[MDEV-26715] Windows - passwordless login for mariadb root user, for OS admin users
Created: 2021-09-28  Updated: 2023-11-02  Resolved: 2022-11-08

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Server
Fix Version/s: 10.11.1

Type: Task
Priority: Critical
Reporter: Vladislav Vaintroub
Assignee: Vladislav Vaintroub
Resolution: Fixed
Votes: 0
Labels: Preview_10.11

Issue Links:
PartOf
is part of MDEV-29547 prepare 10.11.0 preview releases Closed
Relates
relates to MDEV-32665 Faking non-existing user during authe... Closed

 Description   

On Linux, the root user does not need a password to log in if the connection is made using a Unix socket. The authentication plugin unix_socket makes it possible. If the connection with unix_socket fails, root will fall back to native_authentication.

The purpose of this task is to make the same possible on Windows. There is already a gssapi plugin, which can detect users with administrative privileges (with MDEV-23959 one can use e.g. "SID:BA" in the user definition to allow administrators only).

There is a subtlety with this plugin, which is not there with unix socket. The unix_socket plugin does not send any packets between client and server, i.e. it does not need client support.
auth_gssapi, on the other hand, does need client support, and there will be a lot of auth_gssapi-unaware client drivers (basically, everything except our own 3 drivers and MySqlConnector.NET).
Also, most 3rd-party drivers are unaware of "switch authentication", which is used with alternative authentication methods in MariaDB.

Thus, to avoid failures when mariadb is used with a 3rd-party driver, authentication on Windows should try password-based native_authentication first, and only if it fails, fall back to passwordless auth_gssapi.

Note that auth_gssapi and its client portion should be linked into the server and C client, to avoid different scenarios where the plugin would not be found.



 Comments   
Comment by Vladislav Vaintroub [ 2022-09-14 ]

Would be nice to know in the course of testing

With a normal installation (MSI), check how foreign (non-MariaDB) connectors behave when connecting as user root with a wrong password. Oracle's C, JDBC and .NET drivers could be used for this kind of testing.
The interesting part is how foreign connectors react to switch authentication from mysql_native_authentication to auth_gssapi_client. A failure like "auth_gssapi_client plugin not found" should be fine and expected. Hopefully those connectors won't crash in unforeseen ways.

Comment by Lena Startseva [ 2022-11-07 ]

Testing is complete.
Result of check:

| Connector | Version | Support "auth_gssapi" | Comment |
|---|---|---|---|
| ODBC | 3.1.17-win64 | | Checked via the LibreOffice |
| Connector/J | 3.1.0-SNAPSHOT | | There was a problem with auth_gssapi (in 3.0.8), resolved in 3.1.0-SNAPSHOT |
| Connector/C | 3.3.2-win64 | | |
| Connector/C++ | 1.0.2-win64 | | |
| MySqlConnector for .NET | 2.2.0-rc.2 (nuget package) | | |
| mysql-connector-java | 8.0.30 | | Status : Failure -Test failed: Unable to load authentication plugin 'auth_gssapi_client' |
| mysqli | 8.1.12 (php version) | | PHP Fatal error: Uncaught mysqli_sql_exception: The server requested authentication method unknown to the client [auth_gssapi_client] |

Comment by Vladislav Vaintroub [ 2022-11-07 ]

To clarify, both mysql-connector-java and mysqli will connect fine, as long as the password is correct.
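
The switch-authentication step discussed in this issue, as an added example that is not part of the original ticket and not MariaDB or connector code: a client-side handler that parses the server's reply to the first authentication attempt and fails cleanly when the requested plugin is unknown. The function names, the `SUPPORTED` set and the sample packet are assumptions made for illustration; the packet layout is the standard client-server protocol framing.

```python
# Added illustration: client-side handling of the server's reply to the first
# auth attempt. Packet layouts follow the MySQL/MariaDB client-server protocol.
SUPPORTED = {"mysql_native_password"}  # assumption: a gssapi-unaware driver


class UnsupportedAuthPlugin(Exception):
    """The server asked for a plugin this client cannot run."""


def frame(seq, payload):
    """Build a packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(raw):
    """Split one packet into (sequence id, payload), rejecting truncation."""
    if len(raw) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return raw[3], payload


def parse_auth_switch(payload):
    """AuthSwitchRequest: 0xFE, NUL-terminated plugin name, plugin data."""
    if payload[:1] != b"\xfe":
        raise ValueError("not an AuthSwitchRequest")
    name, nul, data = payload[1:].partition(b"\x00")
    if not nul or not name:
        raise ValueError("malformed plugin name")
    return name.decode("ascii"), data


def handle_auth_reply(raw, supported=SUPPORTED):
    """Classify the reply; fail cleanly on an unknown plugin."""
    _, payload = parse_packet(raw)
    if payload[:1] == b"\x00":
        return "authenticated"      # OK packet
    if payload[:1] == b"\xff":
        return "denied"             # ERR packet
    plugin, _data = parse_auth_switch(payload)
    if plugin not in supported:
        raise UnsupportedAuthPlugin(f"unknown authentication method [{plugin}]")
    return "switch:" + plugin


# Constructed sample: the plugin data bytes are a placeholder, not real output.
SAMPLE = frame(2, b"\xfe" + b"auth_gssapi_client\x00" + b"placeholder")
```

With the default `SUPPORTED` set, `handle_auth_reply(SAMPLE)` raises `UnsupportedAuthPlugin`, the clean-failure behaviour the testing comment hopes foreign connectors show.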
