On Linux, root user does not need a password to login, if connection is made using Unix socket. The authentication plugin unix_socket makes it possible. If the connection with unix_socket fails, root will fallback to native_authentication.
The purpose of this task is to make the same possible on Windows. There is already a gssapi plugin, which can detect users with administrative privileges (with MDEV-23959 one can use e.g "SID:BA" in user definition to allow administrator only).
There is a subtlety with this plugin, which is not there with unix socket. The unix_socket does not send any packets between client and server, i.e it does not need client support.
auth_gssapi on the other hand does need client support, and there will be lot of auth_gssapi unaware clients drivers (basically, everything except our own 3 drivers and MySqlConnector.NET.
Also, most of 3rd drivers are unaware of "switch authentication" which is used with alternative authentication methods in MariaDB.
Thus, to avoid failures when mariadb is used with 3rd party driver, authentication on Windows should try password-based native_authentication first, and only if it fails, fallback to passwordless auth_gssapi.
Note, that auth_gssapi and its client portion should be linked into the server and C client, to avoid different scenarios where plugin would not be found.
Also, create new user on installer, with user name of the person who installs the MSI package.
Also, root should authenticate successfully if member of Administrators group tries to connect via gssapi (on Windows, we support group membership).
The feature that was long ago made possible with Linux installations (possibly Debian, I'm not sure), for easy and secure passwordless connect . auth_gssapi won every Windows. It does not depend on Kerberos or named pipe. More people should be using it, really.
On Linux, root user does not need a password to login, if connection is made using Unix socket. The authentication plugin unix_socket makes it possible. If the connection with unix_socket fails, root will fallback to native_authentication.
The purpose of this task is to make the same possible on Windows. There is already a gssapi plugin, which can detect users with administrative privileges (with MDEV-23959 one can use e.g "SID:BA" in user definition to allow administrator only).
There is a subtlety with this plugin, which is not there with unix socket. The unix_socket does not send any packets between client and server, i.e it does not need client support.
auth_gssapi on the other hand does need client support, and there will be lot of auth_gssapi unaware clients drivers (basically, everything except our own 3 drivers and MySqlConnector.NET.
Also, most of 3rd drivers are unaware of "switch authentication" which is used with alternative authentication methods in MariaDB.
Thus, to avoid failures when mariadb is used with 3rd party driver, authentication on Windows should try password-based native_authentication first, and only if it fails, fallback to passwordless auth_gssapi.
On Linux, root user does not need a password to login, if connection is made using Unix socket. The authentication plugin unix_socket makes it possible. If the connection with unix_socket fails, root will fallback to native_authentication.
The purpose of this task is to make the same possible on Windows. There is already a gssapi plugin, which can detect users with administrative privileges (with MDEV-23959 one can use e.g "SID:BA" in user definition to allow administrator only).
There is a subtlety with this plugin, which is not there with unix socket. The unix_socket does not send any packets between client and server, i.e it does not need client support.
auth_gssapi on the other hand does need client support, and there will be lot of auth_gssapi unaware clients drivers (basically, everything except our own 3 drivers and MySqlConnector.NET.
Also, most of 3rd drivers are unaware of "switch authentication" which is used with alternative authentication methods in MariaDB.
Thus, to avoid failures when mariadb is used with 3rd party driver, authentication on Windows should try password-based native_authentication first, and only if it fails, fallback to passwordless auth_gssapi.
On Linux, root user does not need a password to login, if connection is made using Unix socket. The authentication plugin unix_socket makes it possible. If the connection with unix_socket fails, root will fallback to native_authentication.
The purpose of this task is to make the same possible on Windows. There is already a gssapi plugin, which can detect users with administrative privileges (with MDEV-23959 one can use e.g "SID:BA" in user definition to allow administrator only).
There is a subtlety with this plugin, which is not there with unix socket. The unix_socket does not send any packets between client and server, i.e it does not need client support.
auth_gssapi on the other hand does need client support, and there will be lot of auth_gssapi unaware clients drivers (basically, everything except our own 3 drivers and MySqlConnector.NET.
Also, most of 3rd drivers are unaware of "switch authentication" which is used with alternative authentication methods in MariaDB.
Thus, to avoid failures when mariadb is used with 3rd party driver, authentication on Windows should try password-based native_authentication first, and only if it fails, fallback to passwordless auth_gssapi.
Note, that auth_gssapi and its client portion should be linked into the server and C client, to avoid different scenarios where plugin would not be found.
Task
Critical
MDEV-32665 Faking non-existing user during authentication throws confusing "unknown authentication plugin"
