Ad Widget

Collapse

[Zabbix 4.2.3] Access denied for user 'zabbix'@'localhost' error

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • mmmmay
    Junior Member
    • Jun 2019
    • 15
    #1

    [Zabbix 4.2.3] Access denied for user 'zabbix'@'localhost' error

    Hi!

    I just installed zabbix to monitor mySQL databases. I tried out with localhost where I installed both zabbix server and mySQL community server.
    I have also created .my.cnf file under /var/lib/zabbix/
    Code:
    [root@BUMPOCV1 ~]# cat /var/lib/zabbix/.my.cnf
[mysql]
user=zabbix
password=Testing1!
host=localhost
[mysqladmin]
user=zabbix
password=Testing1!
host=localhost
    I can grab the value with the following command and I can also login to mysql from command line with no issue.
    Code:
    [root@BUMPOCV1 ~]# zabbix_agentd -t mysql.status[Com_begin]
mysql.status[Com_begin]                       [t|224019]
    but I am having the error below on both my zabbix frontend and when I use zabbix_get to troubleshoot.
    Code:
    [root@BUMPOCV1 ~]# zabbix_get -s 127.0.0.1 -k mysql.status[Com_begin]
ERROR 1045 (28000): Access denied for user 'zabbix'@'localhost' (using password: NO)
    My zabbix frontend can grab all other values except for those mySQL values and keeps showing that access denied error.
    I'm trying to solve for this issue for about 1 week plus with any possible solutions online. The error is still there and I'm running out of ideas.

    Someone please help! T_T
    Attached Files
    Tags: error, monitoring, mysql database, zabbix
    • Atsushi
      Senior Member
      • Aug 2013
      • 2028
      #2
      Have you enabled SELinux? If you have enabled SELinux, please set appropriate policy settings.
      For example, is it possible to access MySQL socket from Zabbix agent?
      Are Zabbix agents able to read files under /var/lib?

      Make sure that the access denied history is not output to the log file(/var/log/audit/audit.log).

        Comment

        • mmmmay
          Junior Member
          • Jun 2019
          • 15
          #3
          It wasn't working when SElinux is enabled so I disabled it and tried again. Still not working.
          I have tried changing mod to 777 for .my.cnf file and it does not work also.
          Could you advise me on how I can check if Zabbix Agent can access to MySQL socket and read files in /var/lib?


          I'm sorry, I'm quite new to Zabbix and Linux environment.

            Comment

            • Atsushi
              #3.1
              Atsushi commented
              18-06-2019, 05:52
              Editing a comment
              Did you reboot the OS after changing SELinux to disabled?
              After that, please check what is recorded in the log file. The keyword denied should be recorded.
            • mmmmay
              Junior Member
              • Jun 2019
              • 15
              #4
              Yes I did reboot. Now, when I checked back the /var/log/audit/audit.log file I found a few 'denied's.
              Does these have to do with the Access Denied errors? How can I fix these?

              Code:
              type=AVC msg=audit(1560182382.849:442): avc:  denied  { read } for  pid=36438 comm="mysqladmin" name="my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1560182382.849:442): avc:  denied  { open } for  pid=36438 comm="mysqladmin" path="/etc/my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1560182382.849:442): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd3fbe8020 a1=0 a2=1b6 a3=24 items=0 ppid=36437 pid=36438 auid=4294967295 uid=996 gid=995 euid=996 suid=996 fsuid=996 egid=995 sgid=995 fsgid=995 tty=(none) ses=4294967295 comm="mysqladmin" exe="/usr/bin/mysqladmin" subj=system_u:system_r:zabbix_agent_t:s0 key=(null)
type=AVC msg=audit(1560182382.850:443): avc:  denied  { connectto } for  pid=36438 comm="mysqladmin" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
...
type=AVC msg=audit(1560218494.138:595): avc:  denied  { connectto } for  pid=5522 comm="zabbix_server" path="/run/zabbix/zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=unix_stream_socket

                Comment

                • Atsushi
                  Senior Member
                  • Aug 2013
                  • 2028
                  #5
                  If this denied message is output even after rebooting, SELinux can not be disabled. Please execute the getenforce command. Is it output as Disabled as below?

