on Debian Linux Stable (10 Buster). The lt-cred-mech is already set in the CoTURN server configuration while no-auth is not set (it is commented). I am using verbose to check the logs. I have a user created in my MySQL database for long term credentials. It is verified using this command on the secured port:
turnutils_uclient -p 5349 -u myuser -w mypassword 192.168.188.28
It leads to the following in the coturn logs:
1992: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.28:58256
1992: session 002000000000000002: realm <myrealm> user <>: incoming packet message processed, error 401: Unauthorized
1992: IPv4. Local relay addr: 192.168.188.28:64632
1992: IPv4. Local reserved relay addr: 192.168.188.28:64633
1992: session 002000000000000002: new, realm=<myrealm>, username=<myuser>, lifetime=777
1992: session 002000000000000002: realm <myrealm> user <myuser>: incoming packet ALLOCATE processed, success
1992: session 002000000000000002: refreshed, realm=<myrealm>, username=<myuser>, lifetime=777
1992: session 002000000000000002: realm <myrealm> user <myuser>: incoming packet REFRESH processed, success
...
2007: session 003000000000000003: delete: realm=<myrealm>, username=<myuser>
2007: session 003000000000000003: peer 0.0.0.0:3481 deleted
2008: session 001000000000000008: usage: realm=<myrealm>, username=<myuser>, rp=13, rb=1360, sp=8, sb=768
2008: session 001000000000000008: closed (2nd stage), user <myuser> realm <myrealm> origin <>, local 192.168.188.28:5349, remote 192.168.188.28:48266, reason: allocation timeout
2008: session 001000000000000008: delete: realm=<myrealm>, username=<myuser>
2008: session 001000000000000008: peer 0.0.0.0:3481 deleted
If I try the same command with an intentionally invalid user, I get the expected following results in the server logs:
2227: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.28:40431
2227: session 002000000000000003: realm <myrealm> user <>: incoming packet message processed, error 401: Unauthorized
2227: check_stun_auth: Cannot find credentials of user <myuserfaulty>
2227: session 002000000000000003: realm <myrealm> user <myuserfaulty>: incoming packet message processed, error 401: Unauthorized
2227: check_stun_auth: Cannot find credentials of user <myuserfaulty>
...
So, this means that the credentials are indeed checked by the CoTURN server.
However, when I add credentials to the Flutter app as follows, I get server logs that don't seem to show any user. Worst, if the user is intentionally faulty, it changes nothing. Here is the portion of code adapted:
...
Map<String, dynamic> configuration = {
"iceServers": [
{"url": "stun:192.168.188.28:5349"},
{"username": "myuserfaulty"},
{"credential": "mypassword"},
]
};
...
Note that I guessed the username and credential entries in the configuration from the following files:
https://github.com/cloudwebrtc/flutter-webrtc/blob/master/ios/Classes/FlutterWebRTCPlugin.m
https://github.com/cloudwebrtc/flutter-webrtc/blob/master/android/src/main/java/com/cloudwebrtc/webrtc/FlutterWebRTCPlugin.java
Here are the CoTURN logs while using intentionally wrong credentials from Flutter:
2945: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.31:58350
2945: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2955: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2965: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2975: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2985: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2995: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
3005: session 002000000000000004: usage: realm=<myrealm>, username=<>, rp=6, rb=120, sp=6, sb=528
3005: session 002000000000000004: closed (2nd stage), user <> realm <myrealm> origin <>, local 192.168.188.28:5349, remote 192.168.188.31:58350, reason: allocation watchdog determined stale session state
3005: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.31:58350
3005: session 002000000000000005: realm <myrealm> user <>: incoming packet BINDING processed, success
3015: session 002000000000000005: realm <myrealm> user <>: incoming packet BINDING processed, success
...
So, I have the following questions:
How can I make sure that my CoTURN server cannot be used without authorized long term credentials?
How come the Flutter app is not subject to the same credentials validation as the turnutils_uclient?
Did I guess correctly the way to specify the credentials in the Flutter app with the addition of the username and credential entries in the configuration?
With this configuration (lt-cred-mech), the TURN server cannot be used without authorized long term credentials. However, the STUN server never requires authentication.
The turnutils_uclient command requires authentication because it calls the TURN server. To make a STUN server test call, the turnutils_stunclient command can be used and no credentials can be given to it.
The format for long term authentication on TURN server in Flutter is described in a comment in this file:
https://github.com/cloudwebrtc/flutter-webrtc-demo/blob/master/lib/src/call_sample/signaling.dart
...
{
'url': 'turn:123.45.67.89:3478',
'username': 'change_to_real_user',
'credential': 'change_to_real_secret'
},
...
which shows that my attempts were wrong for two reasons:
The protocol must be set to turn instead of stun.
The configuration items must be in the same array.
After those corrections, I do get the username in the coturn server logs as shown below:
87055: session 000000000000000540: new, realm=<myrealm>, username=<myuser>, lifetime=600
87055: session 000000000000000540: realm <myrealm> user <myuser>: incoming packet ALLOCATE processed, success
87065: session 000000000000000540: realm <myrealm> user <myuser>: incoming packet BINDING processed, success
Note that the coturn server configuration can require authentication for the STUN binding request as well:
...
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun
...

Java MongoDB Client: authentication failed when access to a server not configured to use an authentication

I have configured Java MongoDB Client to use MongoCredential.
Unfortunately when I access to a server that does not configured to use an authentication I get authentication failed exception:
Caused by: com.mongodb.MongoCommandException: Command failed with error 18: 'Authentication failed.' on server …. The full response is { "ok" : 0.0, "code" : 18, "errmsg" : "Authentication failed." }
I do expect this exception when a server is configured to use an authentication and when Java MongoDB Client but not in this case.
Is it possible to configure Java MongoDB Client not to fail when access to a server not configured to use an authentication?
I am afraid not, your client does not know whether the server has auth enabed or not.
Your client connection code should match the auth parameters from the server, otherwise it fails.
What I did in this case, was to create a connection function which accepts auth credentials, when credentials are passed, used them - create the connection with auth credentials, otherwise no - create the connection with no auth credentials.
In this case, you should know what server has auth enabled