  1. Core Server
  2. SERVER-50633

Address use of client keytab by mongokerberos in --server mode

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.9.0
    • Component/s: None
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Steps To Reproduce:
      Run the tool in server mode without setting the KRB5_CLIENT_KTNAME environment variable. One should not expect this variable to be used while in server mode, but the tool will throw an error that says it can't find the desired service principal in the client keytab. This would be very confusing to a user.
    • Sprint:
      Security 2020-09-21, Security 2020-10-05, Security 2020-10-19, Security 2020-11-02

      Description

      mongokerberos makes some incorrect assumptions about how gss_acquire_creds is used. It will only use the client keytab. We sort of "trick" it by asking it to acquire a service credential even though that function is intended for use only by clients. We account for this in our JSTest by overriding the KRB5_CLIENT_KTNAME environment variable with the service's keytab, which works.

      We should consider three things when fixing this bug:
      1. Is manually overriding (setenv) the KRB5_CLIENT_KTNAME variable a good solution within the tool? The tool does not otherwise need to use this variable.
      2. What should we do about older releases of Kerberos that do not support client keytabs?
      3. What should we do, if anything, about potential warning/error messages from GSSAPI about client keytabs that may confuse users?

            People

            Assignee:
            adam.cooper Adam Cooper (Inactive)
            Reporter:
            adam.cooper Adam Cooper (Inactive)