Details
-
Task
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Fixed
Description
On Linux, root user does not need a password to login, if connection is made using Unix socket. The authentication plugin unix_socket makes it possible. If the connection with unix_socket fails, root will fallback to native_authentication.
The purpose of this task is to make the same possible on Windows. There is already a gssapi plugin, which can detect users with administrative privileges (with MDEV-23959 one can use e.g "SID:BA" in user definition to allow administrator only).
There is a subtlety with this plugin, which is not there with unix socket. The unix_socket does not send any packets between client and server, i.e it does not need client support.
auth_gssapi on the other hand does need client support, and there will be lot of auth_gssapi unaware clients drivers (basically, everything except our own 3 drivers and MySqlConnector.NET.
Also, most of 3rd drivers are unaware of "switch authentication" which is used with alternative authentication methods in MariaDB.
Thus, to avoid failures when mariadb is used with 3rd party driver, authentication on Windows should try password-based native_authentication first, and only if it fails, fallback to passwordless auth_gssapi.
Note, that auth_gssapi and its client portion should be linked into the server and C client, to avoid different scenarios where plugin would not be found.
Attachments
Issue Links
- is part of
-
-
- Closed
-
- relates to
-
MDEV-32665 Faking non-existing user during authentication throws confusing "unknown authentication plugin"
-
- Closed
-
Activity
| Field | Original Value | New Value |
|---|---|---|
| Workflow | MariaDB v3 [ 125723 ] | MariaDB v4 [ 131566 ] |
| Fix Version/s | 10.9 [ 26905 ] |
| Assignee | Vladislav Vaintroub [ wlad ] |
| Fix Version/s | 10.10 [ 27530 ] | |
| Fix Version/s | 10.9 [ 26905 ] |
| Status | Open [ 1 ] | In Progress [ 3 ] |
| Summary | Windows - statically link gssapi plugin | Windows - passwordless login for root, for OS admin users |
| Description |
Also, create new user on installer, with user name of the person who installs the MSI package.
Also, root should authenticate successfully if member of Administrators group tries to connect via gssapi (on Windows, we support group membership). The feature that was long ago made possible with Linux installations (possibly Debian, I'm not sure), for easy and secure passwordless connect . auth_gssapi won every Windows. It does not depend on Kerberos or named pipe. More people should be using it, really. |
On Linux, root user does not need a password to login, if connection is made using Unix socket. The authentication plugin unix_socket makes it possible. If the connection with unix_socket fails, root will fallback to native_authentication.
The purpose of this task is to make the same possible on Windows. There is already a gssapi plugin, which can detect users with administrative privileges (with There is a subtlety with this plugin, which is not there with unix socket. The unix_socket does not send any packets between client and server, i.e it does not need client support. auth_gssapi on the other hand does need client support, and there will be lot of auth_gssapi unaware clients drivers (basically, everything except our own 3 drivers and MySqlConnector.NET. Also, most of 3rd drivers are unaware of "switch authentication" which is used with alternative authentication methods in MariaDB. Thus, to avoid failures when mariadb is used with 3rd party driver, authentication on Windows should try password-based native_authentication first, and only if it fails, fallback to passwordless auth_gssapi. |
| Description |
On Linux, root user does not need a password to login, if connection is made using Unix socket. The authentication plugin unix_socket makes it possible. If the connection with unix_socket fails, root will fallback to native_authentication.
The purpose of this task is to make the same possible on Windows. There is already a gssapi plugin, which can detect users with administrative privileges (with There is a subtlety with this plugin, which is not there with unix socket. The unix_socket does not send any packets between client and server, i.e it does not need client support. auth_gssapi on the other hand does need client support, and there will be lot of auth_gssapi unaware clients drivers (basically, everything except our own 3 drivers and MySqlConnector.NET. Also, most of 3rd drivers are unaware of "switch authentication" which is used with alternative authentication methods in MariaDB. Thus, to avoid failures when mariadb is used with 3rd party driver, authentication on Windows should try password-based native_authentication first, and only if it fails, fallback to passwordless auth_gssapi. |
On Linux, root user does not need a password to login, if connection is made using Unix socket. The authentication plugin unix_socket makes it possible. If the connection with unix_socket fails, root will fallback to native_authentication.
