Bug 1514820 - mariadb/mysql: Plugin auth_gssapi_client could not be loaded: not a plugin
Summary: mariadb/mysql: Plugin auth_gssapi_client could not be loaded: not a plugin
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: mariadb
Version: 27
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Michal Schorm
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-11-18 18:13 UTC by Anthony Messina
Modified: 2018-01-29 20:10 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-01-29 20:10:19 UTC


Attachments (Terms of Use)

Description Anthony Messina 2017-11-18 18:13:01 UTC
After upgrading to F27, client side I am not longer able to use mariadb/mysql utilities to connect via GSSAPI.  The clients and servers are all running mariadb-10.2.9-3.fc27.x86_64.

The GSSAPI functionality was working well in F26 mariadb-10.1.26-2.fc26.x86_64 before upgrading.

No, on the client side, I get the following error:
Plugin auth_gssapi_client could not be loaded: not a plugin

The following plugins are available on the client and server:

$ ls -l /usr/lib64/mysql/plugin/
total 7392
-rwxr-xr-x. 1 root root   11456 Oct  5 18:22 adt_null.so
-rwxr-xr-x. 1 root root    7096 Oct  5 18:22 auth_0x0100.so
-rwxr-xr-x. 1 root root   71800 Oct  5 18:22 auth_ed25519.so
-rwxr-xr-x. 1 root root   11176 Oct  5 18:22 auth_gssapi_client.so
-rwxr-xr-x. 1 root root   15688 Oct  5 18:22 auth_gssapi.so
-rwxr-xr-x. 1 root root   11368 Oct  5 18:22 auth_pam.so
-rwxr-xr-x. 1 root root    7168 Oct  5 18:22 auth_socket.so
-rwxr-xr-x. 1 root root    7456 Oct  5 18:22 auth_test_plugin.so
-rwxr-xr-x. 1 root root   62432 Oct  5 18:22 client_ed25519.so
-rwxr-xr-x. 1 root root    7280 Oct  5 18:22 cracklib_password_check.so
-rw-r--r--. 1 root root     227 Sep 25 01:33 daemon_example.ini
-rwxr-xr-x. 1 root root    7280 Oct  5 18:22 debug_key_management.so
-rwxr-xr-x. 1 root root    7328 Oct  5 18:22 dialog_examples.so
-rwxr-xr-x. 1 root root   11152 Oct  5 18:22 dialog.so
-rwxr-xr-x. 1 root root   11472 Oct  5 18:22 example_key_management.so
-rwxr-xr-x. 1 root root   20032 Oct  5 18:22 file_key_management.so
-rwxr-xr-x. 1 root root   94920 Oct  5 18:22 ha_archive.so
-rwxr-xr-x. 1 root root   62008 Oct  5 18:22 ha_blackhole.so
-rwxr-xr-x. 1 root root   67624 Oct  5 18:22 ha_example.so
-rwxr-xr-x. 1 root root   90840 Oct  5 18:22 ha_federated.so
-rwxr-xr-x. 1 root root  127768 Oct  5 18:22 ha_federatedx.so
-rwxr-xr-x. 1 root root 3452128 Oct  5 18:22 ha_mroonga.so
-rwxr-xr-x. 1 root root  165896 Oct  5 18:22 handlersocket.so
-rwxr-xr-x. 1 root root  135944 Oct  5 18:22 ha_sphinx.so
-rwxr-xr-x. 1 root root  922680 Oct  5 18:22 ha_spider.so
-rwxr-xr-x. 1 root root   61944 Oct  5 18:22 ha_test_sql_discovery.so
-rwxr-xr-x. 1 root root 1762200 Oct  5 18:22 ha_tokudb.so
-rwxr-xr-x. 1 root root   11320 Oct  5 18:22 libdaemon_example.so
-rwxr-xr-x. 1 root root    7584 Oct  5 18:22 locales.so
-rwxr-xr-x. 1 root root   11616 Oct  5 18:22 metadata_lock_info.so                                                                                                                                                                           
-rwxr-xr-x. 1 root root   11808 Oct  5 18:22 mypluglib.so                                                                                                                                                                                    
-rwxr-xr-x. 1 root root    7016 Oct  5 18:22 mysql_clear_password.so                                                                                                                                                                         
-rwxr-xr-x. 1 root root    7008 Oct  5 18:22 qa_auth_client.so                                                                                                                                                                               
-rwxr-xr-x. 1 root root   11392 Oct  5 18:22 qa_auth_interface.so                                                                                                                                                                            
-rwxr-xr-x. 1 root root    7176 Oct  5 18:22 qa_auth_server.so                                                                                                                                                                               
-rwxr-xr-x. 1 root root   12280 Oct  5 18:22 query_cache_info.so                                                                                                                                                                             
-rwxr-xr-x. 1 root root   11936 Oct  5 18:22 query_response_time.so                                                                                                                                                                          
-rwxr-xr-x. 1 root root   67088 Oct  5 18:22 semisync_master.so                                                                                                                                                                              
-rwxr-xr-x. 1 root root   15824 Oct  5 18:22 semisync_slave.so                                                                                                                                                                               
-rwxr-xr-x. 1 root root   61016 Oct  5 18:22 server_audit.so                                                                                                                                                                                 
-rwxr-xr-x. 1 root root   11136 Oct  5 18:22 sha256_password.so                                                                                                                                                                              
-rwxr-xr-x. 1 root root   11616 Oct  5 18:22 simple_password_check.so                                                                                                                                                                        
-rwxr-xr-x. 1 root root   11752 Oct  5 18:22 sql_errlog.so                                                                                                                                                                                   
-rwxr-xr-x. 1 root root   12104 Oct  5 18:22 wsrep_info.so

