Subject Re: [firebird-support] Falling at second hurdle ...
Author Mark Rotteveel
On 17-1-2019 22:11, Lester Caine lester@... [firebird-support]
wrote:
> On 17/01/2019 20:36, Mark Rotteveel mark@...
> [firebird-support] wrote:
>>> WHAT am I not reading here?
>> I'd suggest to explicitly specify the user manager plugin you want to
>> use instead of leaving it to the specific configuration (doing this will
>> also detect problems if an expected user manager is not installed or not
>> the first in the list).
>>
>> Eg, use
>> create user sysdba password '..' using plugin Legacy_UserManager;
> Statement failed, SQLSTATE = 23000
> add record error
> -violation of PRIMARY or UNIQUE KEY constraint "INTEG_2" on table
> "PLG$USERS"
> -Problematic key value is ("PLG$USER_NAME" = 'SYSDBA')

Ok, then we can be 100% sure that the Legacy_Auth SYSDBA exists.

>> Note: this requires that specified plugin is listed in the UserManager
>> config in firebird.conf.
> WireCrypt = Disabled
> AuthServer = Legacy_Auth, Srp, WinSspi
> AuthClient = Legacy_Auth, Srp, Win_Sspi
> UserManager = Legacy_UserManager
>
>> Also, what is the output of `select SEC$USER_NAME, SEC$PLUGIN from
>> SEC$USERS`?
> Got two users currently
> SYSDBA Legacy_UserManager
> LSCES Legacy_UserManager
>
> AH ... strip the unused modes ...
> AuthServer = Legacy_Auth
> AuthClient = Legacy_Auth
> And I can access it from Flamerobin on the development machine.

This suggests that the client used by FlameRobin used the order Srp,
Legacy_Auth. There were several bugs in the early Firebird 3 releases
related to authentication, which may have been involved as well.

Checking the tracker, I think your problem is/was CORE-5485. I thought
that was fixed, but it is still open because Alex disagrees with my
assessment that any authentication related failure should continue with
the next plugin until all plugins have been tried. I probably had mixed
it up with the similar CORE-5225 which is fixed.

> But PHP gives
> fbird_connect(): Incompatible wire encryption levels requested on client
> and server
> That is PHP on the same machine as FB3

That suggests this client used a config with WireCrypt = Required (which
isn't supported by Legacy_Auth and which you explicitly disabled on the
server), or maybe there was a client bug that isn't listed in the
tracker (but I don't think so).

In any case, glad to hear you fixed it by upgrading.

However, given all your methods of connecting seem to support Srp, why do
you insist on using Legacy_Auth? (out of curiosity)

Mark
--
Mark Rotteveel
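
The following is an added example, not part of either poster's message or of Firebird itself: a small Python check that compares a server and a client firebird.conf for the two failure modes discussed above (no shared authentication plugin, and incompatible WireCrypt levels). The default values, the finding names and the client config are assumptions made for the illustration; the server settings are the ones quoted in the thread.

```python
import re

# Assumed Firebird 3 defaults for keys missing from firebird.conf.
SERVER_DEFAULTS = {"WireCrypt": "Required", "AuthServer": "Srp"}
CLIENT_DEFAULTS = {"WireCrypt": "Enabled", "AuthClient": "Srp, Win_Sspi, Legacy_Auth"}

# Server settings as quoted in the thread after the unused plugins were stripped.
SERVER_CONF = """
WireCrypt = Disabled
AuthServer = Legacy_Auth
UserManager = Legacy_UserManager
"""
# Constructed client config matching the hypothesis in the reply.
CLIENT_CONF = "WireCrypt = Required\n"


def parse_conf(text):
    """Parse 'Key = value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*)", line.split("#", 1)[0])
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def plugins(value):
    """Split a plugin list on commas, semicolons or whitespace."""
    return [p for p in re.split(r"[,;\s]+", value) if p]


def check(server_text, client_text):
    """Return (plugins both sides offer, in client order; list of findings)."""
    s = {**SERVER_DEFAULTS, **parse_conf(server_text)}
    c = {**CLIENT_DEFAULTS, **parse_conf(client_text)}
    levels = {s["WireCrypt"].lower(), c["WireCrypt"].lower()}
    offered = {p.lower() for p in plugins(s["AuthServer"])}
    common = [p for p in plugins(c["AuthClient"]) if p.lower() in offered]
    findings = []
    if levels == {"disabled", "required"}:
        findings.append("wirecrypt-mismatch")  # one side refuses, the other insists
    if not common:
        findings.append("no-common-auth-plugin")
    elif "required" in levels and all(p.lower() == "legacy_auth" for p in common):
        findings.append("legacy-auth-cannot-encrypt")  # Legacy_Auth cannot satisfy Required
    return common, findings


if __name__ == "__main__":
    print(check(SERVER_CONF, CLIENT_CONF))
```

With the thread's server settings, a client left at the assumed defaults (WireCrypt = Enabled) produces no findings, while a client forcing Required reports the mismatch.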