The purpose of this task is to make the same possible on Windows. There is already a gssapi plugin, which can detect users with administrative privileges (with There is a subtlety with this plugin, which is not there with unix socket. The unix_socket does not send any packets between client and server, i.e it does not need client support. auth_gssapi on the other hand does need client support, and there will be lot of auth_gssapi unaware clients drivers (basically, everything except our own 3 drivers and MySqlConnector.NET. Also, most of 3rd drivers are unaware of "switch authentication" which is used with alternative authentication methods in MariaDB. Thus, to avoid failures when mariadb is used with 3rd party driver, authentication on Windows should try password-based native_authentication first, and only if it fails, fallback to passwordless auth_gssapi. Note, that auth_gssapi and its client portion should be linked into the server and C client, to avoid different scenarios where plugin would not be found. |
| Summary | Windows - passwordless login for root, for OS admin users | Windows - passwordless login for mariadb root user, for OS admin users |
| Assignee | Vladislav Vaintroub [ wlad ] | Sergei Golubchik [ serg ] |
| Status | In Progress [ 3 ] | In Review [ 10002 ] |
| Assignee | Sergei Golubchik [ serg ] | Vladislav Vaintroub [ wlad ] |
| Status | In Review [ 10002 ] | Stalled [ 10000 ] |
| Fix Version/s | 10.11 [ 27614 ] | |
| Fix Version/s | 10.10 [ 27530 ] |
| Priority | Major [ 3 ] | Critical [ 2 ] |
| Status | Stalled [ 10000 ] | In Testing [ 10301 ] |
| Assignee | Vladislav Vaintroub [ wlad ] |
| Assignee | Lena Startseva [ JIRAUSER50478 ] |
| Link |
This issue is part of |
Testing is complete.
Result of check:
| Connector | Version | Support "auth_gssapi" | Comment |
|---|---|---|---|
| ODBC | 3.1.17-win64 |  |
Checked via the Libreoffice |
| Connector/J | 3.1.0-SNAPSHOT | |
There was a problem with auth_gssapi (in 3.0.8), resoved in 3.1.0-SNAPSHOT |
| Connector/C | 3.3.2-win64 | |
|
| Connector/C++ | 1.0.2-win64 | |
|
| MySqlConnector for .NET | 2.2.0-rc.2 (nuget package) | |
|
| mysql-connector-java | 8.0.30 |  |
Status : Failure -Test failed: Unable to load authentication plugin 'auth_gssapi_client' |
| mysqli | 8.1.12(php version) | |
PHP Fatal error: Uncaught mysqli_sql_exception: The server requested authentication method unknown to the client [auth_gssapi_client] |
| Assignee | Lena Startseva [ JIRAUSER50478 ] | Vladislav Vaintroub [ wlad ] |
| Status | In Testing [ 10301 ] | Stalled [ 10000 ] |
To clarify, both mysql-connector-java and mysqli will connect fine, as long as password is correct.
| issue.field.resolutiondate | 2022-11-08 14:35:56.0 | 2022-11-08 14:35:56.274 |
| Component/s | Authentication and Privilege System [ 13101 ] | |
| Component/s | Server [ 13907 ] | |
| Fix Version/s | 10.11.1 [ 28454 ] | |
| Fix Version/s | 10.11 [ 27614 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
| Labels | Preview_10.11 |
| Link |
This issue relates to |
Would be nice to know in course of testing
With normal installation (MSI), check how foreign (non-MariaDB) connectors behave, when connecting as user root with wrong password. Oracle's C, JDBC and .NET driver, could be used for this kind of testing.
The interesting part is how do foreign connectors react to switch authentication from mysql_native_authentication to auth_gssapi_client. Failure like "auth_gssapi_client plugin not found", that should be fine and expected. Hopefully those connectors won't crash in unforeseen ways.