Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-57184

mongokerberos --client --username does not accept valid UPN

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Unresolved
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • Labels:
      None
    • Server Security

      Problem Description

      mongokerberos --client --username does not accept full UPN

      Steps to Reproduce

      The following code where executed on MacOS 11.3.1

      User initialised via 

      kinit -kt ~/Downloads/muser.keytab muser@KRB5.MONGODB-FIELD.COM

      confirmed creation of TGT

      klist
Credentials cache: API:48287722-1FB8-4CF6-8B47-DD1CD8EBE907
        Principal: muser@KRB5.MONGODB-FIELD.COM

  Issued                Expires               Principal
May 25 11:22:33 2021  May 25 21:22:33 2021  krbtgt/KRB5.MONGODB-FIELD.COM@KRB5.MONGODB-FIELD.COM

      Run the following

      mongokerberos --client --username muser@KRB5.MONGODB-FIELD.COM --gssapiHostName mdbsvc.krb5.mongodb-field.com

      Expected Results

      Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.

Verifying forward and reverse DNS resolution works with Kerberos service at mdbsvc.krb5.mongodb-field.com...
Performing reverse DNS lookup of the following FQDNs:
	* mdbsvc.krb5.mongodb-field.com
[OK] DNS test successful.

Getting MIT Kerberos KRB5 environment variables...
	* KRB5CCNAME: not set.
	* KRB5_CLIENT_KTNAME: not set.
	* KRB5_CONFIG: not set.
	* KRB5_KTNAME: not set.
	* KRB5_TRACE: not set.
[OK]

Verifying existence of KRB5 client keytab <keytab doesn't exist>...
[OK] Kerberos does not understand client keytabs, and user has not specified one.

Checking principal(s) in KRB5 keytab...
[OK] KRB5 keytab is valid.

Fetching KRB5 Config...
KRB5 config profile resolved as:
[OK] KRB5 config profile resolved without errors.

Attempting client half of GSSAPI conversation...
[OK] Client half of GSSAPI conversation completed successfully.

      Actual Results

      Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.

Verifying forward and reverse DNS resolution works with Kerberos service at mdbsvc.krb5.mongodb-field.com...
Performing reverse DNS lookup of the following FQDNs:
	* mdbsvc.krb5.mongodb-field.com
[OK] DNS test successful.

Getting MIT Kerberos KRB5 environment variables...
	* KRB5CCNAME: not set.
	* KRB5_CLIENT_KTNAME: not set.
	* KRB5_CONFIG: not set.
	* KRB5_KTNAME: not set.
	* KRB5_TRACE: not set.
[OK]

Verifying existence of KRB5 client keytab <keytab doesn't exist>...
[OK] Kerberos does not understand client keytabs, and user has not specified one.

Checking principal(s) in KRB5 keytab...
[FAIL] Neither client keytab nor credentials cache contains entry with user principal name for specified --user muser@KRB5.MONGODB-FIELD.COM.

      Additional Notes

      However, the following command produces the output in "Expected Results" (omitting "@KRB5.MONGODB-FIELD.COM" from the UPN)

      mongokerberos --client -u muser --gssapiHostName mdbsvc.krb5.mongodb-field.com

            Assignee:
            backlog-server-security [DO NOT USE] Backlog - Security Team
            Reporter:
            raymond.hu@mongodb.com Raymond Hu
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: