Hi Darrell,

You used the correct syntax already.

ALTER USER `myuser`@`localhost` IDENTIFIED VIA gssapi USING 'SID:BA' OR gssapi USING 'GROUP:My Group';

How would you know that this is correct syntax? It did not fail when you tried it, and SHOW CREATE USER `myuser`@`localhost` shows what you expect.

Whatever authentication string mysql.user shows does not have to be 100% accurate, because mysql.user is a VIEW over the mysql.global_priv table; the real definition for the user is stored in a JSON column in mysql.global_priv.

The corresponding entry in mysql.global_priv could look something similar to

Host: localhost
User: myuser
Priv: {"access":0,"version_id":110006,"plugin":"gssapi","authentication_string":"GROUP:My Group","password_last_changed":1713198195,"auth_or":[{"plugin":"gssapi","authentication_string":"SID:BA"},{}]}

You see, there is an auth_or element in mysql.global_priv.Priv which is not reflected in the mysql.user view.

For performance reasons, in this case, it could make sense to avoid this OR, i.e. create a single AD/local group containing both groups; this would make authentication less “chatty”.

Regards

Wlad
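
The auth_or point from the reply above, as an added example that is not part of the original message and not MariaDB's own code: it reads Priv values exported from mysql.global_priv and lists every plugin/authentication_string pair an account accepts, flagging the ones the top-level fields do not show. The function names and the second sample row are made up here, and reading the empty {} element as the slot of the top-level pair is an assumption drawn from the sample entry.

```python
import json

# Constructed rows shaped like: SELECT Host, User, Priv FROM mysql.global_priv.
# The first Priv value is the one quoted in the reply; the second is made up.
SAMPLE_ROWS = [
    ("localhost", "myuser",
     '{"access":0,"version_id":110006,"plugin":"gssapi",'
     '"authentication_string":"GROUP:My Group","password_last_changed":1713198195,'
     '"auth_or":[{"plugin":"gssapi","authentication_string":"SID:BA"},{}]}'),
    ("localhost", "plainuser",
     '{"access":0,"plugin":"gssapi","authentication_string":"SID:BA"}'),
]


def _pair(obj):
    """Extract (plugin, authentication_string) from one JSON object."""
    return (obj.get("plugin", ""), obj.get("authentication_string", ""))


def auth_alternatives(priv_json):
    """Return every (plugin, authentication_string) pair accepted for one account."""
    priv = json.loads(priv_json)
    top = _pair(priv)
    alternatives = []
    for entry in priv.get("auth_or", []):
        # Assumption: an empty object marks the slot of the top-level pair.
        alternatives.append(_pair(entry) if entry else top)
    # No auth_or at all, or no empty slot in it: the top-level pair still applies.
    if top not in alternatives:
        alternatives.append(top)
    return alternatives


def hidden_from_view(rows):
    """Map (user, host) to the alternatives the top-level fields do not show."""
    report = {}
    for host, user, priv_json in rows:
        shown = _pair(json.loads(priv_json))
        hidden = [a for a in auth_alternatives(priv_json) if a != shown]
        if hidden:
            report[(user, host)] = hidden
    return report


if __name__ == "__main__":
    for account, hidden in hidden_from_view(SAMPLE_ROWS).items():
        print(account, "also accepts", hidden)
```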

From: darrel.fenstad--- via discuss
Sent: Monday, April 15, 2024 6:16 PM
To: discuss@lists.mariadb.org
Subject: [MariaDB discuss] Windows gssapi plug-in with multiple SIDs/Groups

I am using MariaDB 10.117 and gssapi plug-in to allow SID:BA as follows:

   "ALTER USER `myuser`@`localhost` IDENTIFIED VIA gssapi USING 'SID:BA';"

This works fine.

But I want to add an additional GROUP besides SID:BA. I have tried:

   "ALTER USER `myuser`@`localhost` IDENTIFIED VIA gssapi USING 'SID:BA' OR gssapi USING 'GROUP:My Group';"

However, when I look at mysql - View - user it shows the authentication_string as only GROUP:My Group.

I also tried:

   "ALTER USER `myuser`@`localhost` IDENTIFIED VIA gssapi USING 'SID:BA', 'GROUP:My Group';"

But that showed authentication_string in mysql - View - user as only SID:BA.

Is it possible to specify multiple SIDs and GROUPs and, if so, what is the syntax to do so?

Regards,

Darrel
