The gssapi authentication plugin enables passwordless single sign-on by authenticating users via the Generic Security Services API, supporting Kerberos on Unix and Windows.
The gssapi authentication plugin allows the user to authenticate with services that use the Generic Security Services Application Program Interface (GSSAPI). Windows has a slightly different but very similar API called Security Support Provider Interface (SSPI). The GSSAPI is a standardized API described in RFC2743 and RFC2744. The client and server negotiate using a standardized protocol described in RFC7546.
On Windows, this authentication plugin supports Kerberos and NTLM authentication. Windows authentication is supported regardless of whether a domain is used in the environment.
On Unix systems, the most dominant GSSAPI service is Kerberos. However, it is less commonly used on Unix systems than it is on Windows. Regardless, this authentication plugin also supports Kerberos authentication on Unix.
The gssapi authentication plugin is most often used for authenticating with Microsoft Active Directory.
This article gives instructions on configuring the gssapi authentication plugin
for MariaDB for passwordless login.
The gssapi authentication plugin's shared library is included in MariaDB packages as the auth_gssapi.so or auth_gssapi.dll shared library on systems where it can be built.
The gssapi authentication plugin is included in on Linux.
The gssapi authentication plugin can also be installed via a package manager on Linux. In order to do so, your system needs to be configured to install from one of the MariaDB repositories.
You can configure your package manager to install it from MariaDB Corporation's MariaDB Package Repository by using the .
You can also configure your package manager to install it from MariaDB Foundation's MariaDB Repository by using the .
Installing with yum/dnf
On RHEL, CentOS, Fedora, and other similar Linux distributions, it is highly recommended to install the relevant from MariaDB's repository using or . Starting with RHEL 8 and Fedora 22, yum has been replaced by dnf, which is the next major version of yum. However, yum commands still work on many systems that use dnf:
Installing with apt-get
On Debian, Ubuntu, and other similar Linux distributions, it is highly recommended to install the relevant from MariaDB's repository using :
Installing with zypper
On SLES, OpenSUSE, and other similar Linux distributions, it is highly recommended to install the relevant from MariaDB's repository using :
On Windows, and on other operating systems, although the plugin's shared library is distributed with MariaDB by default, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.
The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing or :
The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the or the options. This can be specified as a command-line argument to or it can be specified in a relevant server in an :
You can uninstall the plugin dynamically by executing or :
If you installed the plugin by providing the or the options in a relevant server in an , then those options must be removed to prevent the plugin from being loaded the next time the server is restarted.
If the MariaDB server is running on Unix, then some additional configuration steps will need to be implemented in order to use the plugin.
If the MariaDB server is running on Windows, then no special configuration steps will need to be implemented in order to use the plugin, as long as the following is true:
The Windows server is joined to a domain.
The MariaDB server process is running as either a or a .
If the MariaDB server is running on Unix, then the KDC server will need to create a keytab file for the MariaDB server. The keytab file contains the service principal name, which is the identity that the MariaDB server will use to communicate with the KDC server. The keytab will need to be transferred to the MariaDB server, and the mysqld server process will need read access to this keytab file.
How this keytab file is generated depends on whether the KDC server is or .
If you are using , you may need to create a keytab using the utility on a Windows host. The service principal will need to be mapped to an existing domain user. To do so, follow the steps listed below.
Be sure to replace the following items in the step below:
Replace ${HOST} with the fully qualified DNS name for the MariaDB server host.
Replace ${DOMAIN} with the Active Directory domain.
Replace ${AD_USER} with the existing domain user.
To create the service principal, execute the following command:
If you are using , then you can create a file using the utility. To do so, follow the steps listed below.
In the following steps, be sure to replace ${HOST} with the fully qualified DNS name for the MariaDB server host.
First, create the service principal using the utility:
Then, export the newly created user to the keytab file using the utility:
More details can be found at the following links:
If the MariaDB server is running on Unix, then the path to the keytab file that was previously created can be set by configuring the system variable. This can be specified as a command-line argument to mariadbd, or it can be specified in a relevant server in an :
The service principal name can be set by configuring the system variable. This can be specified as a command-line argument to mariadbd, or it can be specified in a relevant server in an :
If a service principal name is not provided, the plugin tries to use mariadb/host.domain.com@REALM by default.
If the MariaDB server is running on Unix, the plugin needs a service principal name in order to function.
If the MariaDB server is running on Windows, the plugin does not usually need a service principal in order to function. However, if you want to use one, anyway, it can be created with the setspn utility.
Different KDC implementations may use different canonical forms to identify principals. See to learn what the standard says about principal names.
More details can be found at the following links:
To create a user account via , specify the name of the plugin in the clause:
If does not have NO_AUTO_CREATE_USER set, then you can also create the user account via :
You can also specify the user's for MariaDB with the USING clause:
The format of the realm depends on the specific authentication mechanism that is used. For example, the format would need to be machine\\username for Windows users authenticating with NTLM.
If the realm is not provided in the user account's definition, then the realm is not used for comparison. Therefore, 'usr1@EXAMPLE.COM', 'usr1@EXAMPLE.CO.UK' and 'mymachine\usr1' would all identify as the following user account:
On Windows only, it is possible to login using a AD or local group-membership. This is achieved by using the GROUP prefix in IDENTIFIED ... AS:
The effect of the above definition is that every user that identifies as a member of group Administrators can log in using the user name root without a password.
User can also login using own or group (Security Identifier):
Using SIDs will perform slightly faster than using name (since it will spare translation between SID and name which is otherwise done). SIDs are immune against user or group renaming.
On Windows, in addition to the usual authentication with a password, passwordless authentication is permitted when creating the root user during installation. This works in a similar manner to . However, since auth_gssapi, unlike unix_socket, requires client support, to avoid failures when MariaDB is used with third-party drivers, authentication on Windows first attempts password-based native_authentication, and only if it fails, falls back to passwordless auth_gssapi.
For clients that use the libmysqlclient or libraries, MariaDB provides one client authentication plugin that is compatible with the gssapi authentication plugin:
auth_gssapi_client
When connecting with a to a server as a user account that authenticates with the gssapi authentication plugin, you may need to tell the client where to find the relevant client authentication plugin by specifying the --plugin-dir option:
auth_gssapi_clientThe auth_gssapi_client client authentication plugin receives the principal name from the server, and then uses either the function (on Unix) or the function (on Windows) to establish a security context on the client.
supports gssapi authentication using the mentioned in the previous section.
supports gssapi authentication using the mentioned in the previous section.
supports gssapi authentication. Current documentation can be found .
does not yet support gssapi authentication. See for more information.
supports gssapi authentication.
The support is transparent. Normally, the connector only needs to be provided the correct user name, and no other parameters are required.
However, this connector also supports the connection string parameter, which can be used for mutual authentication.
When connecting from Unix client to Windows server with ADO.NET, in an Active Directory domain environment, be aware that .NET Core on Unix does not support principal names in UPN(User Principal Name) form, which is default on Windows (e.g machine$@domain.com) . Thus, upon encountering an authentication exception with "server not found in Kerberos database", use one of workarounds below
Force host-based SPN on server side.
For example, this can be done by setting the system variable to HOST/machine in a server in an .
Pass host-based SPN on client side.
gssapi_keytab_pathDescription: Defines the path to the server's keytab file.
This system variable is only meaningful on Unix.
See and for more information.
Command line: --gssapi-keytab-path
gssapi_principal_nameDescription: Name of the service principal.
See for more information.
Command line: --gssapi-principal-name
Scope: Global
gssapi_mech_nameDescription: Name of the SSPI package used by server. Can be either 'Kerberos' or 'Negotiate'. Set it to 'Kerberos', to prevent less secure NTLM in domain environments, but leave it as default (Negotiate) to allow non-domain environments (e.g if server does not run in a domain environment).
This system variable is only meaningful on Windows.
Command line: --gssapi-mech-name
gssapiDescription: Controls how the server should treat the plugin when the server starts up.
Valid values are:
OFF - Disables the plugin without removing it from the table.
This page is licensed: CC BY-SA / Gnu FDL
${PASSWORD} with the password for the service principal.HOST/machine.Scope: Global
Dynamic: No
Data Type: string
Default Value: ''
Introduced: MariaDB 10.1.11
Dynamic: No
Data Type: string
Default Value: ''
Introduced: MariaDB 10.1.11
Dynamic: No
Data Type: enumerated
Default Value: Negotiate
Valid Values: Kerberos, Negotiate
Introduced: MariaDB 10.1.11
ON - Enables the plugin. If the plugin cannot be initialized, then the server will still continue starting up, but the plugin will be disabled.FORCE - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error.
FORCE_PLUS_PERMANENT - Enables the plugin. If the plugin cannot be initialized, then the server will fail to start with an error. In addition, the plugin cannot be uninstalled with UNINSTALL SONAME or UNINSTALL PLUGIN while the server is running.
See Plugin Overview: Configuring Plugin Activation at Server Startup for more information.
Command line: --gssapi=value
Data Type: enumerated
Default Value: ON
Valid Values: OFF, ON, FORCE, FORCE_PLUS_PERMANENT
Introduced: MariaDB 10.1.11
sudo yum install MariaDB-gssapi-serversudo apt-get install mariadb-plugin-gssapi-serversudo zypper install MariaDB-gssapi-serverINSTALL SONAME 'auth_gssapi';[mariadb]
...
plugin_load_add = auth_gssapiUNINSTALL SONAME 'auth_gssapi';ktpass.exe /princ mariadb/${HOST}@${DOMAIN} /mapuser ${AD_USER} /pass ${PASSWORD} /out mariadb.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop setkadmin -q "addprinc -randkey mariadb/${HOST}"kadmin -q "ktadd -k /path/to/mariadb.keytab mariadb/${HOST}"[mariadb]
...
gssapi_keytab_path=/path/to/mariadb.keytab[mariadb]
...
gssapi_principal_name=service_principal_name/host.domain.com@REALMCREATE USER username@hostname IDENTIFIED VIA gssapi;GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA gssapi;CREATE USER username@hostname IDENTIFIED VIA gssapi USING 'username@EXAMPLE.COM';CREATE USER usr1@hostname IDENTIFIED VIA gssapi;CREATE USER root IDENTIFIED VIA gssapi AS 'GROUP:Administrators'
CREATE USER root IDENTIFIED VIA gssapi AS 'GROUP:BUILTIN\\Administrators'CREATE USER root IDENTIFIED VIA gssapi AS 'SID:S-1-5-32-544'mysql --plugin-dir=/usr/local/mysql/lib64/mysql/plugin --user=alice