Comment 1 Michal Schorm 2017-11-20 12:39:33 UTC
I'll take a look.

Currently, I'm preparing a big update to 10.2.10, which also change RPM layout and some plugins.

If you don't rely on MariaDB and if you could test it, I'll  be happy to know, if the issue persist there too.

Here is a link to the scratch build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=23121332
Note, that GSS server has its new standalone package "mariadb-gssapi-server"

Comment 2 Michal Schorm 2017-11-20 13:02:06 UTC
Btw in July, an update was made, which disabled gssapi and cracklib plugin by default. (just a loading line in config file commented out)


# Disable plugins
sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/auth_gssapi.cnf
sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/cracklib_password_check.cnf


Althought I think that won't be the solution for your issue, I want to point it out.

Comment 3 Anthony Messina 2017-11-21 00:50:45 UTC
Ok Michal, I'll try and give it a shot tomorrow evening.  I do have the auth_gssapi plugin loaded on the server.  It seems to be a client side issue related to the plugin:

2017-11-18  0:49:09 140242829139200 [Note] InnoDB: 5.7.19 started; log sequence number 3765594432
2017-11-18  0:49:09 140241646102272 [Note] InnoDB: Loading buffer pool(s) from /var/lib/mysql/ib_buffer_pool
2017-11-18  0:49:09 140242829139200 [Note] Plugin 'FEEDBACK' is disabled.
2017-11-18  0:49:09 140242829139200 [Note] mysqld: GSSAPI plugin : using principal name 'mariadb/db.example.com@EXAMPLE.COM'
2017-11-18  0:49:09 140241646102272 [Note] InnoDB: Buffer pool(s) load completed at 171118  0:49:09
2017-11-18  0:49:09 140242829139200 [Note] Server socket created on IP: '::'.
2017-11-18  0:49:09 140242829139200 [Note] Reading of all Master_info entries succeded
2017-11-18  0:49:09 140242829139200 [Note] Added new Master_info '' to hash table
2017-11-18  0:49:09 140242829139200 [Note] /usr/libexec/mysqld: ready for connections.
Version: '10.2.9-MariaDB'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MariaDB Server

Comment 4 Anthony Messina 2017-11-22 23:37:11 UTC
(In reply to Michal Schorm from comment #1)
> I'll take a look.
> 
> Currently, I'm preparing a big update to 10.2.10, which also change RPM
> layout and some plugins.
> 
> If you don't rely on MariaDB and if you could test it, I'll  be happy to
> know, if the issue persist there too.
> 
> Here is a link to the scratch build:
> https://koji.fedoraproject.org/koji/taskinfo?taskID=23121332
> Note, that GSS server has its new standalone package "mariadb-gssapi-server"

Hi Michael, I'm a little late getting to this.  The build above is for F28.  Do you have a scratch I can try for F27?

Comment 5 Michal Schorm 2017-11-23 00:17:21 UTC
I ordered one for just you! :)
https://koji.fedoraproject.org/koji/taskinfo?taskID=23308367

Comment 6 Anthony Messina 2017-11-23 01:20:35 UTC
(In reply to Michal Schorm from comment #5)
> I ordered one for just you! :)
> https://koji.fedoraproject.org/koji/taskinfo?taskID=23308367

Still getting this error on the client :(


$ mysql -u user -h db.example.com --plugin-dir=/usr/lib64/mariadb/plugin/ akonadi

ERROR 2059 (HY000): Plugin auth_gssapi_client could not be loaded: not a plugin

The server side registers the auth_gssapi plugin properly, but the client side doesn't work since the upgrade to F27.

