[GODRIVER-818] Go driver does not respect KRB5CCNAME environment variable Created: 08/Feb/19  Updated: 27/Oct/23  Resolved: 14/Feb/19

Status: Closed
Project: Go Driver
Component/s: Authentication
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Timothy Olsen (Inactive) Assignee: Jeffrey Yemin
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: krb_go_driver.go, krb_mgo.go, mongod.conf
Issue Links:
is related to GODRIVER-831 GSSAPI Authentication starts SASL con... (Closed)

Description

I am having trouble getting the Go driver to pay attention to the KRB5CCNAME environment variable for the location of the user's ticket cache:

tim@vbox-ubuntu14:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm$ KRB5CCNAME=/tmp/myticketcache kinit -kt atmtesting/assets/user.keytab ldapz_kerberos2@LDAPTEST.10GEN.CC
tim@vbox-ubuntu14:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm$ KRB5CCNAME=/tmp/myticketcache klist
Ticket cache: FILE:/tmp/myticketcache
Default principal: ldapz_kerberos2@LDAPTEST.10GEN.CC
 
Valid starting       Expires              Service principal
02/08/2019 16:04:36  02/09/2019 16:04:35  krbtgt/LDAPTEST.10GEN.CC@LDAPTEST.10GEN.CC
tim@vbox-ubuntu14:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm$ KRB5CCNAME=/tmp/myticketcache KRB5_TRACE=/dev/stdout go run -tags gssapi ~/tst/krb_go_driver.go
[18753] 1549659900.817085: Convert service mockservice (service with host as instance) on host localhost to principal
[18753] 1549659900.817903: Remote host after forward canonicalization: localhost
[18753] 1549659900.818481: Remote host after reverse DNS processing: localhost
[18753] 1549659900.818840: Got service principal mockservice/localhost@
[18753] 1549659900.819391: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.820009: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.820728: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.821306: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.821874: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.822325: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.822814: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.823263: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.877300: Convert service mockservice (service with host as instance) on host localhost to principal
[18753] 1549659900.877816: Remote host after forward canonicalization: localhost
[18753] 1549659900.878113: Remote host after reverse DNS processing: localhost
[18753] 1549659900.878198: Got service principal mockservice/localhost@
[18753] 1549659900.878726: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.879268: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.879893: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.880539: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.881150: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.881731: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.882152: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[18753] 1549659900.882648: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
panic: auth error: unable to authenticate using mechanism "GSSAPI": unable to negotiate with server: Success(589824,100001)
 
goroutine 1 [running]:
main.main()
	/home/tim/tst/krb_go_driver.go:39 +0x706
exit status 2
tim@vbox-ubuntu14:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm$ 

The Go driver is looking in /etc/krb5/user/1000/client.keytab instead of /tmp/myticketcache.

Attaching krb_go_driver.go and the mongod.conf for MongoDB
Comments
Comment by Jeffrey Yemin [ 14/Feb/19 ]

Turns out the environment variable was a red herring. Authentication fails with or without it. The root cause is actually GODRIVER-831.

Comment by Timothy Olsen (Inactive) [ 14/Feb/19 ]

Attached krb_mgo.go

Comment by Timothy Olsen (Inactive) [ 14/Feb/19 ]

The kerberos config file does not seem to make a difference. Whether I specify KRB5_CONFIG or not, the result is the same. Maybe kerberos is able to get everything it needs from the keytab file in order to get tickets.

First I get a ticket:

tim@vbox-ubuntu14:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm$ KRB5_CONFIG=FILE:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm/atmtesting/assets/krb5.conf KRB5CCNAME=FILE:/tmp/myticketcache KRB5_TRACE=/dev/stdout kinit -kt atmtesting/assets/user.keytab ldapz_kerberos2@LDAPTEST.10GEN.CC
[2055] 1550157954.578478: Getting initial credentials for ldapz_kerberos2@LDAPTEST.10GEN.CC
[2055] 1550157954.580241: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1
[2055] 1550157954.580636: Sending request (187 bytes) to LDAPTEST.10GEN.CC
[2055] 1550157954.581163: Resolving hostname ldaptest.10gen.cc
[2055] 1550157954.582964: Sending initial UDP request to dgram 54.225.237.121:88
[2055] 1550157954.591082: Received answer (743 bytes) from dgram 54.225.237.121:88
[2055] 1550157954.650103: Response was not from master KDC
[2055] 1550157954.650349: Processing preauth types: 19
[2055] 1550157954.650709: Selected etype info: etype aes256-cts, salt "", params ""
[2055] 1550157954.651184: Produced preauth for next request: (empty)
[2055] 1550157954.651686: Salt derived from principal: LDAPTEST.10GEN.CCldapz_kerberos2
[2055] 1550157954.652068: Getting AS key, salt "LDAPTEST.10GEN.CCldapz_kerberos2", params ""
[2055] 1550157954.653601: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:atmtesting/assets/user.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[2055] 1550157954.653732: AS key obtained from gak_fct: aes256-cts/3C41
[2055] 1550157954.654110: Decrypted AS reply; session key is: aes256-cts/6C0B
[2055] 1550157954.654366: FAST negotiation: available
[2055] 1550157954.654630: Initializing FILE:/tmp/myticketcache with default princ ldapz_kerberos2@LDAPTEST.10GEN.CC
[2055] 1550157954.655289: Removing ldapz_kerberos2@LDAPTEST.10GEN.CC -> krbtgt/LDAPTEST.10GEN.CC@LDAPTEST.10GEN.CC from FILE:/tmp/myticketcache
[2055] 1550157954.655507: Storing ldapz_kerberos2@LDAPTEST.10GEN.CC -> krbtgt/LDAPTEST.10GEN.CC@LDAPTEST.10GEN.CC in FILE:/tmp/myticketcache
[2055] 1550157954.655815: Storing config in FILE:/tmp/myticketcache for krbtgt/LDAPTEST.10GEN.CC@LDAPTEST.10GEN.CC: fast_avail: yes
[2055] 1550157954.656149: Removing ldapz_kerberos2@LDAPTEST.10GEN.CC -> krb5_ccache_conf_data/fast_avail/krbtgt\/LDAPTEST.10GEN.CC\@LDAPTEST.10GEN.CC@X-CACHECONF: from FILE:/tmp/myticketcache
[2055] 1550157954.656313: Storing ldapz_kerberos2@LDAPTEST.10GEN.CC -> krb5_ccache_conf_data/fast_avail/krbtgt\/LDAPTEST.10GEN.CC\@LDAPTEST.10GEN.CC@X-CACHECONF: in FILE:/tmp/myticketcache
tim@vbox-ubuntu14:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm$ KRB5_CONFIG=FILE:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm/atmtesting/assets/krb5.conf KRB5CCNAME=FILE:/tmp/myticketcache KRB5_TRACE=/dev/stdout klist
Ticket cache: FILE:/tmp/myticketcache
Default principal: ldapz_kerberos2@LDAPTEST.10GEN.CC
 
 
Valid starting       Expires              Service principal
02/14/2019 10:25:54  02/15/2019 10:25:54  krbtgt/LDAPTEST.10GEN.CC@LDAPTEST.10GEN.CC 

Then if I try to run the go driver program:

tim@vbox-ubuntu14:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm$ KRB5_CONFIG=FILE:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm/atmtesting/assets/krb5.conf KRB5CCNAME=FILE:/tmp/myticketcache KRB5_TRACE=/dev/stdout go run -tags gssapi ~/krb_go_driver.go
[2096] 1550158243.102521: Convert service mockservice (service with host as instance) on host localhost to principal
[2096] 1550158243.102701: Remote host after reverse DNS processing: localhost
[2096] 1550158243.103047: Got service principal mockservice/localhost@LDAPTEST.10GEN.CC
[2096] 1550158243.109431: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.114911: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.119955: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.125256: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.130231: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.134547: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.138796: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.147778: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.216677: Convert service mockservice (service with host as instance) on host localhost to principal
[2096] 1550158243.216858: Remote host after reverse DNS processing: localhost
[2096] 1550158243.217238: Got service principal mockservice/localhost@LDAPTEST.10GEN.CC
[2096] 1550158243.220474: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.224353: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.229439: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.234481: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.239599: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.243675: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.247414: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.252244: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
panic: auth error: unable to authenticate using mechanism "GSSAPI": unable to negotiate with server: Success(589824,100001)
 
goroutine 1 [running]:
main.main()
	/home/tim/krb_go_driver.go:39 +0x706
exit status 2
tim@vbox-ubuntu14:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm$ 

But mgo works:

tim@vbox-ubuntu14:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm$ KRB5_CONFIG=FILE:/media/sf_shared/mms-automation/go_planner/src/com.tengen/cm/atmtesting/assets/krb5.conf KRB5CCNAME=FILE:/tmp/myticketcache KRB5_TRACE=/dev/stdout KRB5_TRACE=/dev/stdout go run -tags sasl ~/tst/krb_mgo.go 
[2172] 1550158313.564424: Convert service mockservice (service with host as instance) on host localhost to principal
[2172] 1550158313.564595: Remote host after reverse DNS processing: localhost
[2172] 1550158313.564934: Got service principal mockservice/localhost@LDAPTEST.10GEN.CC
[2172] 1550158313.567154: ccselect module realm chose cache FILE:/tmp/myticketcache with client principal ldapz_kerberos2@LDAPTEST.10GEN.CC for server principal mockservice/localhost@LDAPTEST.10GEN.CC
[2172] 1550158313.567417: Getting credentials ldapz_kerberos2@LDAPTEST.10GEN.CC -> mockservice/localhost@LDAPTEST.10GEN.CC using ccache FILE:/tmp/myticketcache
[2172] 1550158313.567537: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC -> mockservice/localhost@LDAPTEST.10GEN.CC from FILE:/tmp/myticketcache with result: 0/Success
[2172] 1550158313.567972: Creating authenticator for ldapz_kerberos2@LDAPTEST.10GEN.CC -> mockservice/localhost@LDAPTEST.10GEN.CC, seqnum 94750000, subkey aes256-cts/7795, session key aes256-cts/CC8A
[2172] 1550158313.619323: Convert service mockservice (service with host as instance) on host localhost to principal
[2172] 1550158313.619333: Remote host after reverse DNS processing: localhost
[2172] 1550158313.619343: Got service principal mockservice/localhost@LDAPTEST.10GEN.CC
[2172] 1550158313.619382: Read AP-REP, time 1550158313.568051, subkey aes256-cts/2EF8, seqnum 304612762
Result: map[ok:1]

Whether I specify KRB5_CONFIG or not makes no difference. Prepending the KRB5_CONFIG with FILE:/ or not also makes no difference. Prepending KRB5CCNAME with FILE:/ or not makes no difference as well. Happy to post output from any of those combinations or anything else you can think of to try.

Attaching krb_mgo.go now.
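To compare the two traces mechanically rather than by eye, here is an added Go example (not part of the ticket, the Go driver or mgo) that scans KRB5_TRACE output for the markers that distinguish the two runs: libkrb5's ccselect choosing a ticket cache and an AP-REP being read, versus repeated failures to open a client keytab. The sample traces are constructed, abridged from the lines quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TraceSummary records which credential source a KRB5_TRACE session shows
// libkrb5 consulting while it builds the GSSAPI initiator context.
type TraceSummary struct {
	CCacheUsed   string   // ticket cache ccselect chose; empty if none was consulted
	KeytabMisses []string // client keytab paths libkrb5 tried to open and could not
	APRep        bool     // an AP-REP was read, so the exchange completed
}

var (
	reChoseCache = regexp.MustCompile(`chose cache (\S+) with client principal`)
	reKeytabMiss = regexp.MustCompile(`Key table file '([^']+)' not found`)
)

// Summarize scans one trace line by line for the three markers above.
func Summarize(trace string) TraceSummary {
	var s TraceSummary
	seen := map[string]bool{}
	for _, line := range strings.Split(trace, "\n") {
		if m := reChoseCache.FindStringSubmatch(line); m != nil {
			s.CCacheUsed = m[1]
		}
		if m := reKeytabMiss.FindStringSubmatch(line); m != nil && !seen[m[1]] {
			seen[m[1]] = true // the trace repeats the same miss many times
			s.KeytabMisses = append(s.KeytabMisses, m[1])
		}
		if strings.Contains(line, "Read AP-REP") {
			s.APRep = true
		}
	}
	return s
}

// Constructed samples, abridged from the two traces quoted above.
const goDriverTrace = `[2096] 1550158243.109431: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found
[2096] 1550158243.114911: Retrieving ldapz_kerberos2@LDAPTEST.10GEN.CC from FILE:/etc/krb5/user/1000/client.keytab (vno 0, enctype 0) with result: 2/Key table file '/etc/krb5/user/1000/client.keytab' not found`
const mgoTrace = `[2172] 1550158313.567154: ccselect module realm chose cache FILE:/tmp/myticketcache with client principal ldapz_kerberos2@LDAPTEST.10GEN.CC for server principal mockservice/localhost@LDAPTEST.10GEN.CC
[2172] 1550158313.619382: Read AP-REP, time 1550158313.568051, subkey aes256-cts/2EF8, seqnum 304612762`

func main() {
	fmt.Printf("go driver: %+v\n", Summarize(goDriverTrace))
	fmt.Printf("mgo:       %+v\n", Summarize(mgoTrace))
}
```

A run whose summary has an empty CCacheUsed and a non-empty KeytabMisses never consulted the ticket cache named by KRB5CCNAME at all, which is the pattern the Go driver trace shows.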

Comment by Jeffrey Yemin [ 13/Feb/19 ]

Hi Tim,

Been discussing this over Slack with craig.wilson@mongodb.com and spencer.jackson

The main difference is that the Go driver uses libkrb5 directly, whereas mgo uses Cyrus SASL (which uses libkrb5). Comparing our use of libkrb5 with Cyrus yields a lot of differences in how that library is used. We're trying to figure out the root cause.

spencer.jackson also asks two things:

1. Try with KRB5CCNAME=FILE:/tmp/myticketcache
2. Post your krb5.conf file

Comment by Timothy Olsen (Inactive) [ 08/Feb/19 ]

What is the file /etc/krb5/user/1000/client.keytab anyway? There's not even a /etc/krb5 directory on my machine. The default ticket cache for kinit is /tmp/krb5cc_1000
