Percona PAM via AD/SSSD authentication


George Chilumbu

Dec 23, 2018, 10:19:33 PM
to Percona Discussion
I have installed the Percona PAM plugin on my Percona server as shown below:

    mysql> show plugins;
    ...
    | auth_pam                      | ACTIVE   | AUTHENTICATION     | auth_pam.so        | GPL     |
    | auth_pam_compat               | ACTIVE   | AUTHENTICATION     | auth_pam_compat.so | GPL     |
    +-------------------------------+----------+--------------------+--------------------+---------+

And I also have this configured:

    cat /etc/pam.d/mysqld
    auth required pam_sss.so
    account required pam_sss.so

I have a group on the AD server called "dba", and added an AD user 'john.d' to this group. So I would like to log into MySQL using AD users, e.g. john.d, who should also inherit all privileges granted to the "dba" group. Below is how this AD group, "dba", is set up to allow its users to access the Percona server:

    CREATE USER ''@'' IDENTIFIED WITH auth_pam AS 'mysqld,dba=dbarole';
    CREATE USER 'dbarole'@'%' IDENTIFIED BY 'dbapass';
    GRANT ALL PRIVILEGES ON *.* TO 'dbarole'@'%';
    GRANT PROXY ON 'dbarole'@'%' TO ''@'';

When I log in to MySQL as dbarole, everything works well with all granted privileges. But when I log in as john.d, one of the AD users included in the "dba" AD group, this user does not inherit the privileges (ALL) granted to its group, but only has the USAGE privilege as shown below:

    mysql> show grants;
    +-----------------------------------+
    | Grants for @                      |
    +-----------------------------------+
    | GRANT USAGE ON *.* TO ''@''       |
    | GRANT PROXY ON 'dba'@'%' TO ''@'' |
    +-----------------------------------+
    2 rows in set (0.00 sec)

    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    +--------------------+
    1 row in set (0.01 sec)

My question is: how can I get an AD user to inherit the privileges granted to their group in MySQL?
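A small diagnostic, added here as an example (not code from the post or from Percona), that replays the auth_pam group-to-proxy lookup: it takes the groups NSS/SSSD reports for the user (`id john.d`), the mapping string from the CREATE USER statement, and the proxy targets ''@'' actually holds, and reports which of the three steps breaks. The `id` output, group names and grant set are constructed sample values; the "first matching group wins" rule follows Percona's documented `service,group1=user1,group2=user2` mapping format.

```python
import re

# Constructed sample data standing in for `id john.d` and SHOW GRANTS output.
SAMPLE_ID_OUTPUT = "uid=10001(john.d) gid=10001(domain users) groups=10001(domain users),10005(dba)"
SAMPLE_AUTH_STRING = "mysqld,dba=dbarole"   # the post's auth_pam mapping string
SAMPLE_PROXY_GRANTS = {"dba"}                # proxy targets listed in the post's SHOW GRANTS

def groups_from_id(id_output):
    """Extract group names from `id <user>` output (what NSS/SSSD returns to the plugin)."""
    match = re.search(r"groups=(.*)$", id_output.strip())
    return re.findall(r"\(([^)]*)\)", match.group(1)) if match else []

def parse_mapping(auth_string):
    """Split 'service,group1=user1,group2=user2' into (service, [(group, user), ...])."""
    parts = [p.strip() for p in auth_string.split(",")]
    pairs = []
    for entry in parts[1:]:
        if "=" not in entry:
            raise ValueError(f"bad auth_pam mapping entry: {entry!r}")
        group, user = entry.split("=", 1)
        pairs.append((group.strip(), user.strip()))
    return parts[0], pairs

def resolve_proxy(auth_string, os_groups):
    """Return the MySQL user of the first mapping entry whose group the OS user is in, or None.

    No match leaves the session as ''@'' with only USAGE, which is what the post's
    SHOW GRANTS shows. Names must match exactly: SSSD with use_fully_qualified_names
    reports 'dba@DOMAIN', which will never equal 'dba' in the mapping.
    """
    _, pairs = parse_mapping(auth_string)
    members = set(os_groups)
    for group, user in pairs:
        if group in members:
            return user
    return None

def diagnose(auth_string, os_groups, proxy_grants):
    """Explain why a PAM login would or would not pick up the proxy user's privileges."""
    target = resolve_proxy(auth_string, os_groups)
    if target is None:
        return "no mapped group among the user's NSS groups: " + ", ".join(os_groups)
    if target not in proxy_grants:
        return f"mapped to {target!r} but ''@'' lacks GRANT PROXY ON {target!r}@'%'"
    return f"ok: login is proxied as {target!r}"

if __name__ == "__main__":
    print(diagnose(SAMPLE_AUTH_STRING, groups_from_id(SAMPLE_ID_OUTPUT), SAMPLE_PROXY_GRANTS))
```

Run it against the real `id` output and the current `SHOW GRANTS FOR ''@''` to see whether the group name or the PROXY grant is the part that does not line up.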