Details
Bug
Resolution: Unresolved
Major - P3
Server Security
Description
Problem Description
mongokerberos --client --username does not accept full UPN
Steps to Reproduce
The following code was executed on macOS 11.3.1.
User initialised via:
kinit -kt ~/Downloads/muser.keytab muser@KRB5.MONGODB-FIELD.COM
Confirmed creation of TGT:
klist
Credentials cache: API:48287722-1FB8-4CF6-8B47-DD1CD8EBE907
Principal: muser@KRB5.MONGODB-FIELD.COM

Issued Expires Principal
May 25 11:22:33 2021 May 25 21:22:33 2021 krbtgt/KRB5.MONGODB-FIELD.COM@KRB5.MONGODB-FIELD.COM
Run the following:
mongokerberos --client --username muser@KRB5.MONGODB-FIELD.COM --gssapiHostName mdbsvc.krb5.mongodb-field.com
Expected Results
Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.

Verifying forward and reverse DNS resolution works with Kerberos service at mdbsvc.krb5.mongodb-field.com...
Performing reverse DNS lookup of the following FQDNs:
* mdbsvc.krb5.mongodb-field.com
[OK] DNS test successful.

Getting MIT Kerberos KRB5 environment variables...
* KRB5CCNAME: not set.
* KRB5_CLIENT_KTNAME: not set.
* KRB5_CONFIG: not set.
* KRB5_KTNAME: not set.
* KRB5_TRACE: not set.
[OK]

Verifying existence of KRB5 client keytab <keytab doesn't exist>...
[OK] Kerberos does not understand client keytabs, and user has not specified one.

Checking principal(s) in KRB5 keytab...
[OK] KRB5 keytab is valid.

Fetching KRB5 Config...
KRB5 config profile resolved as:
[OK] KRB5 config profile resolved without errors.

Attempting client half of GSSAPI conversation...
[OK] Client half of GSSAPI conversation completed successfully.
Actual Results
Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.

Verifying forward and reverse DNS resolution works with Kerberos service at mdbsvc.krb5.mongodb-field.com...
Performing reverse DNS lookup of the following FQDNs:
* mdbsvc.krb5.mongodb-field.com
[OK] DNS test successful.

Getting MIT Kerberos KRB5 environment variables...
* KRB5CCNAME: not set.
* KRB5_CLIENT_KTNAME: not set.
* KRB5_CONFIG: not set.
* KRB5_KTNAME: not set.
* KRB5_TRACE: not set.
[OK]

Verifying existence of KRB5 client keytab <keytab doesn't exist>...
[OK] Kerberos does not understand client keytabs, and user has not specified one.

Checking principal(s) in KRB5 keytab...
[FAIL] Neither client keytab nor credentials cache contains entry with user principal name for specified --user muser@KRB5.MONGODB-FIELD.COM.
Additional Notes
However, the following command produces the output in "Expected Results" (omitting "@KRB5.MONGODB-FIELD.COM" from the UPN):
mongokerberos --client -u muser --gssapiHostName mdbsvc.krb5.mongodb-field.com