Core Server / SERVER-50633

Address use of client keytab by mongokerberos in --server mode

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.9.0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Steps To Reproduce:

      Run the tool in server mode without setting the KRB5_CLIENT_KTNAME environment variable. One should not expect this variable to be used while in server mode, but the tool will throw an error that says it can't find the desired service principal in the client keytab. This would be very confusing to a user.
    • Sprint: Security 2020-09-21, Security 2020-10-05, Security 2020-10-19, Security 2020-11-02
    • Description:

      mongokerberos makes some incorrect assumptions about how gss_acquire_cred is used. It will only use the client keytab. We sort of "trick" it by asking it to acquire a service credential even though that function is intended for use only by clients. We account for this in our JSTest by overriding the KRB5_CLIENT_KTNAME environment variable with the service's keytab, which works.

      We should consider three things when fixing this bug:
      1. Is manually overriding (setenv) the KRB5_CLIENT_KTNAME variable a good solution within the tool? The tool does not otherwise need to use this variable.
      2. What should we do about older releases of Kerberos that do not support client keytabs?
      3. What should we do, if anything, about potential warning/error messages from GSSAPI about client keytabs that may confuse users?
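
      An added illustration of the keytab-selection point above; this is not mongokerberos code and not part of the ticket. With MIT Kerberos, the keytab that gss_acquire_cred reads depends on the credential usage requested: GSS_C_ACCEPT (what a server should ask for) uses the default keytab named by KRB5_KTNAME, falling back to /etc/krb5.keytab, while GSS_C_INITIATE with no usable credential cache falls back to the client keytab named by KRB5_CLIENT_KTNAME. The script resolves which keytab a given mode consults, parses it (MIT 0x0502 format) and reports whether the service principal is present, so the misleading "not in the client keytab" failure can be reproduced next to the correct acceptor-keytab lookup. All keytab bytes, principal names, key material and paths are constructed for the example; the client-keytab fallback path is an assumed stand-in for MIT's compiled-in default, which contains the euid.

```python
"""Which keytab will GSSAPI consult for a mode, and is the service principal in it?

Added illustration, not mongokerberos code.  server mode = GSS_C_ACCEPT, which
reads KRB5_KTNAME (fallback /etc/krb5.keytab); client mode = GSS_C_INITIATE
from a keytab, which reads KRB5_CLIENT_KTNAME.  All keytab contents, principals
and paths are constructed for the example.
"""
import struct

# (environment variable consulted, fallback path).  The client fallback is an
# assumed stand-in: MIT's real compiled-in default embeds the euid.
KEYTAB_ENV = {
    "server": ("KRB5_KTNAME", "/etc/krb5.keytab"),
    "client": ("KRB5_CLIENT_KTNAME", "/var/kerberos/krb5/user/EUID/client.keytab"),
}


def _counted(data, pos):
    """Read a keytab counted-octet-string (uint16 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT 0x0502 keytab."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, ts, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                 # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Parse an MIT 0x0502 keytab into dicts with principal, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        key = data[p + 13:p + 13 + klen]
        p += 13 + klen
        kvno = vno8
        if end - p >= 4:                  # 32-bit vno present; 0 means "use vno8"
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def keytab_for_mode(mode, env):
    """Return (variable consulted, path) as MIT resolves it for this mode."""
    var, default = KEYTAB_ENV[mode]
    path = env.get(var, default)
    for prefix in ("WRFILE:", "FILE:"):  # krb5 accepts a keytab-type prefix
        if path.startswith(prefix):
            path = path[len(prefix):]
    return var, path


def check_service_principal(mode, principal, env, files):
    """Say whether `principal` is in the keytab that `mode` would consult.

    `files` maps paths to keytab bytes so the check runs with no filesystem;
    a real tool would open the resolved path instead.
    """
    var, path = keytab_for_mode(mode, env)
    data = files.get(path)
    if data is None:
        return False, "%s mode: keytab %s (from %s) does not exist" % (mode, path, var)
    present = sorted(e["principal"] for e in parse_keytab(data))
    if principal in present:
        return True, "%s mode: %s found in %s (from %s)" % (mode, principal, path, var)
    return False, "%s mode: %s not in %s (from %s); it holds %s" % (
        mode, principal, path, var, present)


if __name__ == "__main__":
    svc = "mongodb/db1.example.com@EXAMPLE.COM"
    files = {"/etc/krb5.keytab": build_keytab([(svc, 3, 18, b"\x11" * 32)]),
             "/tmp/client.keytab": build_keytab([("alice@EXAMPLE.COM", 1, 18, b"\x22" * 32)])}
    print(check_service_principal("server", svc, {}, files)[1])  # correct acceptor lookup
    print(check_service_principal("client", svc, {}, files)[1])  # the ticket's confusing path
    print(check_service_principal("client", svc, {"KRB5_CLIENT_KTNAME": "FILE:/tmp/client.keytab"}, files)[1])
```

      The first call is what server mode should do: the service principal is found in the acceptor keytab and KRB5_CLIENT_KTNAME is never consulted. The second and third calls show the two failure messages the ticket describes, a missing client keytab and a client keytab that holds only user principals; in both, the variable and path in the message make clear that the wrong keytab was searched.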

            Assignee:
            adam.cooper@mongodb.com Adam Cooper (Inactive)
            Reporter:
            adam.cooper@mongodb.com Adam Cooper (Inactive)
            Votes:
            0
            Watchers:
            2