~]# ls -l /usr/lib64/mariadb/plugin/
total 5248
-rwxr-xr-x. 1 root root   11656 Nov 22 18:06 adt_null.so
-rwxr-xr-x. 1 root root    7296 Nov 22 18:06 auth_0x0100.so
-rwxr-xr-x. 1 root root   72000 Nov 22 18:06 auth_ed25519.so
-rwxr-xr-x. 1 root root   11176 Nov 22 18:06 auth_gssapi_client.so
-rwxr-xr-x. 1 root root   15888 Nov 22 18:06 auth_gssapi.so
-rwxr-xr-x. 1 root root   11568 Nov 22 18:06 auth_pam.so
-rwxr-xr-x. 1 root root    7368 Nov 22 18:06 auth_socket.so
-rwxr-xr-x. 1 root root    7648 Nov 22 18:06 auth_test_plugin.so
-rwxr-xr-x. 1 root root   62624 Nov 22 18:06 client_ed25519.so
-rw-r--r--. 1 root root     227 Oct 30 03:10 daemon_example.ini
-rwxr-xr-x. 1 root root    7472 Nov 22 18:06 debug_key_management.so
-rwxr-xr-x. 1 root root    7536 Nov 22 18:06 dialog_examples.so
-rwxr-xr-x. 1 root root   11152 Nov 22 18:06 dialog.so
-rwxr-xr-x. 1 root root   11672 Nov 22 18:06 example_key_management.so
-rwxr-xr-x. 1 root root   20232 Nov 22 18:06 file_key_management.so
-rwxr-xr-x. 1 root root   67824 Nov 22 18:06 ha_example.so
-rwxr-xr-x. 1 root root   91032 Nov 22 18:06 ha_federated.so
-rwxr-xr-x. 1 root root 3452320 Nov 22 18:06 ha_mroonga.so
-rwxr-xr-x. 1 root root  166104 Nov 22 18:06 handlersocket.so
-rwxr-xr-x. 1 root root  926992 Nov 22 18:06 ha_spider.so
-rwxr-xr-x. 1 root root   62152 Nov 22 18:06 ha_test_sql_discovery.so
-rwxr-xr-x. 1 root root   11520 Nov 22 18:06 libdaemon_example.so
-rwxr-xr-x. 1 root root    7776 Nov 22 18:06 locales.so
-rwxr-xr-x. 1 root root   11816 Nov 22 18:06 metadata_lock_info.so
-rwxr-xr-x. 1 root root   12008 Nov 22 18:06 mypluglib.so
-rwxr-xr-x. 1 root root    7016 Nov 22 18:06 mysql_clear_password.so
-rwxr-xr-x. 1 root root    7200 Nov 22 18:06 qa_auth_client.so
-rwxr-xr-x. 1 root root   11592 Nov 22 18:06 qa_auth_interface.so
-rwxr-xr-x. 1 root root    7376 Nov 22 18:06 qa_auth_server.so
-rwxr-xr-x. 1 root root   12480 Nov 22 18:06 query_cache_info.so
-rwxr-xr-x. 1 root root   12136 Nov 22 18:06 query_response_time.so
-rwxr-xr-x. 1 root root   67288 Nov 22 18:06 semisync_master.so
-rwxr-xr-x. 1 root root   16024 Nov 22 18:06 semisync_slave.so
-rwxr-xr-x. 1 root root   61224 Nov 22 18:06 server_audit.so
-rwxr-xr-x. 1 root root   11144 Nov 22 18:06 sha256_password.so
-rwxr-xr-x. 1 root root   11816 Nov 22 18:06 simple_password_check.so
-rwxr-xr-x. 1 root root   11952 Nov 22 18:06 sql_errlog.so
-rwxr-xr-x. 1 root root   12296 Nov 22 18:06 wsrep_info.so

Comment 7 Anthony Messina 2017-11-23 01:34:46 UTC
The issue I see is https://jira.mariadb.org/browse/MDEV-11088, which appears to have been fixed upstream but not working in F27 builds.

Comment 8 Anthony Messina 2017-11-23 01:37:37 UTC
(In reply to Anthony Messina from comment #7)
> The issue I see is https://jira.mariadb.org/browse/MDEV-11088, which appears
> to have been fixed upstream but not working in F27 builds.

https://jira.mariadb.org/browse/MDEV-9321

Comment 9 Michal Schorm 2017-11-23 15:01:42 UTC
Yes, that looks like the issue.

I created (accidentally another) upstream issue tracker: https://jira.mariadb.org/browse/MDEV-14483

Comment 10 Michal Schorm 2017-11-24 03:11:52 UTC
Looking at the upstream fix, I'll probabbly wait until their next release.

