Comments - Is chaining UPNs via "authentication_options" when using the GSSAPI Plugin considered safe?

3 years, 6 months ago Michael -O

Hi Vlad,

I was involved in the analysis for/with Johannes.

Although SIDs might be less natural for applications than group names, it is easy to figure out that a string is a SID.

Microsoft's approach is to test for 'S-' prefix.

Now on Unixen, groups could be handled as an ActiveDirectory specific extension, for boxes that join a Windows domain. The pure MIT Kerberos KDC has no groups and no LDAP, to my knowledge.

Correct. But I don't see a need to add any configure/compile time option for this. It could simply be a module option "use PAC groups" or similar. If the attribute name value is present, read it; otherwise fail the authnz.

This is something I'm a little less familiar with, and might need some more time.

I will happily support this and can provide plenty of PAC data privately if necessary.

SID-only option seems a little user-unfriendly.

There is no other option on Unix. Consider that this is not for users, but for admins. From my point of view, I see little difference because in our huge (and likely others') environment our groups are DOMAIN\cryptic-very-long-name vs. S-1-5-21-<group-sid>-<rid>. I treat them as opaque strings because I don't memorize the 100 groups I have anyway. See also here a justification why SIDs are better than names in large environments [1].

What one could do is to map SIDs to app specific friendly names like I do in Java [1], but that would require more code in MariaDB and I don't see a need for now.

[1] http://tomcatspnegoad.sourceforge.net/realms.html#Using_Security_Groups_from_Active_Directory.

 
3 years, 5 months ago Vladislav Vaintroub

Hi Michael-O and Johannes, I updated https://jira.mariadb.org/browse/MDEV-23959, group and SID support on Windows, with details. Feel free to discuss or comment in the JIRA ticket.

 
3 years, 5 months ago jo_ku_ Kunde

Hi Vlad, I just checked your updates in the JIRA ticket. I think the proposed solution covers my needs perfectly and will make the switch over to MariaDB possible. Also the suggested prefixes GROUP and SID make sense and implementing it that way would pull Unix users in as well. Thanks for your support!

 
3 years, 5 months ago Vladislav Vaintroub

Hi Michael, I see, but again, given the first request was concerned about migration from Oracle Windows auth plugin, I assume the importance of Windows here is higher.

It is not that I mind having some AD option for Unixen, SID or not-SID, but it seems to be entering uncharted territory with unknown effort to be spent. See, for the most part, on Unixen this plugin currently is just plain GSSAPI, and apart from get_default_principal_name(), there are not even any krb5_ functions in there.

So, what it operates on in the Unix plugin is gss_cred_id_t cred, gss_ctx_id_t ctxt and gss_name_t client_name. Those are initialized whenever the handshake is finished.

I presume there is something in ctxt that can be extracted in some way, but I'm not really sure how :) And once it is extracted, I did not find any krb5_pac function that would allow iterating over SIDs. If it would require parsing like JAASLounge is doing it, this would be a larger effort. I did not find any OSS C++ code that can be reused; I'm sure SAMBA will be doing something like that somewhere, but I'm unfamiliar with their code either.

If that is important, you can create a JIRA ticket asking for supporting AD SIDs on Unix, and we can discuss it there. Larger discussions on KB are rather seldom; JIRA can be a better place.
