[COMPASS-4319] Compass-dev 1.22.0 (6804a345a5) can't auth using Kerberos on RHEL7 Created: 03/Jun/20  Updated: 29/Oct/23  Resolved: 25/Sep/20

Status: Closed
Project: Compass
Component/s: Compass, Connectivity
Affects Version/s: 1.21.2, 1.22.0
Fix Version/s: 1.23.0

Type: Bug Priority: Major - P3
Reporter: Andrey Brindeyev Assignee: Maurizio Casimirri
Resolution: Fixed Votes: 0
Labels: kerberos
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File 1-1.png     PNG File 1.png     PNG File 2.png     PNG File 3.png     PNG File 4.png     PNG File Screen Shot 2020-06-03 at 11.09.24 AM.png     PNG File Screen Shot 2020-06-03 at 11.18.48 AM.png     PNG File Screenshot 2020-09-15 at 16.57.30-1.png     PNG File Screenshot 2020-09-15 at 16.57.30.png     PNG File Screenshot 2020-09-15 at 16.57.52.png     PNG File Screenshot 2020-09-15 at 16.58.02.png     PNG File Screenshot 2020-09-15 at 16.58.17.png    
Issue Links:
Depends
depends on NODE-2731 CMAP Connection type does not provide... Closed
depends on NODE-2754 Publish new version of kerberos Closed
Problem/Incident
Related
Documentation Changes: Not Needed
Sprint: Iteration Huckleberry, Iteration Lime, Iteration Maracuja

 Description   

MongoDB Shell works under the same user:

$ KRB5_TRACE=/dev/stdout mongo --host rhel-73.acme.qa -u Administrator@ACME.QA --authenticationMechanism GSSAPI --authenticationDatabase '$external' --gssapiServiceName mongodbenterprise --eval 'db.runCommand({connectionStatus:1}).authInfo.authenticatedUsers[0]'
MongoDB shell version v4.2.6
connecting to: mongodb://rhel-73.acme.qa:27017/?authMechanism=GSSAPI&authSource=%24external&compressors=disabled&gssapiServiceName=mongodbenterprise
[20086] 1591207829.121207: ccselect module realm chose cache FILE:/tmp/krb5cc_1000 with client principal Administrator@ACME.QA for server principal mongodbenterprise/rhel-73.acme.qa@ACME.QA
[20086] 1591207829.121208: Getting credentials Administrator@ACME.QA -> mongodbenterprise/rhel-73.acme.qa@ACME.QA using ccache FILE:/tmp/krb5cc_1000
[20086] 1591207829.121209: Retrieving Administrator@ACME.QA -> mongodbenterprise/rhel-73.acme.qa@ACME.QA from FILE:/tmp/krb5cc_1000 with result: 0/Success
[20086] 1591207829.121211: Creating authenticator for Administrator@ACME.QA -> mongodbenterprise/rhel-73.acme.qa@ACME.QA, seqnum 372782601, subkey rc4-hmac/1834, session key rc4-hmac/8392
[20086] 1591207829.121212: Negotiating for enctypes in authenticator: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[20086] 1591207829.121217: Read AP-REP, time 1591207830.121213, subkey aes256-cts/5014, seqnum 201794735
Implicit session: session { "id" : UUID("4831e6be-d20c-486b-b36f-dfd7a1a457fc") }
MongoDB server version: 4.2.6
{ "user" : "Administrator@ACME.QA", "db" : "$external" }

MongoDB Compass fails using the same settings (see the attached screenshot).


Generated at Wed Feb 07 22:35:57 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.