However you seem like you really need it, so I'll make a build for you with the patch included.

Can you please test it, once finished?
https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737


Note
 - the build origins from latest branch content, which is 10.2.10 update
 - check Bodhi for more info:
   https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239

Comment 11 Anthony Messina 2017-11-24 21:36:05 UTC
(In reply to Michal Schorm from comment #10)
> Looking at the upstream fix, I'll probabbly wait until their next release.
> 
> However you seem like you really need it, so I'll make a build for you with
> the patch included.
> 
> Can you please test it, once finished?
> https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737
> 
> 
> Note
>  - the build origins from latest branch content, which is 10.2.10 update
>  - check Bodhi for more info:
>    https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239

It looks like Koji might have some trouble at the moment, so I'll need to try later.

https://koji.fedoraproject.org/koji/taskinfo?taskID=23328738 gives a 503 error.

When I download the koji packages, can I try just updating them on the client side (and leave my server at mariadb-10.2.9-3.fc27.x86_64?

Comment 12 Anthony Messina 2017-11-24 22:00:04 UTC
(In reply to Michal Schorm from comment #10)
> Looking at the upstream fix, I'll probabbly wait until their next release.
> 
> However you seem like you really need it, so I'll make a build for you with
> the patch included.
> 
> Can you please test it, once finished?
> https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737
> 
> 
> Note
>  - the build origins from latest branch content, which is 10.2.10 update
>  - check Bodhi for more info:
>    https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239

Michael, whatever fixes you included in the Koji build for the following worked--I am now able to use GSSAPI authentication from the client and I did not have to do anything different on the server which is still running mariadb-10.2.9-3.fc27.x86_64.

Thank you for your rapid investigation, response, and followup!

The following was used on the client:
dnf install \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-common-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-config-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-embedded-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-errmsg-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-libs-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-server-10.2.10-2.fc27.x86_64.rpm \
https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-server-utils-10.2.10-2.fc27.x86_64.rpm

Comment 13 Michal Schorm 2017-11-25 01:12:35 UTC
Glad to hear that.

I used this patch:
https://github.com/MariaDB/mariadb-connector-c/commit/85d150eec156275c6468b5de490a65b1e069007c

mentioned in this issue:
https://jira.mariadb.org/browse/MDEV-14483

Comment 14 Anthony Messina 2018-01-28 23:11:55 UTC
(In reply to Anthony Messina from comment #12)
> (In reply to Michal Schorm from comment #10)
> > Looking at the upstream fix, I'll probabbly wait until their next release.
> > 
> > However you seem like you really need it, so I'll make a build for you with
> > the patch included.
> > 
> > Can you please test it, once finished?
> > https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737
> > 
> > 
> > Note
> >  - the build origins from latest branch content, which is 10.2.10 update
> >  - check Bodhi for more info:
> >    https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239
> 
> Michael, whatever fixes you included in the Koji build for the following
> worked--I am now able to use GSSAPI authentication from the client and I did
> not have to do anything different on the server which is still running
> mariadb-10.2.9-3.fc27.x86_64.
> 
> Thank you for your rapid investigation, response, and followup!
> 
> The following was used on the client:
> dnf install \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-10.2.10-
> 2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-common-
> 10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-config-
> 10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-
> embedded-10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-errmsg-
> 10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-libs-10.
> 2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-server-
> 10.2.10-2.fc27.x86_64.rpm \
> https://kojipkgs.fedoraproject.org//work/tasks/8738/23328738/mariadb-server-
> utils-10.2.10-2.fc27.x86_64.rpm

Hi Michael.  Unfortunately after completing a fresh F27 install for a new machine, the upstream mariadb packages released to stable (https://bodhi.fedoraproject.org/updates/FEDORA-2017-7b83201239) don't seem to have this fix.  I didn't notice originally since the NVR was the same in your scratch build here:  https://koji.fedoraproject.org/koji/taskinfo?taskID=23328737

If I replace the freshly-installed auth_gssapi_client.so with the one from the scratch build, it works.

From the scratch build:
-rwxr-xr-x. 1 root root   11176 Nov 23 21:40 auth_gssapi_client.so


From the version released to stable:
-rwxr-xr-x. 1 root root   11176 Nov 23 10:23 auth_gssapi_client.so

Comment 15 Anthony Messina 2018-01-29 20:10:19 UTC
This is resolved with mariadb-10.2.12-5.fc27 https://bodhi.fedoraproject.org/updates/FEDORA-2018-66833616aa


Note You need to log in before you can comment on or make changes to this bug.