Comments - Is chaining UPNs via "authentication_options" when using the GSSAPI Plugin considered safe?

3 years, 5 months ago Vladislav Vaintroub

Hi Michael, I see, but again, given the first request was concerned about migration from Oracle Windows auth plugin, I assume the importance of Windows here is higher.

It is not that I mind having some AD option for Unixen, SID or not-SID, but it seems to be entering uncharted territory with unknown effort to be spent. See, for the most part, on Unixen this plugin currently is just plain GSSAPI, and apart from get_default_principal_name(), there are no krb5_ functions in there at all.

So, what it operates on in the Unix plugin is gss_cred_id_t cred, gss_ctx_id_t ctxt and gss_name_t client_name. Those are initialized whenever the handshake is finished.

I presume there is something in ctxt that can be extracted in some way, but I'm not really sure how :) And once it is extracted, I did not find any krb5_pac function that would allow iterating over SIDs. If it would require parsing like JAASLounge is doing it, this would be a larger effort. I did not find any OSS C++ code that can be reused; I'm sure SAMBA will be doing something like that, somewhere, but I'm not familiar with their code either.

If that is important, you can create a JIRA ticket asking for supporting AD SID on Unix, and we can discuss it there. Larger discussions on KB are rather seldom; JIRA can be a better place.
