mariadb-secure-installation not working after source installation - mariadb-10.4

I builded MariaDB 10.4 using GitHub source on CentOS 8.
(https://mariadb.com/kb/en/get-build-and-test-latest-mariadb-the-lazy-way/)
But mariadb-secure-installation is not working.
There is no error when running it. But nothing works. For example, changing the root password or deleting an anonymous account does not work.
What should I check?
thank you.

I figured out why.
https://serverfault.com/a/897341
https://mariadb.com/kb/en/authentication-plugin-unix-socket/
In MariaDB 10.4.3 and later, the unix_socket authentication plugin is installed by default, so if you do not want it to be available by default on those versions, then you will need to disable it.
there are two solutions.
disable unix_socket authentication
# /etc/my.cnf.d/server.cnf
[mariadb]
...
unix_socket=OFF
# or
disable_unix_socket
...
set client to use TCP protocol
# /etc/my.cnf.d/client.cnf
[client]
protocol=tcp
or using '-h' option
# mysql -h 127.0.0.1 -u root -p

Related

MariaDB on HomeBrew: Enabling Network Access

I have just installed MariaDB 10.4 using Home Brew. I was finally able to set the root password, and I am now trying to enable network access.
I think have added the correct directive:
bind-address=0.0.0.0
The thing is, is it to the correct my.cnf? I have tried adding it to /usr/local/etc/my.cnf as well as to a my.cnf I found in various Cellar directories.
It doesn’t seem to work. I get the message
Host … is not allowed to connect to this MariaDB server
even when I try from the local machine.
Am I setting the directive in the wrong file, or is there something else I should be doing.
Check that your user have the privilege to access the database from remote by running:
SELECT User, Host FROM mysql.user
Check also that you don't have the skip_networking configuration property set.
Read also the following documentation page: Configuring MariaDB for Remote Client Access

How to set up remote access on a Mac?

