Authentication Plugin - GSSAPI

MariaDB starting with 10.1.11

The gssapi authentication plugin was first released in MariaDB 10.1.11.

The gssapi authentication plugin allows the user to authenticate with services that use the Generic Security Services Application Program Interface (GSSAPI). Windows has a slightly different but very similar API called Security Support Provider Interface (SSPI).

On Windows, this authentication plugin supports Kerberos and NTLM authentication. Windows authentication is supported regardless of whether a domain is used in the environment.

On Unix systems, the most dominant GSSAPI service is Kerberos. However, it is less commonly used on Unix systems than it is on Windows. Regardless, this authentication plugin also supports Kerberos authentication on Unix.

This article gives instructions on configuring the GSSAPI authentication plugin for MariaDB for passwordless login.

Preparing the Server

Preparing a Windows Server

Usually nothing need to be done to prepare a server running Windows to use GSSAPI authentication. MariaDB server should run on a server that is joined to a domain, either as a NetworkService account (which is the default if it runs as service) or run under any other domain's account credentials.

Creating service principal is not required here (but you can still do it using the setspn tool)

Preparing a Unix Server

To use the plugin, some preparation needs to be done on the server-side on Unix. MariaDB server will need read access to the Kerberos keytab file. This contains the service's principal name for the MariaDB server.

If you are using Unix Kerberos KDC (MIT,Heimdal)

  • Create the service principal using kadmin tool
kadmin -q "addprinc -randkey mariadb/host.domain.com"

(replace host.domain.com with fully qualified DNS name for the server host)

  • Export the newly created user to the keytab file
kadmin -q "ktadd -k /path/to/mariadb.keytab mariadb/host.domain.com"

More details can be found here and here

If you are using Windows Active Directory KDC you may need to create keytab using ktpass.exe tool on Windows and map the principal user to an existing domain user, as follows:

ktpass.exe /princ mariadb/host.domain.com@DOMAIN.COM /mapuser someuser /pass MyPas$w0rd /out mariadb.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

and then transfer the keytab file to the Unix server. See Microsoft documentation for details.

Installing the Plugin's Package

The gssapi authentication plugin's shared library is included in MariaDB packages as the auth_gssapi.so or auth_gssapi.dll shared library on systems where it can be built. The plugin was first included in MariaDB 10.1.11.

Installing on Linux

The gssapi authentication plugin is included in binary tarballs on Linux.

Installing with a Package Manager

The gssapi authentication plugin can also be installed via a package manager on Linux. In order to do so, your system needs to be configured to install from one of the MariaDB repositories.

You can configure your package manager to install it from MariaDB Corporation's MariaDB Package Repository by using the MariaDB Package Repository setup script.

You can also configure your package manager to install it from MariaDB Foundation's MariaDB Repository by using the MariaDB Repository Configuration Tool.

Installing with yum/dnf

On RHEL, CentOS, Fedora, and other similar Linux distributions, it is highly recommended to install the relevant RPM package from MariaDB's repository using yum or dnf. Starting with RHEL 8 and Fedora 22, yum has been replaced by dnf, which is the next major version of yum. However, yum commands still work on many systems that use dnf. For example:

sudo yum install MariaDB-gssapi-server
Installing with apt-get

On Debian, Ubuntu, and other similar Linux distributions, it is highly recommended to install the relevant DEB package from MariaDB's repository using apt-get. For example:

sudo apt-get install mariadb-plugin-gssapi-server-10.3
Installing with zypper

On SLES, OpenSUSE, and other similar Linux distributions, it is highly recommended to install the relevant RPM package from MariaDB's repository using zypper. For example:

sudo zypper install MariaDB-gssapi-server

Installing on Windows

The gssapi authentication plugin is included in MSI and ZIP packages on Windows.

Installing the Plugin

Although the plugin's shared library is distributed with MariaDB by default, the plugin is not actually installed by MariaDB by default. There are two methods that can be used to install the plugin with MariaDB.

The first method can be used to install the plugin without restarting the server. You can install the plugin dynamically by executing INSTALL SONAME or INSTALL PLUGIN. For example:

INSTALL SONAME 'auth_gssapi';

The second method can be used to tell the server to load the plugin when it starts up. The plugin can be installed this way by providing the --plugin-load or the --plugin-load-add options. This can be specified as a command-line argument to mysqld or it can be specified in a relevant server option group in an option file. For example:

[mariadb]
...
plugin_load_add = auth_gssapi

Uninstalling the Plugin

You can uninstall the plugin dynamically by executing UNINSTALL SONAME or UNINSTALL PLUGIN. For example:

UNINSTALL SONAME 'auth_gssapi';

If you installed the plugin by providing the --plugin-load or the --plugin-load-add options in a relevant server option group in an option file, then those options should be removed to prevent the plugin from being loaded the next time the server is restarted.

