Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2180

Kerberos on Windows should not pass username to SSPI when password is not set

XMLWordPrintableJSON

    • Needed
    • Hide

      All drivers should verify this behavior. It's likely that some drivers are already doing the right thing.

      Show
      All drivers should verify this behavior. It's likely that some drivers are already doing the right thing.
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      NODE-3982 Done kerberos-2.0.0
      CDRIVER-4291 Fixed 1.24.0, 1.23.6
      CXX-2451 Fixed 3.8.0
      CSHARP-4050 Done
      GODRIVER-2307 Backlog
      JAVA-4491 Works as Designed
      MOTOR-891 Won't Do
      PYTHON-3121 Won't Do
      PHPC-2070 Fixed 1.16.0
      RUBY-2906 Backlog
      RUST-1181 Won't Do
      SWIFT-1486 Won't Do
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion NODE-3982 Done kerberos-2.0.0 CDRIVER-4291 Fixed 1.24.0, 1.23.6 CXX-2451 Fixed 3.8.0 CSHARP-4050 Done GODRIVER-2307 Backlog JAVA-4491 Works as Designed MOTOR-891 Won't Do PYTHON-3121 Won't Do PHPC-2070 Fixed 1.16.0 RUBY-2906 Backlog RUST-1181 Won't Do SWIFT-1486 Won't Do

      Summary

      What is the problem or use case, what are we trying to achieve?

      Users are not able to connect using Kerberos on Windows when specifying only a username and no password. This is happening because the Node.js driver (and possibly/likely other drivers) differ from the behavior of the legacy shell in this regard, and we think that the legacy shell behavior is the preferable one. Specifically:

      If a username without a password is provided, the legacy shell passes that username to the server, but not to the Windows SSPI API, i.e. from SSPI it fetches the credentials of the current user regardless of the specified username. This was an intentional choice as part of SERVER-45050 (compare https://github.com/mongodb/mongo/blob/5bbadc66ed462aed3cc4f5635c5003da6171c25d/src/mongo/client/sasl_sspi.cpp#L182 and https://github.com/mongodb-js/kerberos/blob/b536f1a921985126bb462ae264f94f5a8319d00b/src/win32/kerberos_sspi.cc#L82).

      Motivation

      Who is the affected end user?

      Users of Kerberos authentication on Windows.

      How does this affect the end user?

      Users don't know why a connection string/set of options that works with the legacy shell does not work with drivers or mongosh.

      How likely is it that this problem or use case will occur?

      I imagine it's fairly common for the subset of users that use Kerberos on Windows.

      If the problem does occur, what are the consequences and how severe are they?

      They end up being stumped about being unable to connect.

      Is this issue urgent?

      Not particularly, but with mongosh fully replacing the legacy shell in the 6.0 server release, it would be good to have this resolved before then.

      Is this ticket required by a downstream team?

      This is split from MONGOSH-1059.

      Is this ticket only for tests?

      No.

            Assignee:
            jeff.yemin@mongodb.com Jeffrey Yemin
            Reporter:
            anna.henningsen@mongodb.com Anna Henningsen
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated: