I have the current setup:
SVR01:
Ubuntu Trusty, with Xen
VM01:
IP: 192.168.0.10
Ubuntu Trusty, with Apache2 + php modules
VM02:
IP: 192.168.0.11
Ubuntu Trusty, with mysql server
When I try connecting from VM01 (The apache server) to mysql on VM02, I get the "Access Denied for 'NewUser'#'192.168.0.10' (Using password: YES)" error.
I created the user using:
CREATE USER 'NewUser'#'192.168.0.10' IDENTIFIED BY 'password';
GRANT EXECUTE ON mydb.* TO 'NewUSer'#'192.168.0.10';
But, it will work if I create the user using the host wildcard:
CREATE USER 'NewUser'#'%' IDENTIFIED BY 'password';
GRANT EXECUTE ON mydb.* TO 'NewUSer'#'%';
Does anyone know why it won't work when I specify the host ip?
PS. I get the error when trying to connect either through the Mysql client, or through the PHP PDO.
Follow up questions:
Does the grant seem to work if you create a user with a 192.168.0.% wildcard host mask?
Run select user, host, password from mysql.user where user='NewUser' to ensure there's not another user#host you weren't aware of that might be getting picked up?
Does the Access denied messages in your error logs confirm the failed connection attempts are in fact coming from the IP you think it is? Some weirdness like this might pop up if you have multiple routes setup in a system that has multiple network interfaces or perhaps some VPN routes in the mix.
When attempting connections to VM02 are you using a literal IP address or a hostname? If the later are you sure this is resolving to the IP you think it is from VM01 (you can verify using ping or just the host command from the command line)
Run "show variables like 'init_connect';" on the root account you were creating the users with. If that value is not blank you will want to ensure the accounts of permissions required to execute whatever that value does hold.
Related
I'm doing a web project and im using wamppserver to take care of the server and database. And now I'm facing a problem, I have to share the project. So it would be useful if i could share the specific DB that I use in the project, so that other people can access from their machines and get all the data previously stored in the DB. Is it possible to do it? How?
If you need to grant access to other machines to one database on local mysql server, you need to do some things:
You need to open MySQL to network interface: Check my.cnf, and do this:
Comment the line skip-networking.
Change the line bind-address to hold your LAN IP address / WAN IP address (if the machine itself have the WAN IP) / 0.0.0.0 (for all IPv4 addresses of the machine) / :: (for all IPv4 and IPv6 addresses of the machine). After reconfigure, restart MySQL server.
Check / configure your firewall for port 3306 opened (You can configure firewall for accept connections only from the required IPs) (Configuration for doing this will depend on your firewall software).
Grant access to the user(s) from the IPs you will need.
You can give access to one user from all IPs, for doing this, execute command [1] on MySQL cli or phpmyadmin, with a user with SUPER privileges (usually root).
You can give access to one user from one IP. Execute command [2].
[1]: GRANT ALL PRIVILEGES ON database.* TO 'user'#'%' IDENTIFIED BY 'password';
[2]: GRANT ALL PRIVILEGES ON database.* TO 'user'#'host' IDENTIFIED BY 'password';
You need to replace database with the name of the database to give privileges, user with the username accessing, host with the IP address of the client accessing, and password, with the desired password.
You can also, repeat command [2] if you want the same username to have access from two different IPs for example. Also, you can use a combination of [1] and [2], using a host with this example format: #'192.168.0.%', for giving access to these user from all computers on the 192.168.0.0/24 network.
Also, you can give really fine privileges, for example, changing GRANT ALL PRIVILEGES with GRANT SELECT, INSERT, these user only can do SELECT and INSERT statements, but not UPDATE or DELETE ones for example. You can check MySQL doc or StackOverflow for more info about this.
I have a mysql database (v5.5.41) setup on a remote server and an application connects to the DB from another server to run some queries. It's been working fine but recently my DB server got a new IP address. My application can't connect to the DB anymore, the connection times out.
The application is using the DNS name of the server, not a hard-coded IP, so there shouldn't be a problem. In any case, if I run this from the application server:
mysql -u app_user -h mydb.myhost.com -p
then I get
ERROR 1045 (28000): Access denied for user 'app_user'#'xxx.xxx.xxx.xxx' (using password: YES)
If it was having trouble finding the new IP, then that command would probably just hang and timeout, so it seems to be an authentication issue. My password is definitely correct, but the application is using the same password as when the app was connecting successfully so it's not an issue of mistyping it.
I've tried deleting the user app_user from the database and re-creating, exactly as I did in the beginning:
CREATE USER 'app_user'#'xxx.xxx.xxx.xxx' IDENTIFIED BY 'mypassword';
GRANT SELECT ON mydb.* TO 'app_user'#'xxx.xxx.xxx.xxx' IDENTIFIED BY 'mypassword' REQUIRE SSL;
FLUSH PRIVILEGES;
I'm not sure if the DB server IP change is just a coincidence, and maybe there's some other issue.
The entry for app_user in select user, host from mysql.user shows the same IP address as in the Access Denied message above. For what it's worth, I tried changing the DB user host to * and got Host 'xxx.xxx.xxx.xxx' is not allowed to connect to this MySQL server.