I need to work remotely and need to connect to a company network from my work Mac over the internet. How do I set this up? I have looked at different software for example OpenVPN and Tunnelblick. But not sure how to go about it. Any suggestions? Advice?
If your work Mac has restricted firewall, and speed is your concern, you can try shadowsocks-libev to bypass the firewall, which is primarily designed to bypass GFW, and used by millions of sneaky users. It is so fast that no vpn can compete with it.
For your work device (server side)
brew install shadowsocks-libev
# ss-server and ss-local installed
# create a server with listening port 3333
# sudo may be required
ss-server -p 3333 -m chacha20 -k your_password -u
For you client (home device)
brew install shadowsocks-libev
# apt install shadowsocks-libev
# sudo may be required
ss-local -s WORK_IP -p 3333 -b 127.0.0.1 -l 1080 -k your_password -m chacha20 -u
This created socks5 proxy with 127.0.0.1:1080. Make sure "your_password", port "3333", encrypt method "chacha20" should be matched on both sides.
set your home deivce (client side) socks5 proxy as 127.0.0.1:1080. Done.
Test IP
# With proxy, this would show your work Mac's IP
curl -x socks5h://localhost:1080 ifconfig.co/json
# without proxy
curl ifconfig.co/json
As a client side, GUI version is also recommended for beginners. Open source Mobile Version is also available.
This is a demo only. For security reasons, do not contain any password in the command line. Use -c config.json instead.
You can try this: vpn client
You should ask your admins to set up a vpn account for you. After that you can connect with a vpn client( of your choosing your use barracuda) and the provided credentials. Hope to have helped.
Since you brought up OpenVPN and Tunnelblick I should probably point out that
Tunnelblick is a free, open source graphic user interface for OpenVPN on macOS
Therefore Tunnelblick is probably going to be your app of choice.
Again, since you clearly are looking at OpenVPN I should point out there are two editions in circulation at the moment: commercial and community. I don't see any reason why you should pick commercial edition as your setup seems to be pretty simple. You probably will end up with a checklist of following things to do:
set up an OpenVPN server in your company network (windows, linux, pc, mac, raspberry pi - range of supported platforms is very extensive)
on the server generate keys for your client(s) (or use pre-shared secret as described in quick start below)
write and securely transport .ovpn config files (you can embed keys in there for simplicity) over to your mac
import the .ovpnfile into your Tunnelblick and start
The official quick start guide is probably the best place to start quick.
There's a whole bunch of other things that you (or more likely, your workplace network admin) will have to sort out. Just to name a few: routing and NAT-ting, ip address/domain name for OpenVPN server, firewall rules on machines you connect to.
But covering it all here without knowing your specifics will be problematic.
You should use any-desk or VNC server for connect your machine remotely. it's easy to use.
Your problem is not what you need to do on your Mac. What you do on the Mac-side is only half of any viable solution.
What you need to find out is what ways of connecting to the "company network" are provided by the company? Is anyone able to connect to the company network from a non-Mac computer? Does the company have any IT staff? Or do you have auth/means of changing their network configuration?
First of all, what type of control do you need? If we're talking about files and stuff like that then you should run a SSH server on your mac. More about that here (stackoverflow.com\superuser.com) and here (apple.com).
Another way to do that is to run a Remote Control Software (for example, Team Viewer), but it's laggy and unstable.
I was in the same situation as you a few months earlier and used the Tunnelblick in the Mac OS, which worked perfectly fine.
Since you are going to connect to your company network, I suggest you configure a VPN server and client to do that. I have configured the OpenVPN community edition to do that. The steps are:-
Server side configuration
- Login to root - sudo su
- Install OpenVPN and Easy-RSA - apt-get install openvpn easy-rsa
- Copy the server.conf from samples to /etc/openvpn - gunzip -c
/usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz >
/etc/openvpn/server.conf
- Edit server.conf
- Check that Diffie-Hellman is set to 2048 - dh dh2048.pem
- Uncomment push "redirect-gateway def1 bypass-dhcp"
- Uncomment push "dhcp-option DNS 10.0.2.100" or put any other DNS
server you want - default settings is OpenDNS.
- Setup IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward
- Also, edit /etc/sysctl.conf, and set "net.ipv4.ip_forward=1" after
uncommenting the line. This is for persisting the ip forwarding when
you reboot.
- Setup ufw (Uncomplicated Firewall - this is a frontend to iptables)
- ufw allow ssh
- ufw allow 1194/udp
- Edit /etc/default/ufw and set DEFAULT_FORWARD_POLICY to ACCEPT.
- Edit /etc/ufw/before.rules and add the following lines near the top
*nat :POSTROUTING ACCEPT [0.0]
-A POSTROUTING -s 10.0.8.0/8 -o ens4 -j MASQUERADE COMMIT ufw enable
- Do a ufw status and check if the rules are setup properly
- Setup the RSA keys
- cp -r /usr/share/easy_rsa/ /etc/openvpn/
- mkdir /etc/openvpn/easy-rsa/keys
- Edit /etc/openvpn/easy-rsa/vars and change keys KEY_COUNTRY etc, and
KEY_NAME="server"
- Generate the Diffie-Hellman PEM file - openssl dhparam -out
/etc/openvpm/dh2048.pem 2048 cd /etc/openvpn/easy-rsa/
- . ./vars
- ./clean-all
- ./build-ca
- ./build-key-server server
- cd keys && cp server.crt server.key ca.crt /etc/openvpn
- At this point your /etc/openvpn should contain server.key,
server.crt, ca.crt and dh2048.pem
- Start OpenVPN - service openvpn start
- Generate client config
- Copy client config from samples - cp
/usr/share/doc/openvpn/examples/example-config-files/client.conf
~/client/client.ovpn
- Generate the client keys - cd /etc/openvpn/easy-rsa && ./build-key
client It will generate client.crt and client.key files.
- Copy client.crt, client.key, ca.crt to ~/client.
- Edit client.ovpn
- Edit the entry "remote my-server-1 1194" and put the
IP/Hostname of the VPN server in place of my-server-1.
- At the end, append "auth-user-pass"
- In a new line, add an opening tag <ca>.
- Append the contents of /etc/openvpn/ca.crt.
- Append a closing tag </ca>.
- Append opening tag <cert>.
- Append contents of client.crt.
- Append a closing tag </cert>.
- Append a opening tag <key>.
- Append contents of client.key.
- Append a closing tag </key>.
- Comment out keys "remote-cert-tls server" and "tls-auth ta.key 1"
- Uncomment "user nobody" and "group nogroup".
- Save the file and download to your Mac client securely.
Client side configuration
Download the OpenVPN MacOs client
(https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-macos/).
Import the .ovpn file mentioned earlier.
Connect using this client.

PostgreSQL 9.2.4 - Desire to Change the Localhost Server Password in Mavericks & Databases

Currently PostgreSQL 9.2.4 is provided in OSX Mavericks. I have used the provided PostgreSQL since running Lion Server. When I started using it I was using a password that I now realize is not very secure.
I am having trouble finding the right command to do this. The user/role (I supposed) that is provided is _postgres. This is the password I would like to change. I attempted the command below but honestly I'm not sure what it is supposed to do. I thought that this would allow me to access the role/user.
psql -U _postgres -h localhost -W
Here is what happened when I attempted to execute this command.
xxxx:~ xxxx$ psql -U _postgres -h localhost -W
Password for user _postgres:
psql: FATAL: database "_postgres" does not exist
_postgres is the user for all my databases. I would like to change the password for _postgres. I'm not sure since the databases were created by _postgres that once I change that password if the password will work for the databases or if I will have to change the database passwords also.
All the solutions dealing with this reference directories that I do not have in Mavericks. When I used Lion and Mountain Lion I was able to go to the psql directory and find postgresql.conf and pg_hba.conf. I do a search on those files and do not find them.
Sidebar: I currently use PgAdmin3 for basic database maintenance. The Mac version of the software does not have an option for changing passwords that I can find. If there is another GUI software package that is more user friendly for accessing the provided PostgreSQL I would definitely like to try it. Every solution that suggests Homebrew is in the context of installing another version of PostgreSQL which is not what I want to do.
I need the correct terminal command(s) to do this or help on where to go to get the solution that will work with OS X Mavericks. The PostgreSQL documentation is a bit overwhelming and was not clear as to where to go and what to do regarding this.
Any help would be appreciated.
UPDATE 4/5 6:03 pm CDT
Here are the contents in /Library/Server/PostgreSQL/Data/pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication _postgres trust
#host replication _postgres 127.0.0.1/32 trust
#host replication _postgres ::1/128 trust

