tiberius icon indicating copy to clipboard operation
tiberius copied to clipboard
verified publisher icon prisma

Fix GSSAPI Kerberos Authentication in Debug Mode

Open greenlonk opened this issue 1 year ago • 2 comments

Problem

When using AuthMethod::IntegratedSecurity on Windows, the library behaves just as you would expect. However, when I tried to run my code on a Linux machine with proper Kerberos authentication set up, I would always get the following panic message when run in debug mode (cargo run --debug):

thread 'tokio-runtime-worker' panicked at library\core\src\panicking.rs:220:5:
unsafe precondition(s) violated: slice::from_raw_parts requires the pointer to be aligned and non-null, and the total size of the slice not to exceed `isize::MAX`

Solution

Due to changes in the standard library (see https://stackoverflow.com/a/78504630 ), it is possible for debug assertions in core and std to panic: These assertions now fire when compiled in debug mode, even if the precompiled standard library was compiled in release mode. This caused a panic when I tried to connect using AuthMethod::IntegratedSecurity on Linux when run in debug mode, but not in release mode.

After updating the dependency for libgssapi to the latest version from 0.4.5 to 0.8.1 (and making small adjustments in src/client/connection.rs to reflect the changes with proper initialization), this issue got fixed.

greenlonk avatar Dec 20 '24 12:12 greenlonk

Is there anything that I can do to help to get this moved into review and through the process?

The project which I am working on needs to utilize integrated security on a Linux host, and I can confirm that building with this fix in prisma/prisma-engines and enabling the feature integrated-auth-gssapi for Unix enables this functionality for Prisma.

For context, in prisma-engines, I am able to build custom query and schema engines to use in the Prisma ORM by adding this locally:

[target.'cfg(any(target_os = "unix"))'.dependencies.tiberius]
path = "../../tiberius" <--NOTE: Changed for the local build/testing
optional = false
default-features = true
features = [
  "integrated-auth-gssapi"
]

This is critical for my current team because connecting to SQL Server via Integrated Security is a requirement from the Center for Internet Security for their Level 1 Hardened SQL Server benchmark.

NOTE: 8.2 is the newest current version of the libgssapi library, which is what I tested against.

Please let me know any way that I can help.

robbynshaw avatar Feb 06 '25 22:02 robbynshaw

@robbynshaw Thank you for confirming the issue. I just happened to find this fix by accident while tinkering with some data pipeline stuff in Rust. Honestly, I do not know if this project is even maintained anymore. Maybe it would be wise to reach out to Prisma directly?

greenlonk avatar Feb 15 '25 19:02 greenlonk

We are also facing this roadblock, it is not ideal not being able to use debug mode. Is this project dead?

polsevev avatar Jul 29 '25 11:07 polsevev

Thank you!

robbynshaw avatar Sep 17 '25 18:09 robbynshaw