Core Server / SERVER-57184

mongokerberos --client --username does not accept valid UPN


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 6.0 Desired
    • Component/s: None
    • Labels: None
    • Sprint: Security 2021-09-06

      Description

      Problem Description

      mongokerberos --client --username does not accept full UPN

      Steps to Reproduce

      The following code was executed on macOS 11.3.1.

      User initialised via:

      kinit -kt ~/Downloads/muser.keytab muser@KRB5.MONGODB-FIELD.COM
      

      Confirmed creation of the TGT:

      klist
      Credentials cache: API:48287722-1FB8-4CF6-8B47-DD1CD8EBE907
              Principal: muser@KRB5.MONGODB-FIELD.COM
       
        Issued                Expires               Principal
      May 25 11:22:33 2021  May 25 21:22:33 2021  krbtgt/KRB5.MONGODB-FIELD.COM@KRB5.MONGODB-FIELD.COM
      

      Run the following:

      mongokerberos --client --username muser@KRB5.MONGODB-FIELD.COM --gssapiHostName mdbsvc.krb5.mongodb-field.com
      

      Expected Results

      Resolving kerberos environment...
      [OK] Kerberos environment resolved without errors.
       
      Verifying forward and reverse DNS resolution works with Kerberos service at mdbsvc.krb5.mongodb-field.com...
      Performing reverse DNS lookup of the following FQDNs:
      	* mdbsvc.krb5.mongodb-field.com
      [OK] DNS test successful.
       
      Getting MIT Kerberos KRB5 environment variables...
      	* KRB5CCNAME: not set.
      	* KRB5_CLIENT_KTNAME: not set.
      	* KRB5_CONFIG: not set.
      	* KRB5_KTNAME: not set.
      	* KRB5_TRACE: not set.
      [OK]
       
      Verifying existence of KRB5 client keytab <keytab doesn't exist>...
      [OK] Kerberos does not understand client keytabs, and user has not specified one.
       
      Checking principal(s) in KRB5 keytab...
      [OK] KRB5 keytab is valid.
       
      Fetching KRB5 Config...
      KRB5 config profile resolved as:
      [OK] KRB5 config profile resolved without errors.
       
      Attempting client half of GSSAPI conversation...
      [OK] Client half of GSSAPI conversation completed successfully.
      

      Actual Results

      Resolving kerberos environment...
      [OK] Kerberos environment resolved without errors.
       
      Verifying forward and reverse DNS resolution works with Kerberos service at mdbsvc.krb5.mongodb-field.com...
      Performing reverse DNS lookup of the following FQDNs:
      	* mdbsvc.krb5.mongodb-field.com
      [OK] DNS test successful.
       
      Getting MIT Kerberos KRB5 environment variables...
      	* KRB5CCNAME: not set.
      	* KRB5_CLIENT_KTNAME: not set.
      	* KRB5_CONFIG: not set.
      	* KRB5_KTNAME: not set.
      	* KRB5_TRACE: not set.
      [OK]
       
      Verifying existence of KRB5 client keytab <keytab doesn't exist>...
      [OK] Kerberos does not understand client keytabs, and user has not specified one.
       
      Checking principal(s) in KRB5 keytab...
      [FAIL] Neither client keytab nor credentials cache contains entry with user principal name for specified --user muser@KRB5.MONGODB-FIELD.COM.
      

      Additional Notes

      However, the following command produces the output in "Expected Results" (omitting "@KRB5.MONGODB-FIELD.COM" from the UPN):

      mongokerberos --client -u muser --gssapiHostName mdbsvc.krb5.mongodb-field.com
      
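The check the reporter expects, written out as an added example (not mongokerberos's own code): given the `--username` value and the `klist` output above, accept the user when the credentials cache's principal is the same user and a TGT for that realm is present, whether the name is supplied bare or as the full `name@REALM` UPN. The `klist` text is constructed from the report, and the matching rules (last `@` splits the realm, a bare name takes the cache's realm) are this example's own assumptions.

```python
"""Principal matching for the SERVER-57184 case.

Added example (not MongoDB's mongokerberos code): decide whether the
credentials cache shown by `klist` covers a given --username, accepting
both the bare name and the realm-qualified UPN from the report.
"""
import re
from typing import Optional, Set, Tuple

# klist output constructed from the report above, not captured live.
KLIST_OUTPUT = """\
Credentials cache: API:48287722-1FB8-4CF6-8B47-DD1CD8EBE907
        Principal: muser@KRB5.MONGODB-FIELD.COM

  Issued                Expires               Principal
May 25 11:22:33 2021  May 25 21:22:33 2021  krbtgt/KRB5.MONGODB-FIELD.COM@KRB5.MONGODB-FIELD.COM
"""

def split_principal(principal: str) -> Tuple[str, Optional[str]]:
    """Split 'name@REALM' on the last '@' (escaped '@' is not handled here)."""
    name, sep, realm = principal.rpartition("@")
    return (principal, None) if not sep else (name, realm)

def cache_principal(klist_output: str) -> Optional[str]:
    """The default principal of the credentials cache, or None."""
    m = re.search(r"^\s*Principal:\s*(\S+)", klist_output, re.MULTILINE)
    return m.group(1) if m else None

def tgt_realms(klist_output: str) -> Set[str]:
    """Realms for which the cache holds a ticket-granting ticket."""
    return set(re.findall(r"\bkrbtgt/[^@\s]+@(\S+)", klist_output))

def username_matches_cache(username: str, klist_output: str) -> Tuple[bool, str]:
    """Accept --username when the cache principal is the same user: a
    realm-qualified name must match the realm, a bare name takes the
    cache's realm, and a TGT for that realm must be present."""
    cached = cache_principal(klist_output)
    if cached is None:
        return False, "credentials cache has no principal"
    cname, crealm = split_principal(cached)
    uname, urealm = split_principal(username)
    if uname != cname:
        return False, "cache principal %s is not user %s" % (cached, uname)
    if urealm is not None and urealm != crealm:
        return False, "realm %s does not match cache realm %s" % (urealm, crealm)
    if crealm not in tgt_realms(klist_output):
        return False, "no TGT for realm %s in cache" % crealm
    return True, "%s matches cache principal %s" % (username, cached)

if __name__ == "__main__":
    for u in ("muser@KRB5.MONGODB-FIELD.COM", "muser", "muser@EXAMPLE.COM"):
        print(u, username_matches_cache(u, KLIST_OUTPUT))
```

With this rule both invocations from the report (`--username muser@KRB5.MONGODB-FIELD.COM` and `-u muser`) are accepted, while a different user or realm is still rejected.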

            People

            Assignee: backlog-server-security (Backlog - Security Team)
            Reporter: raymond.hu (Raymond Hu)
            Votes: 1
            Watchers: 2