                  Code:
                  # getenforce
Disabled
#
                  If not, recheck the contents set in /etc/selinux/config.

                    Comment

                    • mmmmay
                      Junior Member
                      • Jun 2019
                      • 15
                      #6
                      Yes, it is disabled. Shall I change to enforce again? Any other configs that i need to change?

                      Code:
                      [root@BUMPOCV1 ~]# getenforce
Disabled
[root@BUMPOCV1 ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     disabled - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of disabled.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

                        Comment

                        • mmmmay
                          Junior Member
                          • Jun 2019
                          • 15
                          #7
                          Zabbix Server cannot start if I change SELinux to enforcing mode. It can only start if I change to permissive.
                          But the denied errors are still there. How can I resolve those?

                          Code:
                          type=AVC msg=audit(1560849456.945:86): avc:  denied  { read } for  pid=2467 comm="mysql" name="my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1560849456.945:86): avc:  denied  { open } for  pid=2467 comm="mysql" path="/etc/my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1560849456.951:87): avc:  denied  { connectto } for  pid=2467 comm="mysql" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1560849572.999:116): avc:  denied  { connectto } for  pid=2421 comm="zabbix_server" path="/run/zabbix/zabbix_server_preprocessing.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1560849636.904:117): avc:  denied  { read } for  pid=2589 comm="mysqladmin" name="my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1560849636.904:117): avc:  denied  { open } for  pid=2589 comm="mysqladmin" path="/etc/my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1560849637.222:118): avc:  denied  { connectto } for  pid=2589 comm="mysqladmin" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1560849698.755:140): avc:  denied  { read } for  pid=2717 comm="mysql" name="my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1560849698.755:140): avc:  denied  { open } for  pid=2717 comm="mysql" path="/etc/my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1560849698.760:141): avc:  denied  { connectto } for  pid=2717 comm="mysql" path="/var/lib/mysql/mysql.sock" scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1560849754.860:149): avc:  denied  { connectto } for  pid=2418 comm="zabbix_server" path="/run/zabbix/zabbix_server_lld.sock" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:system_r:zabbix_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1560850236.109:152): avc:  denied  { read } for  pid=3518 comm="mysqladmin" name="my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1560850236.109:152): avc:  denied  { open } for  pid=3518 comm="mysqladmin" path="/etc/my.cnf" dev="dm-0" ino=533595 scontext=system_u:system_r:zabbix_agent_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file

                            Comment

                            • mmmmay
                              Junior Member
                              • Jun 2019
                              • 15
                              #8
                              OMG, IT WORKS NOW!!!

                              I found previous posts with similar problems and tried to follow what members have suggested.
                              I did the following.

                              1. Add the below contents into my.cnf file.
                              Code:
                              [root@BUMPOCV1 ~]# cat /etc/my.cnf
# For advice on how to change settings please see
# http://dev.mysql.com/doc/refman/8.0/en/server-configuration-defaults.html
[B][client]
user=zabbix
password=Testing1!
port=3306[/B]

[mysqld]
#
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
# innodb_buffer_pool_size = 128M
#
# Remove the leading "# " to disable binary logging
# Binary logging captures changes between backups and is enabled by
# default. It's default setting is log_bin=binlog
# disable_log_bin
#
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
#
# Remove leading # to revert to previous value for default_authentication_plugin,
# this will increase compatibility with older clients. For background, see:
# https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_authentication_plugin
#default-authentication-plugin=mysql_native_password
[B]bind-address=127.0.0.1
port=3306[/B]

datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[B]user=mysql[/B]
[B]#Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0[/B]

log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
                              2. Change group owner to zabbix and change mod to 640 for my.cnf file
                              Code:
                              [root@BUMPOCV1 etc]# ls -l my.cnf
-rw-r--r--. 1 root root 1453 Jun 19 16:33 my.cnf
[root@BUMPOCV1 etc]# chgrp zabbix my.cnf
[root@BUMPOCV1 etc]# chmod 640 my.cnf
[root@BUMPOCV1 etc]# ls -l my.cnf
-rw-r-----. 1 root zabbix 1453 Jun 19 16:33 my.cnf

                              3. Restart mysqld and zabbix-agent

                                Comment

                                Previous template Next
                                Working...