Mysql – Can only execute thesqladmin as root account created with unix socket, all other accounts fail

mariadbMySQLmysqladmin

I have a new install of MariaDB 10.2.27 on RHEL7. Our security scans have flagged the root account, so we have modified the name to orgdba, assigning all of the applicable privileges. I have not encountered any issues, except with mysqladmin. I know I have my password correct as I can connect via mysql using it. It is only erroring on mysqladmin. I ended up creating a root account specifically to execute mysqladmin commands. I cannot execute with that account either. It is not until I create the root account using the Unix Socket plugin that I can successfully execute mysqladmin commands. I cannot find anything in any documentation that expands on this topic. I have no idea if this is a bug in the version of MariaDB that I am using. Does anyone have any insight?

Error connecting to mysqladmin:

root@db01 $ mysqladmin -uorgdba -p status
Enter password:
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'orgdba'@'localhost' (using password: YES)'


root@db01 $ mysqladmin -u orgdba -p status
Enter password:
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'orgdba'@'localhost' (using password: YES)'

Same user/same password, successfully connects to mysql:

root@db01 $ mysql -u orgdba -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 52347
Server version: 10.2.27-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

Any insight on this, or additional documentation on mysqladmin, would be appreciated.

Best Answer

I have finally figured this out. I have SSL enabled, which I may have not mentioned in my original post. When I added the --ssl-ca parameter to the connection string, I was able to connect.

mysqladmin -u orgdba --ssl-ca=/etc/mysql/ssl/ca-cert.pem -p status

now returns the status as expected.

Hopefully this helps someone out in the future.

Related Solutions

Thesqladmin not taking inline password

Command line arguments are subject to interpretation by the system's command shell, changing the behavior of the command or changing the value of the arguments before they are passed into the called program.

When an argument (such as the value for --password) contains an character that the shell may interpret, they need to be either quoted (usually enclosed in single quotes ' in unix or double quote " in Windows) or escaped individually (usually with a backslash \ before each metacharacter) to avoid interpretation by the shell.

While the specific characters are system-specific, some characters to watch out for include:

$ & ! \ [ ] < > `

If the password, for a really bad example, were set to pa$$word ...

mysql --password=pa$$word     # does not work
mysql --password='pa$$word'   # works
mysql --password=pa\$\$word   # works, but slightly unclear what's going on at first glance

Further reading:

Update: to escape either ' single or " double quotes in the password, you can either escape them with a leading backslash, or enclose the entire argument in the opposite style of quotes if there are no other characters that the chosen style of quoting isn't compatible with.

mysql --password="like'this" # password has a single quote in the middle
mysql --password='like"this' # password with a double quote in the middle

If you have a single quote and other special characters as well, you're stuck with backslash escaping because, in unix, the double quote is "weaker" than a single quote and many metacharacters are still expanded when enclosed in double quotes but not single quotes.

This is not MySQL-specific but applies to anything with command line arguments.

You can typically use the echo command to see how the shell is interpreting your arguments.

$ echo foo$bar 
foo                # literal 'foo' plus the (empty) shell variable $bar

$ echo foo\$bar
foo$bar            # backslash prevents expansion of $bar as a variable

$ echo "foo$$bar"  # weaker double quote doesn't prevent expansion so
foo9691bar         # the $$ expands to the unix process id (pid) of the current shell

$ echo 'foo$$bar'
foo$$bar           # "stronger" single quote prevents shell expansion

$ echo "foo'bar"
foo'bar            # double quote allows single quote within the literal

Follow-up: The bash shell (and presumably some others) allows escaping single quotes within single-quoted strings, though the convention is bizarre (probably based on some long-forgotten decision lost now to the mists of time):

Replace each ' inside the string with '\'' before wrapping the entire string in single quotes... so the literal string foo'bar is expressed as 'foo'\''bar'.

Like I said, bizarre. This is needed because a backslash escapes a single quote outside of a single quoted string, a backslash escapes nothing inside a single-quoted string in bash, and single quoted strings can be closed and reopened by multiple single quotes as long as there are no unescaped intervening characters that have special meaning. So '\'' closes the quoting of the string, then supplies the escaped literal, then reopens the quoting of the string.

MySQL login after secure installation

You most likely have a .my.cnf file in your home directory, which is specifying a password.

The clue here is that when you did not specify a password (sudo -u root), the error message is still saying that you did.

Best Answer

Related Solutions

Thesqladmin not taking inline password

MySQL login after secure installation

Related Question