Could this have something to do with SSL being required by connection attempts from this user?
The problem was related to the REQUIRE SSL in the privileges for my user. Without it, I could connect just fine. I got things working again by putting my client-cert.pem and client-key.pem files on the application server, updated my.cnf by adding:
ssl-cert = /path/to/client-cert.pem
ssl-key = /path/to/client-key.pem
...under the [client] section and restarted the mysql server.
However, I still don't understand why I was able to connect successfully before when I had done none of these things.
I have a created user in my MySQL database:
CREATE USER 'user'#'host' IDENTIFIED BY 'password';
I have granted that user full privileges:
GRANT ALL ON *.* to 'user'#'host';
Echoing the grant:
GRANT ALL PRIVILEGES ON *.* TO 'user'#'host' IDENTIFIED BY PASSWORD '*03FFC888F82E921D8CA360925A8F443CF326DE89'
I can connect from MySQL workbench using this login credential w/o any issues and execute queries. And it's running on the same machine the web application is running on. MySQL instance is running on another computer in the same local network.
However, when I try to use the same credentials from my web application running in Tomcat7 under Eclipse I receive the error. Please advise.
Note: As of last night, the web application was able to connect just fine. With nothing changing (that I am aware of - I am only one working on this), this morning I could not connect.
RESOLVED:
I added the user with grants using the IP address for the host for the local machine.
I am not sure what changed on the server, but now I am able to connect again.
Would someone possibly be able to explain this change, and with it why I am now required to use the IP address when previously the local host name was sufficient?
Make sure you are using the appropriate hostname, and you're accessing from that host, the user can't connect from another host.
To give permission you must put the password unencrypted.
Example
GRANT ALL PRIVILEGES ON test. * TO 'root' # 'localhost'
IDENTIFIED BY 'goodsecret';
Also must be the same password when you create the user.
Here How adding users to MySQL
Note: For more information on GRANT here is the documentation.
Hope this helps
First off, I did google this but sites are flooded with advice on how to deal with "host name is blocked" issues. (https://www.google.com/search?q=mysql+block+a+host). My issue is a little bit the opposite of that.
With me, I am running a MySQL database and no PHP is involved.
I need to block a certain host-name/IP address from connecting to my database, then I will unblock it. I am hoping there are 2 simple queries for this that I can execute on the MySQL database, I just can't seem to find it anywhere.
I can find the hostnames pretty easily by running the show processlist query and I know I can kill one process at a time, but so many new threads pop up that if I can just block all of them from a certain hostname, that would be ideal. Then I will unblock once I fix a few things.
You can use GRANT to give a non-privileged entry for a user connecting from a specific host, even if you have GRANTed privileges to a wildcard including that host. When authenticating, the most specific host match takes precedence.
For example, suppose you enabled a user to connect from a range of hosts on your local subnet:
mysql> GRANT ALL PRIVILEGES ON *.* TO 'user'#'192.168.56.%' IDENTIFIED BY 'xyzzy';
Then you could grant the minimal USAGE privilege, which is a synonym for "no privileges" for that user for one specific host within that subnet:
mysql> GRANT USAGE ON *.* TO 'user'#'192.168.56.110';
Subsequent attempts to connect from that host get this error:
$ mysql -uuser -pxyzzy
ERROR 1045 (28000): Access denied for user 'user'#'192.168.56.110' (using password: YES)
The reason this gets an error is that I did this grant for the user with no password. If I try to submit a password, this doesn't match the entry in the privileges table.
Even if the user tries to connect without using a password, he finds he has no access to anything.
$ mysql -uuser
mysql> USE mydatabase;
ERROR 1044 (42000): Access denied for user 'user'#'192.168.56.110' to database 'mydatabase'
You can undo the blocking:
mysql> DELETE FROM mysql.user WHERE host='192.168.56.110' AND user='user';
mysql> FLUSH PRIVILEGES;
And then the IP range will come back into effect, and the user will be able to connect from thathost again.
You can revoke privileges as mentioned above, but this will still allow a user to make a connection to your MySQL server - albeit this will prevent that user from authenticating. If you really want to block/allow connections to your MySQL server based on IP, use iptables.
Have you tried using MySQL Workbench?
You can simply remove ROLES for a specific User/Host from there.
I'm trying to connect to a remote host, dev, from my webserver. When I do this command from the webserve composer.domain.com: mysql -u username -ppassword -h dev.domain.com, I get an error after authenticating that says access denied for username#sports.domain.com.
sports.domain.com IS a valid vhost on the webserver, but it's one of 14, and it's not the primary host, nor the one the IP resolves to via DNS.
Any idea where I should look to figure out why MySQL thinks I'm coming from sports.domain.com instead of the expected composer.domain.com?
During creating the mysql user, it should be specified the host where the user is allowed to connect. By default it is localhost. Try to add other user account on the database server try the following:
CREATE USER 'username'#'%'
IDENTIFIED BY PASSWORD 'password';
OR
CREATE USER 'username'#'sports.domain.com'
IDENTIFIED BY PASSWORD 'password';
% - it means that all clients are allowed to connect using user account.