When configuring a sharded cluster with authentication in localhost bypass mode, you have to add a shard before you add the first user on a database other than admin or config, or else you can't add a shard. While we are working on getting this documented, it still isn't intuitive.

It would be better to be able to add a user, or have a user database pre-populated with a clusterAdmin level user, prior to adding shards.

This is primarily an issue if the first user you plan to add is on the $external database, say because the user is to be authenticated via Kerberos of LDAP proxy.