[#MXS-2049] Kerberos authentication not working or not clearly documented

[MXS-2049] Kerberos authentication not working or not clearly documented Created: 2018-09-14 Updated: 2020-08-25 Resolved: 2018-10-01
Status:	Closed
Project:	MariaDB MaxScale
Component/s:	Authenticator
Affects Version/s:	2.2.12
Fix Version/s:	2.2.16

Type:

Bug

Priority:

Major

Reporter:

Claudio Nanni

Assignee:

markus makela

Resolution:

Fixed

Votes:

Labels:

None

Description

User KERB_A can connect using gssapi to a backend server SRV1.

When trying to connect KERB_A (kerberos user) via MaxScale to a backend server SRV1, this error happens:

2018-08-30 15:02:53 error : (15) GSSAPI Major Error: Unspecified GSS failure. Minor code may provide more information

2018-08-30 15:02:53 error : (15) GSSAPI Minor Error: No Kerberos credentials available (default cache: KEYRING:persistent:997)

Starting MaxScale process with user KERB_A and then connecting to SRV1 via MaxScale with the same user KERB_A, authentication succeeds.

When trying to use another kerberos user KERB_B to connect to SRV1 via MaxScale this error happens:

Sep 13 13:09:37 server_x maxscale[154147]: (9) [mariadbbackend] Invalid authentication message from backend 'NODE_2_KERBEROS'. Error code: 1045, Msg : #28000GSSAPI name mismatch, requested 'KERB_B@DOMAIN', actual name 'KERB_A@DOMAIN'

Documentation has been followed but it's not clear what's wrong.

How does GSSAPI work?

Does MaxScale process user need to be a kerberos user?

If so, why when connecting with another user I get the above error of user mismatch?

Comments

Comment by markus makela [ 2018-09-26 ]

Managed to reproduce the problem.

Generated at Thu Feb 08 04:11:19 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.

[MXS-2049] Kerberos authentication not working or not clearly documented Created: 2018-09-14 Updated: 2020-08-25 Resolved: 2018-10-01