Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-2049

Kerberos authentication not working or not clearly documented

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.12
    • Fix Version/s: 2.2.16
    • Component/s: Authenticator
    • Labels:
      None

      Description

      User KERB_A can connect using gssapi to a backend server SRV1.

      When trying to connect KERB_A (kerberos user) via MaxScale to a backend server SRV1, this error happens:

       
      2018-08-30 15:02:53 error : (15) GSSAPI Major Error: Unspecified GSS failure. Minor code may provide more information
      2018-08-30 15:02:53 error : (15) GSSAPI Minor Error: No Kerberos credentials available (default cache: KEYRING:persistent:997)
      

      Starting MaxScale process with user KERB_A and then connecting to SRV1 via MaxScale with the same user KERB_A, authentication succeeds.

      When trying to use another kerberos user KERB_B to connect to SRV1 via MaxScale this error happens:

      Sep 13 13:09:37 server_x maxscale[154147]: (9) [mariadbbackend] Invalid authentication message from backend 'NODE_2_KERBEROS'. Error code: 1045, Msg : #28000GSSAPI name mismatch, requested 'KERB_B@DOMAIN', actual name 'KERB_A@DOMAIN'
      

      Documentation has been followed but it's not clear what's wrong.

      How does GSSAPI work?

      Does MaxScale process user need to be a kerberos user?

      If so, why when connecting with another user I get the above error of user mismatch?

        Attachments

          Activity

            People

            • Assignee:
              markus makela markus makela
              Reporter:
              claudio.nanni Claudio Nanni
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: