[MDEV-30844] GSSAPI not working with GROUP and SID - only username Created: 2023-03-14  Updated: 2023-05-01

Status: Open
Project: MariaDB Server
Component/s: Platform Windows, Plugins, Server
Fix Version/s: None

Type: Task Priority: Minor
Reporter: Mikkel Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


Description

I have set up MariaDB in Docker and am trying to get it to work with GSSAPI. So far I can only get it to work by creating a user with the same username as my Windows user.

A custom Dockerfile is made to install the GSSAPI plugin like so:

FROM mariadb:10-jammy

# The Ubuntu package carries the server-side plugin (auth_gssapi.so); install it
# in a single layer and drop the apt lists so the image stays small.
RUN apt-get update \
 && apt-get install -y --no-install-recommends mariadb-plugin-gssapi-server \
 && rm -rf /var/lib/apt/lists/*

Otherwise the plugin is missing in the Docker container.

If I create a new user with the same username it works:

CREATE USER MIDU IDENTIFIED VIA gssapi;

However trying to use the `AS` option with `SID` or `GROUP` does not work. I'll get an error like this:

GSSAPI name mismatch, requested 'SID:WD', actual name 'MIDU@EXAMPLE.LOCAL'

So it's as if it's not checking the group permissions for the user.

I've been following the guide at https://mariadb.com/kb/en/authentication-plugin-gssapi

Testing has been done both in HeidiSQL and with some demo code using the ODBC driver; both get the same errors.

Creating the "everyone" user as defined in the original issue (MDEV-23959) does not work either, and I've also tried my own combinations of group SID and group name without luck.
Neither of these work:

CREATE USER MIDU IDENTIFIED VIA gssapi AS 'SID:S-1-5-21-3285602104-3108630777-907688344-10270';
CREATE USER MIDU IDENTIFIED VIA gssapi AS 'GROUP:Database-MariaDB-Admin';
CREATE USER MIDU IDENTIFIED VIA gssapi AS 'GROUP:example.local\\Database-MariaDB-Admin';

Using another username for the MariaDB user doesn't change things either.
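As an added illustration (not part of the report, and not MariaDB's own documentation text): on a non-Windows server, which is what the mariadb:10-jammy image is, the plugin is built against MIT Kerberos and the only rule it can apply is an exact match on the authenticated principal name. The linked KB page documents the AS clause as a full principal of the form 'user@REALM'; the realm below is taken from the "actual name" in the error message above, and the `INSTALL SONAME` line assumes the plugin is not already loaded by the package's config file.

```sql
-- Load the server-side plugin if the package did not already do so.
INSTALL SONAME 'auth_gssapi';

-- Works on any platform: the MariaDB account is bound to one Kerberos principal.
-- The realm EXAMPLE.LOCAL is the "actual name" reported in the error above.
CREATE USER midu IDENTIFIED VIA gssapi AS 'MIDU@EXAMPLE.LOCAL';

-- Without AS the expected principal is derived from the MariaDB user name,
-- which is why the report's plain CREATE USER MIDU works only when the two
-- names coincide.
CREATE USER MIDU IDENTIFIED VIA gssapi;

-- SID: and GROUP: prefixes are evaluated only by the Windows (SSPI) server
-- build; a Linux server has no group or SID lookup and fails the login with
-- the "GSSAPI name mismatch" error shown in the report.
CREATE USER midu_admin IDENTIFIED VIA gssapi AS 'GROUP:Database-MariaDB-Admin';
```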



Comments
Comment by Vladislav Vaintroub [ 2023-03-14 ]

If you're following this guide, you'll find "Windows only" for SID and groups. That means Windows server-side, which your Docker container is not. For Windows, there is a documented API to get the SIDs and group membership. With MIT Kerberos, there is nothing like that.

Comment by Mikkel [ 2023-03-15 ]

Thanks for the quick response, that does make a lot of sense. It somehow didn't click for me that it was meant for the server. I'm guessing it would be possible if there were LDAP integration, since it might be able to do the lookup that way after validating Kerberos, but I'm guessing that is out of scope.

Thanks for the help.

Comment by Vladislav Vaintroub [ 2023-03-15 ]

For the group names, yes, LDAP integration would help.

But SIDs should already be there, packed into the Kerberos ticket in the so-called PAC structure. See the comment on https://mariadb.com/kb/en/the-community-is-chaining-upns-via-authentication_options-when-using-the-gs/+comments/4846#comment_4849 . Nobody has investigated how to parse them in MariaDB; it might be outside GSSAPI and even standard Kerberos, but the Samba people know more (https://wiki.samba.org/index.php/Kerberos_PAC).
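To make the last comment concrete, here is an added example (written for this page, not code from the ticket or from MariaDB) that walks the PAC layout from MS-PAC: the PACTYPE directory of (type, size, 64-bit offset) entries, the PAC_CLIENT_INFO name, the UPN_DNS_INFO buffer (which, when its S flag is set, also carries the SAM account name and the user's SID) and the PAC_REQUESTOR SID. The PAC bytes are constructed inside the script, not captured from a KDC, and the user RID 1104 is invented; the group membership Vladislav refers to lives in the KERB_VALIDATION_INFO buffer (type 0x01), which is NDR-encoded, so this example only reports that it is present. How the PAC is extracted from an accepted GSS context is library-specific and not shown, and in real use the server checksum buffer must be verified against the service key before any SID read from the PAC is trusted.

```python
import struct

# PAC_INFO_BUFFER ulType values from MS-PAC (only the ones used here).
PAC_LOGON_INFO = 0x01     # KERB_VALIDATION_INFO: user SID, group RIDs, extra SIDs (NDR)
PAC_CLIENT_INFO = 0x0A    # PAC_CLIENT_INFO: client name plus ticket auth time
PAC_UPN_DNS_INFO = 0x0C   # UPN_DNS_INFO: UPN, DNS domain, optionally SAM name + SID
PAC_REQUESTOR = 0x12      # PAC_REQUESTOR: SID of the account the ticket was issued to

UPN_DNS_FLAG_SAM_AND_SID = 0x2   # "S" flag: UPN_DNS_INFO is extended with SamName/Sid


def sid_to_string(data: bytes) -> str:
    """Binary SID -> 'S-1-5-...': revision, sub-authority count, 6-byte big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string; used to build the constructed sample below."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_pac(blob: bytes) -> dict:
    """Walk the PACTYPE directory: cBuffers, Version (0), then cBuffers entries of
    (ulType, cbBufferSize, Offset) where Offset is a 64-bit offset into the PAC."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    buffers = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("PAC buffer type 0x%x overruns the PAC" % ultype)
        buffers[ultype] = blob[offset:offset + size]
    return buffers


def parse_client_info(buf: bytes) -> str:
    # ClientId (FILETIME, 8 bytes), NameLength (2 bytes), Name (UTF-16LE)
    _client_id, name_len = struct.unpack_from("<QH", buf, 0)
    return buf[10:10 + name_len].decode("utf-16-le")


def parse_upn_dns_info(buf: bytes) -> dict:
    # 16-bit (Length, Offset) pairs; offsets are relative to the buffer start.
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack_from("<HHHHI", buf, 0)
    info = {"upn": buf[upn_off:upn_off + upn_len].decode("utf-16-le"),
            "dns_domain": buf[dns_off:dns_off + dns_len].decode("utf-16-le"),
            "flags": flags}
    if flags & UPN_DNS_FLAG_SAM_AND_SID:
        sam_len, sam_off, sid_len, sid_off = struct.unpack_from("<HHHH", buf, 12)
        info["sam_name"] = buf[sam_off:sam_off + sam_len].decode("utf-16-le")
        info["sid"] = sid_to_string(buf[sid_off:sid_off + sid_len])
    return info


def summarize_pac(blob: bytes) -> dict:
    """Everything a server-side plugin can read from the PAC without an NDR decoder."""
    buffers = parse_pac(blob)
    out = {"buffer_types": sorted(buffers),
           "has_logon_info": PAC_LOGON_INFO in buffers}   # group SIDs are in here (NDR)
    if PAC_CLIENT_INFO in buffers:
        out["client_name"] = parse_client_info(buffers[PAC_CLIENT_INFO])
    if PAC_UPN_DNS_INFO in buffers:
        out.update(parse_upn_dns_info(buffers[PAC_UPN_DNS_INFO]))
    if PAC_REQUESTOR in buffers:
        out["requestor_sid"] = sid_to_string(buffers[PAC_REQUESTOR])
    return out


# ---- constructed sample PAC (built here, not captured from a real KDC) --------------

def build_upn_dns_info(upn, dns_domain, sam_name, sid_str) -> bytes:
    fields = [s.encode("utf-16-le") for s in (upn, dns_domain, sam_name)]
    fields.append(string_to_sid(sid_str))
    header_len = 12 + 8                      # base header plus the SamName/Sid extension
    offsets, body = [], b""
    for f in fields:
        offsets.append(header_len + len(body))
        body += f
    header = struct.pack("<HHHHIHHHH", len(fields[0]), offsets[0], len(fields[1]), offsets[1],
                         UPN_DNS_FLAG_SAM_AND_SID, len(fields[2]), offsets[2],
                         len(fields[3]), offsets[3])
    return header + body


def build_pac(entries) -> bytes:
    """Place each buffer after the directory, every buffer starting 8-byte aligned."""
    dir_len = 8 + 16 * len(entries)
    offset = (dir_len + 7) & ~7
    directory, body = b"", b"\x00" * (offset - dir_len)
    for ultype, data in entries:
        directory += struct.pack("<IIQ", ultype, len(data), offset)
        padded = data + b"\x00" * ((-len(data)) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(entries), 0) + directory + body


SAMPLE_USER_SID = "S-1-5-21-3285602104-3108630777-907688344-1104"   # RID 1104 is invented


def sample_pac() -> bytes:
    name = "MIDU".encode("utf-16-le")
    client_info = struct.pack("<QH", 0x01D9567A00000000, len(name)) + name
    return build_pac([
        (PAC_LOGON_INFO, b"\x01\x10\x08\x00" + b"\x00" * 28),   # stand-in for the NDR blob
        (PAC_CLIENT_INFO, client_info),
        (PAC_UPN_DNS_INFO, build_upn_dns_info("MIDU@example.local", "EXAMPLE.LOCAL",
                                              "MIDU", SAMPLE_USER_SID)),
        (PAC_REQUESTOR, string_to_sid(SAMPLE_USER_SID)),
    ])


if __name__ == "__main__":
    for key, value in summarize_pac(sample_pac()).items():
        print("%-15s %r" % (key, value))
```

The point for the ticket: the user's own SID is reachable from flat structures (UPN_DNS_INFO with the S flag, or PAC_REQUESTOR), so a SID: rule for the user could in principle be evaluated on Linux once the PAC is verified; group SIDs require decoding the NDR-encoded KERB_VALIDATION_INFO, which is the part nobody has investigated.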

Generated at Thu Feb 08 10:19:19 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.