Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2180

Kerberos on Windows should not pass username to SSPI when password is not set

    XMLWordPrintableJSON

Details

    • Needed
    • Hide

      All drivers should verify this behavior. It's likely that some drivers are already doing the right thing.

      Show
      All drivers should verify this behavior. It's likely that some drivers are already doing the right thing.

    Description

      Summary

      What is the problem or use case, what are we trying to achieve?

      Users are not able to connect using Kerberos on Windows when specifying only a username and no password. This is happening because the Node.js driver (and possibly/likely other drivers) differ from the behavior of the legacy shell in this regard, and we think that the legacy shell behavior is the preferable one. Specifically:

      If a username without a password is provided, the legacy shell passes that username to the server, but not to the Windows SSPI API, i.e. from SSPI it fetches the credentials of the current user regardless of the specified username. This was an intentional choice as part of SERVER-45050 (compare https://github.com/mongodb/mongo/blob/5bbadc66ed462aed3cc4f5635c5003da6171c25d/src/mongo/client/sasl_sspi.cpp#L182 and https://github.com/mongodb-js/kerberos/blob/b536f1a921985126bb462ae264f94f5a8319d00b/src/win32/kerberos_sspi.cc#L82).

      Motivation

      Who is the affected end user?

      Users of Kerberos authentication on Windows.

      How does this affect the end user?

      Users don't know why a connection string/set of options that works with the legacy shell does not work with drivers or mongosh.

      How likely is it that this problem or use case will occur?

      I imagine it's fairly common for the subset of users that use Kerberos on Windows.

      If the problem does occur, what are the consequences and how severe are they?

      They end up being stumped about being unable to connect.

      Is this issue urgent?

      Not particularly, but with mongosh fully replacing the legacy shell in the 6.0 server release, it would be good to have this resolved before then.

      Is this ticket required by a downstream team?

      This is split from MONGOSH-1059.

      Is this ticket only for tests?

      No.

      Attachments

        Issue Links

          related to

          Bug - A problem which impairs or prevents the functions of the product. SERVER-45050 Change Windows Kerberos client to use default credentials when no password is specified

          • Major - P3 - Major loss of function.
          • Closed
          split to

          Bug - A problem which impairs or prevents the functions of the product. CDRIVER-4291 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Backlog

          Bug - A problem which impairs or prevents the functions of the product. GODRIVER-2307 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Backlog

          Bug - A problem which impairs or prevents the functions of the product. RUBY-2906 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Backlog

          Bug - A problem which impairs or prevents the functions of the product. CXX-2451 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Blocked

          Bug - A problem which impairs or prevents the functions of the product. PHPC-2070 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Blocked

          Bug - A problem which impairs or prevents the functions of the product. CSHARP-4050 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MOTOR-891 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. NODE-3982 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. PYTHON-3121 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. RUST-1181 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. SWIFT-1486 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. JAVA-4491 Kerberos on Windows should not pass username to SSPI when password is not set

          • Major - P3 - Major loss of function.
          • Closed

          Activity

            People

              jeff.yemin@mongodb.com Jeffrey Yemin
              anna.henningsen@mongodb.com Anna Henningsen
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: