Comments - Authentication Plugin - GSSAPI

3 years, 8 months ago Brian R

Hi all

I hope someone who has made this work is willing to look through this and hopefully spot where I've done something wrong?

Steps so far:

Microsoft AD team create keytab file:

ktpass.exe /princ mariadb/hostname.do.main@DO.MAIN /mapuser SERVICEUSERNAME /pass WHATEVER /out mariadb_mariadbhostname.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapOp set

I receive, rename and place the keytab file on database server databasehostname, in /etc/krb5-databasehostname.keytab

I check that hostname responds with the FQDN: hostname -f returns databasehostname.do.main

I then change the /etc/mysql/my.cnf file to point to the same file; under the [mariadb] section, added:

plugin-load-add=auth_gssapi.so
gssapi_keytab_path = /etc/krb5-databasehostname.keytab
gssapi_principal_name = mariadb/hostname.do.main@DO.MAIN

I show contents of the same keytab file: klist -k /etc/krb5-databasehostname.keytab

KVNO Principal
   3 mariadb/hostname.do.main@DO.MAIN
   3 mariadb/hostname.do.main@DO.MAIN

I restart MariaDB: systemctl restart mariadb. Syslog states mysqld ready for connections, and the following:

[Note] mysqld: GSSAPI plugin : using principal name 'mariadb/mariadb/hostname.do.main@DO.MAIN'

I check setup in MariaDB: SHOW VARIABLES LIKE '%gssapi%';

Variable_name         | Value
----------------------|---------------------------------
gssapi_keytab_path    | /etc/krb5-databasehostname.keytab
gssapi_principal_name | mariadb/hostname.do.main@DO.MAIN

I create user in the same MariaDB 10.3.22 database:

GRANT ALL ON *.* TO 'myADname'@'localhost' IDENTIFIED WITH 'gssapi' USING 'myADname'@'DO.MAIN';
GRANT ALL ON *.* TO 'myADname'@'%' IDENTIFIED WITH 'gssapi' USING 'myADname'@'DO.MAIN';

Ensuring there's a Kerberos ticket/token: kinit, or also tried kinit myADuser. Both ask for my password, and klist shows I got a ticket:

Ticket cache: FILE:/tmp/krb5cc_xxxx_kq3sm1
Default principal: myADuser@DO.MAIN

Valid starting     Expires            Service principal
07/28/2020 12:55   07/28/2020 22:55   krbtgt/DO.MAIN@DO.MAIN
    renew until 08/04/2020 12:55
07/28/2020 13:09   07/28/2020 22:55   mariadb/hostname.do.main@DO.MAIN
    renew until 08/04/2020 12:55

I try to connect from local machine to local DB (but fails):

myADusername@hostname:$ mysql -umyADusername or mysql -umyADusername both bark this:

ERROR 1105 (HY000): Server GSSAPI error (major 851968, minor 2529638957) : gss_accept_sec_context - Unspecified GSS failure. Minor code may provide more information. No key table entry found for mariadb/hostname.do.main@DO.MAIN.

or I have also seen:

Access denied for user 'myADuser@DO.MAIN'@'localhost' (using password: No)

As far as I can see, I have done pretty much what is asked in the GSSAPI authentication guides I've found? I am lost in a dead end here, trying to figure out how to make GSSAPI/Kerberos login work into MariaDB. Can anyone shed some light on this for me, please :) ???
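An added check script (not from the post, and not MariaDB's own tooling) that cross-checks the service principal the plugin reports at startup against the keytab listing and the server's FQDN, which is where the values in a setup like the one above can drift apart. The klist output, syslog line and FQDN below are constructed from the placeholders used in the post; on a real server they would come from klist -k, the journal and hostname -f.

```shell
#!/bin/sh
# Constructed `klist -k` listing, mirroring the post (not real output).
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5-databasehostname.keytab
KVNO Principal
---- --------------------------------------------------
   3 mariadb/hostname.do.main@DO.MAIN
   3 mariadb/hostname.do.main@DO.MAIN'

# Constructed syslog line, as the auth_gssapi plugin prints it on startup.
LOG_LINE="[Note] mysqld: GSSAPI plugin : using principal name 'mariadb/mariadb/hostname.do.main@DO.MAIN'"

# Extract the principal the server actually chose from the log line.
logged_principal() {
    printf '%s\n' "$1" | sed -n "s/.*using principal name '\([^']*\)'.*/\1/p"
}

# Succeed if the given principal has at least one entry in the keytab listing.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '$2 == p { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Succeed if the host component of service/host@REALM equals the FQDN given.
principal_host_matches() {
    host=${1#*/}; host=${host%@*}
    [ "$host" = "$2" ]
}

# Report every mismatch for (log line, keytab listing, fqdn); succeed only if all pass.
check_gssapi_setup() {
    p=$(logged_principal "$1")
    rc=0
    if ! keytab_has_principal "$p" "$2"; then
        echo "server principal '$p' has no entry in the keytab"; rc=1
    fi
    if ! principal_host_matches "$p" "$3"; then
        echo "host part of '$p' does not match hostname -f ($3)"; rc=1
    fi
    return $rc
}

# Run the checks on the constructed sample; on a live server substitute real inputs.
if check_gssapi_setup "$LOG_LINE" "$KEYTAB_LISTING" "databasehostname.do.main"; then
    echo "GSSAPI principal, keytab and hostname agree"
else
    echo "GSSAPI setup mismatch, see reasons above"
fi
```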