OpenLDAP - Named user connection fails

I am trying to setup a basic ldap server/client scenario. I downloaded openldap for windows and installed it. I am starting the server successfully with the command,
slapd -d 1
I tried to use various clients (commandline, LDAP Browser, phpLDAPadmin) to connect and do a search, it works with 'anonymous access' but it fails every time I try the same with root user/password and says 'failed to connect to ldap://localhost:389'. Same thing works if i connect anonymously.
What could be the problem ?
Here's my slapd.conf
ucdata-path ./ucdata
include ./schema/core.schema
pidfile ./run/slapd.pid
argsfile ./run/slapd.args
database bdb
suffix "dc=guessant,dc=org"
rootdn "cn=Manager,dc=guessant,dc=org"
rootpw secret
directory ./data
I am using Login DN as "cn=Manager,dc=guessant,dc=org" and password as "secret"
It has been fixed now .. problem was with PHP mcrypt and phpLdapAdmin. Apparantly there's an issue with PHP 5.2. and figured out that upgrading to 5.3 + or removing mcrypt usage, would fix it. I chose the later, for the timebeing atleast

postgresql: Why do I have to specify -h localhost when running psql?

psql mydb yields:
psql: could not connect to server: Permission denied
Is the server running locally and accepting
connections on Unix domain socket "/var/pgsql_socket/.s.PGSQL.5432"?
psql -h localhost mydb works just fine. pg_hba.conf looks like:
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
What up?
I had the exact same thing happen to me, presumably due to the conflicting version of psql (one from Lion, one from homebrew). While I still haven't been able to figure out how to make psql use the /tmp socket directory, I do have a work around.
Put the following in your .bashrc (or .zshrc, etc):
export PGHOST=/tmp
This sets the correct "host" back to the correct socket directory, without having to supply the -h flag
Probably psql and the server use a different location for the unix-domain socket.
( /var/pgsql_socket/ is a strange location) This can happen if you are mixing binaries from different packages.
Try to locate the socket ( /tmp/ is a good place to start) You can force psql to use a different directory by misusing the -h option:
psql -h /tmp/
It appears to be a reported defect.
This happened to me on OS X, and the problem was that /usr/bin/psql is what I was using, but postmaster was running from /Library/PostgreSQL/9.0. Using /Library/PostgreSQL/9.0/bin/psql (getting that into my PATH before all else) fixed the problem.
As other answers addressed other alternatives, I guess I could provide something about Mac OS X Server on Lion. I run into very similar issue - in my case even -h localhost didn't work as networking was disabled in PostregSQL which is by the way in many cases very good idea. The thing with Mac OS X Server is that it launches PostgreSQL server via launchd.
Some hints as you go around:
serveradmin service: postgres
launchd configuration file: /System/Library/LaunchDaemons/org.postgresql.postgres.plist
database folder: /var/pgsql
socket folder: /var/pgsql_socket
That configuration file overrides several configuration directives that can be found in postgresql.conf under database folder. Especially these two:
unix_socket_group
unix_socket_permissions
You can find that _postgres account is used to run the server and everything is also accessible if active user is member of _postgres group.
By running dscl . -read /Groups/_postgres GroupMembership you can see that by default that group has these members: _devicemgr _calendar _teamsserver _www
I guess you have two options. Add yourself to _postgres group or change launchd configuration plist file. The later is just plain text editing... But beware of security, because this way you'll be opening Server to whatever meets criteria you change (see the last paragraph).
The former can be done either via Server.app or via dscl command-line utility. The first option probably doesn't need anything to be added. Just make sure that you can see System Accounts (View -> Hide/Show System Accounts). I'm kind of CLI junkie so this should add your user to _postgres group:
sudo dscl . -append /Groups/_postgres GroupMembership $USER
Of course you should be careful what you run under your account then because you're giving access to you Mac OS X Server database back-end. So either secure you _postgres account or create separate user to manipulate your database or don't save anything private there.

Resources