MariaDB Server: MDEV-30844

GSSAPI not working with GROUP and SID - only username

Details

    Description

      I have set up MariaDB in Docker and am trying to get it to work with GSSAPI. So far I can only get it to work by creating a user with the same username as my Windows user.

      A custom Dockerfile is made to install the GSSAPI plugin like so:

      FROM mariadb:10-jammy

      RUN apt update -y
      RUN apt install mariadb-plugin-gssapi-server -y

      Otherwise the plugin is missing in the Docker container.

      If I create a new user with the same username it works:

      CREATE USER MIDU IDENTIFIED VIA gssapi
      

      However, trying to use the `AS` option with `SID` or `GROUP` does not work. I get an error like this:

      GSSAPI name mismatch, requested 'SID:WD', actual name 'MIDU@EXAMPLE.LOCAL'
      

      So it's as if it's not checking the group permissions for the user.

      I've been following the guide at https://mariadb.com/kb/en/authentication-plugin-gssapi

      And testing has been done both in HeidiSQL and by creating some demo code with the ODBC driver; both give the same errors.

      Creating the everyone user as defined in the original issue (MDEV-23959) does not work either, but I've also tried my own combinations of group SID and group name without luck.
      Neither of these works:

      CREATE USER MIDU IDENTIFIED VIA gssapi as 'SID:S-1-5-21-3285602104-3108630777-907688344-10270'
      CREATE USER MIDU IDENTIFIED VIA gssapi as 'GROUP:Database-MariaDB-Admin'
      CREATE USER MIDU IDENTIFIED VIA gssapi as 'GROUP:example.local\\Database-MariaDB-Admin'
      

      Using another username for the MariaDB user doesn't change things either.

        Activity

          mikkel1156 Mikkel created issue -
          wlad Vladislav Vaintroub added a comment - edited

          If you're following this guide, you'll find "Windows only" for SID and groups. That means Windows server-side, which your Docker is not. For Windows, there is a documented API to get the SIDs and group membership. With MIT Kerberos, there is nothing like that.
          mikkel1156 Mikkel added a comment -

          Thanks for the quick response, that does make a lot of sense. It somehow didn't click for me that it was meant for the server. I'm guessing it would be possible if there were LDAP integration, since it might be able to do the lookup that way after validating Kerberos, but I'm guessing that is out of scope.

          Thanks for the help.

          wlad Vladislav Vaintroub added a comment -

          For the group names, yes, LDAP integration would help.

          But SIDs should already be here, packed into the Kerberos ticket, in the so-called PAC structure. See the comment on https://mariadb.com/kb/en/the-community-is-chaining-upns-via-authentication_options-when-using-the-gs/+comments/4846#comment_4849. Nobody has investigated how to parse them in MariaDB; it might be outside GSSAPI and even standard Kerberos, but the Samba people know more (https://wiki.samba.org/index.php/Kerberos_PAC).
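Added example (not code from this issue, from MariaDB or from its GSSAPI plugin) tying together the two points above: the reporter's 'SID:...' / 'GROUP:...' strings after IDENTIFIED VIA gssapi AS, and the note that on a Windows domain the SIDs travel inside the ticket's PAC. The Python below splits such an AS string, converts a SID between its text form and the binary RPC_SID layout the PAC uses, and parses the PAC's outer container (PACTYPE header plus PAC_INFO_BUFFER table) with bounds checks, extracting the client name from PAC_CLIENT_INFO and reporting whether both signature buffers are present. The buffer-type constants and structure layouts are taken from the MS-PAC specification, not from this page; the sample PAC, its client name and its zeroed signature buffers are constructed. The SIDs themselves sit in the NDR-encoded KERB_VALIDATION_INFO buffer, which this code does not decode, and the signatures are not verified.

```python
import struct
from typing import Dict, List, Tuple

# PAC_INFO_BUFFER ulType values from MS-PAC (assumed from the spec, not taken from the issue page)
PAC_LOGON_INFO = 0x01        # KERB_VALIDATION_INFO: NDR-encoded, carries the user and group SIDs
PAC_SERVER_CHECKSUM = 0x06   # signature made with the service's long-term key
PAC_PRIVSVR_CHECKSUM = 0x07  # signature made with the KDC's key
PAC_CLIENT_INFO = 0x0A       # PAC_CLIENT_INFO: logon time plus client name
HEADER_FMT = "<II"           # PACTYPE: cBuffers, Version
ENTRY_FMT = "<IIQ"           # PAC_INFO_BUFFER: ulType, cbBufferSize, Offset
HEADER_SIZE, ENTRY_SIZE = struct.calcsize(HEADER_FMT), struct.calcsize(ENTRY_FMT)

def parse_auth_string(auth: str) -> Tuple[str, str]:
    """Split the string after IDENTIFIED VIA gssapi AS into (kind, value): 'SID', 'GROUP' or 'NAME'."""
    for prefix in ("SID:", "GROUP:"):
        if auth.startswith(prefix):
            return prefix[:-1], auth[len(prefix):]
    return "NAME", auth

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-R-A-s1-...' as a binary RPC_SID: revision, count, 48-bit big-endian authority, LE subauthorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID out of range: %r" % sid)
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(data: bytes) -> str:
    """Decode a binary RPC_SID back to its string form, refusing truncated input."""
    if len(data) < 8 or len(data) < 8 + 4 * data[1]:
        raise ValueError("SID truncated")
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def parse_pac_buffers(pac: bytes) -> Dict[int, bytes]:
    """Parse the PACTYPE header and return {ulType: bytes}, bounds-checking every buffer entry."""
    if len(pac) < HEADER_SIZE:
        raise ValueError("PAC shorter than its header")
    cbuffers, version = struct.unpack_from(HEADER_FMT, pac, 0)
    table_end = HEADER_SIZE + ENTRY_SIZE * cbuffers
    if version != 0 or table_end > len(pac):
        raise ValueError("unsupported PAC version %d or buffer table past end of PAC" % version)
    buffers: Dict[int, bytes] = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from(ENTRY_FMT, pac, HEADER_SIZE + ENTRY_SIZE * i)
        if offset < table_end or offset + size > len(pac):
            raise ValueError("buffer type 0x%x points outside the PAC" % ultype)
        if ultype in buffers:
            raise ValueError("duplicate buffer type 0x%x" % ultype)
        buffers[ultype] = pac[offset:offset + size]
    return buffers

def is_well_formed_pac(pac: bytes) -> bool:
    """Structure-only check; the two signature buffers are not verified here."""
    try:
        parse_pac_buffers(pac)
        return True
    except ValueError:
        return False

def parse_client_info(buf: bytes) -> Tuple[int, str]:
    """PAC_CLIENT_INFO: ClientId FILETIME, NameLength in bytes, Name as UTF-16LE."""
    client_id, name_len = struct.unpack_from("<QH", buf, 0)  # struct.error if shorter than 10 bytes
    if name_len % 2 or 10 + name_len > len(buf):
        raise ValueError("client name length %d does not fit the buffer" % name_len)
    return client_id, buf[10:10 + name_len].decode("utf-16-le")

def build_pac(buffers: List[Tuple[int, bytes]]) -> bytes:
    """Constructed test-vector builder: header, buffer table, then each buffer 8-byte aligned."""
    header = struct.pack(HEADER_FMT, len(buffers), 0)
    offset = HEADER_SIZE + ENTRY_SIZE * len(buffers)
    table, body = b"", b""
    for ultype, data in buffers:
        table += struct.pack(ENTRY_FMT, ultype, len(data), offset)
        padded = data + b"\0" * (-len(data) % 8)
        body += padded
        offset += len(padded)
    return header + table + body

def summarize_pac(pac: bytes) -> Dict[str, object]:
    """What a server-side plugin could report before trusting anything in the ticket."""
    buffers = parse_pac_buffers(pac)
    name = parse_client_info(buffers[PAC_CLIENT_INFO])[1] if PAC_CLIENT_INFO in buffers else None
    # Both signatures must verify (MS-PAC 2.8) before any SID from the logon info may be trusted.
    signed = PAC_SERVER_CHECKSUM in buffers and PAC_PRIVSVR_CHECKSUM in buffers
    return {"buffer_types": sorted(buffers), "client_name": name,
            "has_logon_info": PAC_LOGON_INFO in buffers, "signed": signed}

# Constructed sample PAC: client "MIDU", two placeholder signature buffers (type 0x10, zeroed), no logon info.
_NAME = "MIDU".encode("utf-16-le")
_SIG = b"\x10\x00\x00\x00" + b"\0" * 12
SAMPLE_PAC = build_pac([(PAC_CLIENT_INFO, struct.pack("<QH", 0, len(_NAME)) + _NAME),
                        (PAC_SERVER_CHECKSUM, _SIG), (PAC_PRIVSVR_CHECKSUM, _SIG)])
```

Running `summarize_pac(SAMPLE_PAC)` reports the three buffer types, the client name MIDU and that both signature buffers are present; `is_well_formed_pac` rejects a PAC that is truncated or whose buffer table points back into the header. Without checking the signatures, nothing parsed here may be relied on: a server-side implementation would have to verify the server checksum with the service key, and refuse a PAC that lacks it, before mapping any SID from the logon info to a MariaDB account, which is the part the comment above says nobody has investigated yet.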
          serg Sergei Golubchik made changes -
          Priority: Major [ 3 ] -> Minor [ 4 ]
          serg Sergei Golubchik made changes -
          Affects Version/s: 10.11.2 [ 28523 ]
          Environment: Docker using mariadb:10-jammy
          Issue Type: Bug [ 1 ] -> Task [ 3 ]

          People

            Assignee: Unassigned
            Reporter: mikkel1156 Mikkel
            Votes: 0
            Watchers: 3
