Authentication with gssapi
Overview
The gssapi authentication plugin validates user credentials against a GSSAPI-based authentication service, like Kerberos or NTLM.
Install Package
The gssapi authentication plugin requires an additional package to be installed on Linux. On CentOS, RHEL, and Rocky Linux:
$ sudo yum install MariaDB-gssapi-server
On Debian and Ubuntu:
$ sudo apt install mariadb-plugin-gssapi-server
On SLES:
$ sudo zypper install MariaDB-gssapi-server
Configure
The gssapi authentication plugin requires some system variables to be configured, including:
- gssapi_keytab_path
- gssapi_principal_name
For example:
[mariadb]
...
gssapi_keytab_path=KEYTAB_PATH
gssapi_principal_name=PRINCIPAL_NAME
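One way to audit these two settings before starting the server, as an added example that is not part of the MariaDB documentation. The function names, the sample principal and the policy that the keytab must carry no group or other permission bits are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the gssapi settings of a MariaDB option file.
# Assumed policy: the keytab holds the service's long-term key, so only its
# owner (the account running the server) may have any access to it.

# cnf_get FILE KEY: print KEY's value from the [mariadb] group (last one wins).
cnf_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_grp = ($0 ~ /^[ \t]*\[mariadb\]/); next }
        !in_grp || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/-/, "_", k)   # keytab-path == keytab_path
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_gssapi FILE: return 0 only if both variables are set and the keytab
# exists with no group/other permission bits.
audit_gssapi() {
    keytab=$(cnf_get "$1" gssapi_keytab_path)
    principal=$(cnf_get "$1" gssapi_principal_name)
    rc=0
    [ -n "$principal" ] || { echo "FAIL: gssapi_principal_name is not set"; rc=1; }
    [ -n "$keytab" ] || { echo "FAIL: gssapi_keytab_path is not set"; return 1; }
    [ -f "$keytab" ] || { echo "FAIL: keytab $keytab not found"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ldL "$keytab" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "FAIL: $keytab mode allows group/other ($bits)"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: $keytab for $principal"
    return "$rc"
}

# Constructed sample input: a throwaway option file and an empty stand-in keytab.
demo() {
    d=$(mktemp -d)
    : > "$d/db.keytab"; chmod 640 "$d/db.keytab"
    printf '[mariadb]\ngssapi_keytab_path = %s\ngssapi_principal_name=mariadb/db.example.com@EXAMPLE.COM\n' \
        "$d/db.keytab" > "$d/my.cnf"
    audit_gssapi "$d/my.cnf" || true      # FAIL: group can read the keytab
    chmod 600 "$d/db.keytab"
    audit_gssapi "$d/my.cnf"              # OK
    rm -rf "$d"
}
demo
```

The check covers only the option file passed to it and the file mode. It does not verify keytab ownership or that the keytab actually contains the configured principal.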
Install Plugin
The gssapi authentication plugin must be installed before it can be used.
To install with the INSTALL SONAME statement:
INSTALL SONAME 'gssapi';
To install in a configuration file with the plugin_load_add option:
[mariadb]
...
plugin_load_add = auth_gssapi
Create User
To create a user account that uses the gssapi authentication plugin, specify the plugin in the CREATE USER statement:
CREATE USER 'USER'@'192.0.2.%' IDENTIFIED VIA gssapi;
An optional realm can be specified:
CREATE USER 'USER'@'192.0.2.%' IDENTIFIED VIA gssapi USING 'USER@DOMAIN';