Michael

Reputation: 9

Not able to connect to DB in php with mariadb gssapi, authentication method unknown to client

I am trying to auth users with GSSAPI using the MariaDB gssapi plugin in PHP on a local installation with XAMPP. I have set up XAMPP and a local installation which works. Now I want to connect to the DB by using the Windows LDAP user and GSSAPI authentication.

The problem was somehow discussed here, but without any results: GSSAPI-Auth with PHP to MariaDB (Windows)

The GSSAPI authentication for MariaDB seems to work. I created a user in phpMyAdmin with authentication method = gssapi. In the CLI I am able to connect, see picture below:

Successful mysql connect with domain user

Now, when trying to connect with

if (($dbcon=mysqli_connect("localhost","$mysql_userid","$password"))===FALSE) {
    exit("4:Login process failed while connecting to database");
    // Not reached: exit() above ends the script before this line runs.
    echo "Debug-Fehlermeldung: " . mysqli_connect_error() . PHP_EOL;
}else{
    $auth_result=TRUE;
}

I am getting the following error:

Warning: mysqli_connect(): The server requested authentication method unknown to the client [auth_gssapi_client] in C:\xampp\htdocs\oa5-maria\trunk\login.php on line 82

Warning: mysqli_connect(): (HY000/2054): The server requested authentication method unknown to the client in C:\xampp\htdocs\oa5-maria\trunk\login.php on line 82
4:Login process failed while connecting to database

I have set default-authentication-plugin=gssapi in the my.ini file, but I have no idea if this is the correct approach.

Do you have any suggestions to solve that problem?

This is my my.ini file:

# Example MySQL config file for small systems.
#
# This is for a system with little memory (<= 64M) where MySQL is only used
# from time to time and it's important that the mysqld daemon
# doesn't use much resources.
#
# You can copy this file to
# C:/xampp/mysql/bin/my.cnf to set global options,
# mysql-data-dir/my.cnf to set server-specific options (in this
# installation this directory is C:/xampp/mysql/data) or
# ~/.my.cnf to set user-specific options.
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.

# The following options will be passed to all MySQL clients
[client]
# password       = your_password 
port=3306
socket="C:/xampp/mysql/mysql.sock"


# Here follows entries for some specific programs 

# The MySQL server
default-character-set=utf8mb4
[mysqld]
port=3306
socket="C:/xampp/mysql/mysql.sock"
basedir="C:/xampp/mysql"
tmpdir="C:/xampp/tmp"
datadir="C:/xampp/mysql/data"
pid_file="mysql.pid"
# enable-named-pipe
key_buffer=16M
max_allowed_packet=200M
sort_buffer_size=512K
net_buffer_length=8K
read_buffer_size=256K
read_rnd_buffer_size=512K
myisam_sort_buffer_size=8M
log_error="mysql_error.log"
# new for authentication
default-authentication-plugin=gssapi

# Change here for bind listening
# bind-address="127.0.0.1" 
# bind-address = ::1          # for ipv6

# Where do all the plugins live
plugin_dir="C:/xampp/mysql/lib/plugin/"

# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
# 
# commented in by lampp security
#skip-networking
#skip-federated

# Replication Master Server (default)
# binary logging is required for replication
# log-bin deactivated by default since XAMPP 1.4.11
#log-bin=mysql-bin

# required unique id between 1 and 2^32 - 1
# defaults to 1 if master-host is not set
# but will not function as a master if omitted
server-id   =1

# Replication Slave (comment out master section to use this)
#
# To configure this host as a replication slave, you can choose between
# two methods :
#
# 1) Use the CHANGE MASTER TO command (fully described in our manual) -
#    the syntax is:
#
#    CHANGE MASTER TO MASTER_HOST=<host>, MASTER_PORT=<port>,
#    MASTER_USER=<user>, MASTER_PASSWORD=<password> ;
#
#    where you replace <host>, <user>, <password> by quoted strings and
#    <port> by the master's port number (3306 by default).
#
#    Example:
#
#    CHANGE MASTER TO MASTER_HOST='125.564.12.1', MASTER_PORT=3306,
#    MASTER_USER='joe', MASTER_PASSWORD='secret';
#
# OR
#
# 2) Set the variables below. However, in case you choose this method, then
#    start replication for the first time (even unsuccessfully, for example
#    if you mistyped the password in master-password and the slave fails to
#    connect), the slave will create a master.info file, and any later
#    change in this file to the variables' values below will be ignored and
#    overridden by the content of the master.info file, unless you shutdown
#    the slave server, delete master.info and restart the slaver server.
#    For that reason, you may want to leave the lines below untouched
#    (commented) and instead use CHANGE MASTER TO (see above)
#
# required unique id between 2 and 2^32 - 1
# (and different from the master)
# defaults to 2 if master-host is set
# but will not function as a slave if omitted
#server-id       = 2
#
# The replication master for this slave - required
#master-host     =   <hostname>
#
# The username the slave will use for authentication when connecting
# to the master - required
#master-user     =   <username>
#
# The password the slave will authenticate with when connecting to
# the master - required
#master-password =   <password>
#
# The port the master is listening on.
# optional - defaults to 3306
#master-port     =  <port>
#
# binary logging - not required for slaves, but recommended
#log-bin=mysql-bin


# Point the following paths to different dedicated disks
#tmpdir = "C:/xampp/tmp"
#log-update = /path-to-dedicated-directory/hostname

# Uncomment the following if you are using BDB tables
#bdb_cache_size = 4M
#bdb_max_lock = 10000

# Comment the following if you are using InnoDB tables
#skip-innodb
innodb_data_home_dir="C:/xampp/mysql/data"
innodb_data_file_path=ibdata1:10M:autoextend
innodb_log_group_home_dir="C:/xampp/mysql/data"
#innodb_log_arch_dir = "C:/xampp/mysql/data"
## You can set .._buffer_pool_size up to 50 - 80 %
## of RAM but beware of setting memory usage too high
innodb_buffer_pool_size=16M
## Set .._log_file_size to 25 % of buffer pool size
innodb_log_file_size=5M
innodb_log_buffer_size=8M
innodb_flush_log_at_trx_commit=1
innodb_lock_wait_timeout=50

## UTF 8 Settings
#init-connect=\'SET NAMES utf8\'
#collation_server=utf8_unicode_ci
#character_set_server=utf8
#skip-character-set-client-handshake
#character_sets-dir="C:/xampp/mysql/share/charsets"
sql_mode=NO_ZERO_IN_DATE,NO_ZERO_DATE,NO_ENGINE_SUBSTITUTION
log_bin_trust_function_creators=1

character-set-server=utf8mb4
collation-server=utf8mb4_general_ci
[mysqldump]
max_allowed_packet=16M

[mysql]
# Remove the next comment character if you are not familiar with SQL
#safe-updates

[isamchk]
key_buffer=20M
sort_buffer_size=20M
read_buffer=2M
write_buffer=2M

[myisamchk]
key_buffer=20M
sort_buffer_size=20M
read_buffer=2M
write_buffer=2M

[mysqlhotcopy]

lower_case_table_names=0

Upvotes: 1

Views: 3061

Answers (2)

DimMav

Reputation: 31

I have encountered the same error running on Windows 10 with PHP 8.2.1 and MariaDB 11.4.4 and there is an explanation. At least, this happened to me.

In the following example, I'm reproducing "PHP Fatal error: Uncaught mysqli_sql_exception: The server requested authentication method unknown to the client [auth_gssapi_client]". Of course you have to set the database values in order to represent a real database.

// Set the parameters for mysqli_connect().
$Host   = 'localhost';
$User   = 'my_database_user';
$Pass   = 'my_database_password';
$Name   = 'my_database_name';
$Port   = null;
$Socket = null;

// Make some checks...
// This will be the cause of the error.
if (empty($pass)) $Pass = NULL;

// Connect to the database.
// The error will be generated due to a NULL parameter.
$DB = mysqli_connect($Host, $User, $Pass, $Name, $Port, $Socket);
if (mysqli_connect_errno() != 0)
    die('mysqli_connect() error'); 
else
    echo("<p>Connected...</p>");

// Close the Connection.
mysqli_close($DB);

My example:

Before calling mysqli_connect() we make some checks on the parameters, like this:

if (empty($pass)) $Pass = NULL;

In this example, $pass is misspelled, so it is undefined, empty() returns true and $Pass will be set to NULL. If you call mysqli_connect($Host, $User, $Pass, $Name, $Port, $Socket), then $Pass is NULL and it returns the error we are discussing here. You can say it's a stupid mistake, but that's usually how it happens.

The explanation:

When mysqli_connect() receives NULL as the password, PHP gets the password saved in mysqli.default_pw. If this value is not set, mysqli_connect() returns the above error. This principle applies to all mysqli_connect() parameters, and in the php.ini file there are entries for them: mysqli.default_port, mysqli.default_socket, mysqli.default_host, mysqli.default_user. If you don't explicitly set a parameter to NULL, there's always a possibility of a non-existent value, or an invalid value, etc. Of course, don't try to set these values in php.ini in order to avoid the error. As stated in php.ini, it is a VERY BAD IDEA. Any PHP user can reveal the password with a command like this:

echo get_cfg_var("mysqli.default_pw");

Conclusion:

The best thing you can do is to double and triple check the values of all mysqli_connect() parameters, to see if there is something wrong with them.

Upvotes: 1

Georg Richter

Reputation: 7516

The difference between your client and PHP is that the client is linked against libmariadb (and is therefore able to load the auth_gssapi_plugin), while mysqli is either linked against libmysql or PHP's internal mysqlnd driver.

Besides Kerberos/GSSAPI, MariaDB also provides ed25519 and pam authentication (via dialog plugin), which are not supported by libmysql and mysqlnd.

Building ext/mysqli against MariaDB Connector/C unfortunately doesn't work and recent pull requests which fixed that problem were rejected.

Upvotes: 0
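
A diagnostic sketch for the two causes described in the answers above: a NULL parameter falling back to a php.ini default, and a mysqli client library that cannot load the GSSAPI plugin. This is an added example, not code from either answer; the function names and the sample parameters and message are constructed for illustration.

```php
<?php
// Added diagnostic example; function names are hypothetical, not a mysqli API.

// mysqlnd identifies itself as "mysqlnd <version>" in mysqli_get_client_info().
function mysqli_client_library(): string
{
    $info = mysqli_get_client_info();
    return strncmp($info, 'mysqlnd', 7) === 0 ? 'mysqlnd' : 'external (' . $info . ')';
}

// List connection parameters that are NULL and would therefore be taken
// from php.ini (mysqli.default_*). The ini values themselves are never printed.
function null_connect_params(array $params): array
{
    $iniKeys = [
        'host'     => 'mysqli.default_host',
        'user'     => 'mysqli.default_user',
        'password' => 'mysqli.default_pw',
        'port'     => 'mysqli.default_port',
        'socket'   => 'mysqli.default_socket',
    ];
    $findings = [];
    foreach ($iniKeys as $name => $ini) {
        if (!isset($params[$name])) {               // missing key or NULL
            $value = ini_get($ini);
            $state = ($value === false || $value === '') ? 'unset' : 'set';
            $findings[] = "$name is NULL, php.ini $ini is $state";
        }
    }
    return $findings;
}

// Pull the plugin name out of error 2054 as quoted in the question.
function requested_auth_plugin(int $errno, string $message): ?string
{
    if ($errno === 2054 && preg_match('/\[([A-Za-z0-9_]+)\]\s*$/', $message, $m)) {
        return $m[1];
    }
    return null;
}

// Constructed sample input mirroring the posts above.
$params = ['host' => 'localhost', 'user' => 'my_database_user',
           'password' => null, 'port' => null, 'socket' => null];
$msg = 'The server requested authentication method unknown to the client [auth_gssapi_client]';

echo 'client library: ', mysqli_client_library(), PHP_EOL;
echo implode(PHP_EOL, null_connect_params($params)), PHP_EOL;
echo 'server asked for plugin: ', requested_auth_plugin(2054, $msg) ?? 'n/a', PHP_EOL;
```

If the first line reports mysqlnd and the account is defined with the gssapi plugin, the parameter check will come back clean and the failure is the client-library limitation described in the last answer.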
