I'll take a look.

Currently, I'm preparing a big update to 10.2.10, which also change RPM layout and some plugins.

If you don't rely on MariaDB and if you could test it, I'll  be happy to know, if the issue persist there too.

Here is a link to the scratch build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=23121332
Note, that GSS server has its new standalone package "mariadb-gssapi-server"

Btw in July, an update was made, which disabled gssapi and cracklib plugin by default. (just a loading line in config file commented out)


# Disable plugins
sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/auth_gssapi.cnf
sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/cracklib_password_check.cnf


Althought I think that won't be the solution for your issue, I want to point it out.

Ok Michal, I'll try and give it a shot tomorrow evening.  I do have the auth_gssapi plugin loaded on the server.  It seems to be a client side issue related to the plugin:

2017-11-18  0:49:09 140242829139200 [Note] InnoDB: 5.7.19 started; log sequence number 3765594432
2017-11-18  0:49:09 140241646102272 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2017-11-18  0:49:09 140242829139200 [Note] Plugin 'FEEDBACK' is disabled.
2017-11-18  0:49:09 140242829139200 [Note] mysqld: GSSAPI plugin : using principal name 'mariadb/db.example.com'
2017-11-18  0:49:09 140241646102272 [Note] InnoDB: Buffer pool(s) load completed at 171118  0:49:09
2017-11-18  0:49:09 140242829139200 [Note] Server socket created on IP: '::'.
2017-11-18  0:49:09 140242829139200 [Note] Reading of all Master_info entries succeded
2017-11-18  0:49:09 140242829139200 [Note] Added new Master_info '' to hash table
2017-11-18  0:49:09 140242829139200 [Note] /usr/libexec/mysqld: ready for connections.
Version: '10.2.9-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server

(In reply to Michal Schorm from comment #1)
> I'll take a look.
> 
> Currently, I'm preparing a big update to 10.2.10, which also change RPM
> layout and some plugins.
> 
> If you don't rely on MariaDB and if you could test it, I'll  be happy to
> know, if the issue persist there too.
> 
> Here is a link to the scratch build:
> https://koji.fedoraproject.org/koji/taskinfo?taskID=23121332
> Note, that GSS server has its new standalone package "mariadb-gssapi-server"

Hi Michael, I'm a little late getting to this.  The build above is for F28.  Do you have a scratch I can try for F27?

I ordered one for just you! :)
https://koji.fedoraproject.org/koji/taskinfo?taskID=23308367

(In reply to Michal Schorm from comment #5)
> I ordered one for just you! :)
> https://koji.fedoraproject.org/koji/taskinfo?taskID=23308367

Still getting this error on the client :(


$ mysql -u user -h db.example.com --plugin-dir=/usr/lib64/mariadb/plugin/ akonadi

ERROR 2059 (HY000): Plugin auth_gssapi_client could not be loaded: not a plugin

The server side registers the auth_gssapi plugin properly, but the client side doesn't work since the upgrade to F27.

~]# ls -l /usr/lib64/mariadb/plugin/
total 5248
-rwxr-xr-x. 1 root root   11656 Nov 22 18:06 adt_null.so
-rwxr-xr-x. 1 root root    7296 Nov 22 18:06 auth_0x0100.so
-rwxr-xr-x. 1 root root   72000 Nov 22 18:06 auth_ed25519.so
-rwxr-xr-x. 1 root root   11176 Nov 22 18:06 auth_gssapi_client.so
-rwxr-xr-x. 1 root root   15888 Nov 22 18:06 auth_gssapi.so
-rwxr-xr-x. 1 root root   11568 Nov 22 18:06 auth_pam.so
-rwxr-xr-x. 1 root root    7368 Nov 22 18:06 auth_socket.so
-rwxr-xr-x. 1 root root    7648 Nov 22 18:06 auth_test_plugin.so
-rwxr-xr-x. 1 root root   62624 Nov 22 18:06 client_ed25519.so
-rw-r--r--. 1 root root     227 Oct 30 03:10 daemon_example.ini
-rwxr-xr-x. 1 root root    7472 Nov 22 18:06 debug_key_management.so
-rwxr-xr-x. 1 root root    7536 Nov 22 18:06 dialog_examples.so
-rwxr-xr-x. 1 root root   11152 Nov 22 18:06 dialog.so
-rwxr-xr-x. 1 root root   11672 Nov 22 18:06 example_key_management.so
-rwxr-xr-x. 1 root root   20232 Nov 22 18:06 file_key_management.so
-rwxr-xr-x. 1 root root   67824 Nov 22 18:06 ha_example.so
-rwxr-xr-x. 1 root root   91032 Nov 22 18:06 ha_federated.so
-rwxr-xr-x. 1 root root 3452320 Nov 22 18:06 ha_mroonga.so
-rwxr-xr-x. 1 root root  166104 Nov 22 18:06 handlersocket.so
-rwxr-xr-x. 1 root root  926992 Nov 22 18:06 ha_spider.so
-rwxr-xr-x. 1 root root   62152 Nov 22 18:06 ha_test_sql_discovery.so
-rwxr-xr-x. 1 root root   11520 Nov 22 18:06 libdaemon_example.so
-rwxr-xr-x. 1 root root    7776 Nov 22 18:06 locales.so
-rwxr-xr-x. 1 root root   11816 Nov 22 18:06 metadata_lock_info.so
-rwxr-xr-x. 1 root root   12008 Nov 22 18:06 mypluglib.so
-rwxr-xr-x. 1 root root    7016 Nov 22 18:06 mysql_clear_password.so
-rwxr-xr-x. 1 root root    7200 Nov 22 18:06 qa_auth_client.so
-rwxr-xr-x. 1 root root   11592 Nov 22 18:06 qa_auth_interface.so
-rwxr-xr-x. 1 root root    7376 Nov 22 18:06 qa_auth_server.so
-rwxr-xr-x. 1 root root   12480 Nov 22 18:06 query_cache_info.so
-rwxr-xr-x. 1 root root   12136 Nov 22 18:06 query_response_time.so
-rwxr-xr-x. 1 root root   67288 Nov 22 18:06 semisync_master.so
-rwxr-xr-x. 1 root root   16024 Nov 22 18:06 semisync_slave.so
-rwxr-xr-x. 1 root root   61224 Nov 22 18:06 server_audit.so
-rwxr-xr-x. 1 root root   11144 Nov 22 18:06 sha256_password.so
-rwxr-xr-x. 1 root root   11816 Nov 22 18:06 simple_password_check.so
-rwxr-xr-x. 1 root root   11952 Nov 22 18:06 sql_errlog.so
-rwxr-xr-x. 1 root root   12296 Nov 22 18:06 wsrep_info.so

