The error ERROR 1524 (HY000): Plugin 'unix_socket' is not loaded appears when MariaDB tries to authenticate using the unix_socket authentication plugin but the plugin is either not installed or not enabled. This commonly happens on Debian and Ubuntu systems after a MariaDB upgrade, a manual change to the authentication plugin, or when the root account was configured for unix_socket authentication but the plugin was removed or failed to load.
This guide walks through multiple methods to fix this error on Debian and Ubuntu systems. The approach depends on your MariaDB version and how the authentication was originally configured. For MariaDB 10.4 and newer, the unix_socket plugin is the default authentication method for the root user – so the fix is slightly different from older versions.
Step 1: Understand the Error
MariaDB supports multiple authentication plugins. The two most common are:
- unix_socket – Authenticates based on the OS user running the client. If you are logged in as
rooton the system, MariaDB grants access to therootdatabase user without a password. This is the default since MariaDB 10.4. - mysql_native_password – Traditional password-based authentication. The client provides a password and MariaDB checks it against the stored hash.
The error occurs when a user account (typically root) has unix_socket set as its authentication plugin, but the plugin is not loaded in the server. This happens in a few scenarios:
- The
unix_socket.soplugin file was deleted or corrupted during an upgrade - The MariaDB server was compiled without the plugin
- A manual uninstall of the plugin while user accounts still depend on it
- Switching from a MariaDB version that had the plugin to one that does not
Check the current authentication plugin assigned to the root user. If you can still connect through any method, run this query:
SELECT user, host, plugin FROM mysql.user WHERE user='root';If the plugin column shows unix_socket, that confirms the account depends on the plugin that failed to load.
Step 2: Fix by Starting MariaDB in Safe Mode
The most reliable fix is to start MariaDB without authentication checks, then change the root user’s plugin. First, stop the running MariaDB service:
sudo systemctl stop mariadbStart MariaDB in safe mode with grant tables disabled. This lets you connect without any authentication:
sudo mysqld_safe --skip-grant-tables --skip-networking &The --skip-networking flag prevents remote connections while authentication is disabled – a security measure. Wait a few seconds for the server to start, then connect:
mysql -u rootYou should get a MariaDB prompt without any password prompt or authentication error.
Step 3: Switch Auth Plugin to mysql_native_password
Once connected to the MariaDB prompt in safe mode, flush the privileges table first to enable grant table operations:
FLUSH PRIVILEGES;Now switch the root user from unix_socket to mysql_native_password and set a password:
ALTER USER 'root'@'localhost' IDENTIFIED VIA mysql_native_password USING PASSWORD('YourStrongPassword');Flush privileges again to apply the changes:
FLUSH PRIVILEGES;
EXIT;Stop the safe mode instance and start MariaDB normally:
sudo kill $(pgrep -f mysqld_safe)
sudo kill $(pgrep -f mariadbd)
sudo systemctl start mariadbVerify the fix by logging in with the new password:
mysql -u root -pYou should get access after entering the password you set. Confirm the authentication plugin changed by running:
SELECT user, host, plugin FROM mysql.user WHERE user='root';The plugin column should now show mysql_native_password instead of unix_socket.
Step 4: Fix Using the debian-sys-maint Account
On Debian and Ubuntu, MariaDB creates a special maintenance account called debian-sys-maint. This account uses password-based authentication and its credentials are stored in /etc/mysql/debian.cnf. If the root account is locked out but the service is still running, this account provides a way in without restarting MariaDB.
Read the maintenance credentials from the config file:
sudo cat /etc/mysql/debian.cnfThe output shows the maintenance user’s password in the password field:
# Automatically generated for Debian scripts. DO NOT TOUCH!
[client]
host = localhost
user = debian-sys-maint
password = aBcDeFgHiJkLmNoP
socket = /run/mysqld/mysqld.sockConnect using those credentials:
mysql -u debian-sys-maint -pEnter the password from debian.cnf when prompted. Once connected, switch the root user to password-based authentication:
ALTER USER 'root'@'localhost' IDENTIFIED VIA mysql_native_password USING PASSWORD('YourStrongPassword');
FLUSH PRIVILEGES;
EXIT;This method avoids the need to restart MariaDB in safe mode, making it ideal for production systems where downtime is a concern.
Step 5: Fix for MariaDB 10.4+ Where unix_socket Is Default
Starting with MariaDB 10.4, the unix_socket plugin is installed by default and the root user uses it as the primary authentication method. In these versions, the error is less about a missing plugin and more about a corrupted plugin state or a broken installation.
If you are running MariaDB 10.4 or newer, first try reinstalling the plugin. Connect using the debian-sys-maint method from Step 4, or start in safe mode from Step 2, then run:
INSTALL SONAME 'auth_socket';If the plugin loads successfully, the root user should be able to authenticate again via unix_socket. Verify with:
SELECT plugin_name, plugin_status FROM information_schema.plugins WHERE plugin_name='unix_socket';The status should show ACTIVE. If the reinstall fails because the .so file is missing, you need to reinstall the MariaDB server package to restore it:
sudo apt reinstall mariadb-serverAfter reinstalling, restart the service and test root login:
sudo systemctl restart mariadb
sudo mariadbOn MariaDB 10.4+, the mariadb client command (as the system root user) should connect directly via the unix_socket plugin without a password. If you prefer password-based authentication instead, follow Step 3 to switch to mysql_native_password.
Step 6: Prevent the unix_socket Error in Future
A few best practices keep this error from recurring on your MariaDB installations on Ubuntu and Debian systems:
- Do not uninstall auth plugins manually – Before running
UNINSTALL SONAME 'auth_socket', check if any user accounts depend on the plugin. QuerySELECT user, host, plugin FROM mysql.user WHERE plugin='unix_socket'first. - Use a dedicated admin account – Instead of modifying root’s authentication, create a separate admin user with
mysql_native_passwordfor application connections. Keep root onunix_socketfor local system administration. - Back up user grants before upgrades – Run
mariadb-dump --system=users(MariaDB 10.5+) before any major upgrade to save all user accounts and their authentication settings. - Pin major versions – Avoid automatic major version jumps by pinning the MariaDB repository to a specific major version (e.g. 10.11 LTS or 11.4 LTS). This prevents unexpected authentication plugin changes during routine
apt upgraderuns. - Know your debian.cnf – Keep the
/etc/mysql/debian.cnfcredentials accessible. This file is your emergency backdoor when root authentication breaks. If you reset MariaDB root password, thedebian-sys-maintaccount remains functional.
To check which authentication plugins are currently loaded on your server:
SHOW PLUGINS WHERE name LIKE '%socket%' OR name LIKE '%password%';This shows both unix_socket and mysql_native_password plugin status. Both should show as ACTIVE for a healthy setup.
Conclusion
The ERROR 1524 (HY000): Plugin 'unix_socket' is not loaded is fixable through safe mode access, the debian-sys-maint account, or reinstalling the plugin. The quickest production fix is the debian-sys-maint approach since it requires no service restart. For MariaDB on Debian 10.4 and newer, reinstalling the plugin is often the cleanest solution since unix_socket is the intended default.
After fixing the error, consider setting up MariaDB replication for high availability and Prometheus monitoring for MariaDB to catch authentication issues early.