Configuring the Plugin

Configuring the Plugin on Unix

Some additional things need to be configured in order to use the plugin on Unix systems.

First, set the gssapi_keytab_path option in the server's option file to the path of the previously created keytab file.

[mariadb]
...
gssapi_keytab_path=/path/to/mariadb.keytab

Next, if the service principal name differs from the default mariadb/host.domain.com@REALM, then configure an alternative principal name by setting the gssapi_principal_name option in the server's option file as well.

[mariadb]
...
gssapi_principal_name=alternative/principalname@REALM

Creating Users

To create a user account via CREATE USER, specify the name of the plugin in the IDENTIFIED VIA clause. For example:

CREATE USER username@hostname IDENTIFIED VIA gssapi;

If SQL_MODE does not have NO_AUTO_CREATE_USER set, then you can also create the user account via GRANT. For example:

GRANT SELECT ON db.* TO username@hostname IDENTIFIED VIA gssapi;

You can also specify the user's realm for MariaDB with the USING clause. For example:

CREATE USER username@hostname IDENTIFIED VIA gssapi USING 'username@EXAMPLE.COM';

The format of the realm depends on the specific authentication mechanism that is used. For example, the format would need to be machine\\username for Windows users authenticating with NTLM.

If the realm is not provided in the user account's definition, then the realm is not used for comparison. Therefore, 'usr1@EXAMPLE.COM', 'usr1@EXAMPLE.CO.UK' and 'mymachine\usr1' would all identify as the following user account:

CREATE USER usr1@hostname IDENTIFIED VIA gssapi;

Using the Plugin with Command-line Clients

When connecting with a command-line client to a server that uses GSSAPI authentication, you may need to tell the client where to find the client plugin by specifying the --plugin-dir option. For example:

mysql --plugin-dir=/path/to/plugin-dir -u usr1

Using the Plugin with MariaDB Connector/J

MariaDB Connector/J has supported GSSAPI authentication since version 1.4. Current documentation can be found here.

Using the Plugin with .NET

MySqlConnector driver supports GSSAPI authentication since version 0.47

The support is transparent, i.e normally no other parameters needs to be passed to the connector, except the correct user name.

This driver also support GSSAPI specific ServerSPN connection string parameter, for mutual authentication(see Connection String Options )

.NET specific problems/workarounds

When connecting from Unix client to Windows server with ADO.NET, in an Active Directory domain environment, be aware that .NET Core on Unix does not support principal names in UPN(User Principal Name) form, which is default on Windows (e.g machine$@domain.com) . Thus, upon encountering an authentication exception with "server not found in Kerberos database", use one of workarounds below

  • Force host-based SPN on server side (add gssapi-principal-name=HOST/machine to my.ini file)
  • Pass host-based SPN on client side ( i.e use ServerSPN=HOST/machine in the connection string)

Versions

VersionStatusIntroduced
1.0StableMariaDB 10.1.15
1.0BetaMariaDB 10.1.11

System Variables

gssapi_keytab_path

  • Description: Available on Unix only. Path to the server keytab file.
  • Commandline: --gssapi-keytab-path
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: ''
  • Introduced: MariaDB 10.1.11

gssapi_principal_name

  • Description: Name of the service principal.
  • Commandline: --gssapi-principal-name
  • Scope: Global
  • Dynamic: No
  • Data Type: string
  • Default Value: ''
  • Introduced: MariaDB 10.1.11

gssapi_mech_name

  • Description: Available on Windows only. Name of the SSPI package used by server. Can be either 'Kerberos' or 'Negotiate'. Set it to 'Kerberos', to prevent less secure NTLM in domain environments, but leave it as default (Negotiate) to allow non-domain environments (e.g if server does not run in a domain environment).
  • Commandline: --gssapi-mech-name
  • Scope: Global
  • Dynamic: No
  • Data Type: enumerated
  • Default Value: Negotiate
  • Valid Values: Kerberos, Negotiate
  • Introduced: MariaDB 10.1.11

Comments

Comments loading...