The issue I see is https://jira.mariadb.org/browse/MDEV-11088, which appears to have been fixed upstream but not working in F27 builds.

(In reply to Anthony Messina from comment #7)
> The issue I see is https://jira.mariadb.org/browse/MDEV-11088, which appears
> to have been fixed upstream but not working in F27 builds.

https://jira.mariadb.org/browse/MDEV-9321

Yes, that looks like the issue.

I created (accidentally another) upstream issue tracker: https://jira.mariadb.org/browse/MDEV-14483

Looking at the upstream fix, I'll probabbly wait until their next release.

However you seem like you really need it, so I'll make a build for you with the patch included.

Can you please test it, once finished?
https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737


Note
 - the build origins from latest branch content, which is 10.2.10 update
 - check Bodhi for more info:
   https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239

(In reply to Michal Schorm from comment #10)
> Looking at the upstream fix, I'll probabbly wait until their next release.
> 
> However you seem like you really need it, so I'll make a build for you with
> the patch included.
> 
> Can you please test it, once finished?
> https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737
> 
> 
> Note
>  - the build origins from latest branch content, which is 10.2.10 update
>  - check Bodhi for more info:
>    https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239

It looks like Koji might have some trouble at the moment, so I'll need to try later.

https://koji.fedoraproject.org/koji/taskinfo?taskID=23328738 gives a 503 error.

When I download the koji packages, can I try just updating them on the client side (and leave my server at mariadb-10.2.9-3.fc27.x86_64?

(In reply to Michal Schorm from comment #10)
> Looking at the upstream fix, I'll probabbly wait until their next release.
> 
> However you seem like you really need it, so I'll make a build for you with
> the patch included.
> 
> Can you please test it, once finished?
> https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737
> 
> 
> Note
>  - the build origins from latest branch content, which is 10.2.10 update
>  - check Bodhi for more info:
>    https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239

Michael, whatever fixes you included in the Koji build for the following worked--I am now able to use GSSAPI authentication from the client and I did not have to do anything different on the server which is still running mariadb-10.2.9-3.fc27.x86_64.

Thank you for your rapid investigation, response, and followup!

The following was used on the client:
dnf install \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-common-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-config-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-embedded-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-errmsg-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-libs-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-server-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-server-utils-10.2.10-2.fc27.x86_64.rpm

Glad to hear that.

I used this patch:
https://github.com/MariaDB/mariadb-connector-c/commit/85d150eec156275c6468b5de490a65b1e069007c

mentioned in this issue:
https://jira.mariadb.org/browse/MDEV-14483

(In reply to Anthony Messina from comment #12)
> (In reply to Michal Schorm from comment #10)
> > Looking at the upstream fix, I'll probabbly wait until their next release.
> > 
> > However you seem like you really need it, so I'll make a build for you with
> > the patch included.
> > 
> > Can you please test it, once finished?
> > https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737
> > 
> > 
> > Note
> >  - the build origins from latest branch content, which is 10.2.10 update
> >  - check Bodhi for more info:
> >    https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239
> 
> Michael, whatever fixes you included in the Koji build for the following
> worked--I am now able to use GSSAPI authentication from the client and I did
> not have to do anything different on the server which is still running
> mariadb-10.2.9-3.fc27.x86_64.
> 
> Thank you for your rapid investigation, response, and followup!
> 
> The following was used on the client:
> dnf install \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-10.2.10-
> 2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-common-
> 10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-config-
> 10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-
> embedded-10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-errmsg-
> 10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-libs-10.
> 2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-server-
> 10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-server-
> utils-10.2.10-2.fc27.x86_64.rpm

Hi Michael.  Unfortunately after completing a fresh F27 install for a new machine, the upstream mariadb packages released to stable (https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239) don't seem to have this fix.  I didn't notice originally since the NVR was the same in your scratch build here:  https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737

If I replace the freshly-installed auth_gssapi_client.so with the one from the scratch build, it works.

From the scratch build:
-rwxr-xr-x. 1 root root   11176 Nov 23 21:40 auth_gssapi_client.so


From the version released to stable:
-rwxr-xr-x. 1 root root   11176 Nov 23 10:23 auth_gssapi_client.so

This is resolved with mariadb-10.2.12-5.fc27 https://bodhi.fedoraproject.org/updates/FEDORA-2018-66833616aa