[SERVER-11356] Authentication with Kerberos Crashes Mongod Created: 24/Oct/13  Updated: 11/Jul/16  Resolved: 01/Nov/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 2.5.3
Fix Version/s: 2.5.4

Type: Bug Priority: Critical - P2
Reporter: Craig Wilson Assignee: Eric Milkie
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File crashed server log.txt    
Issue Links:
Depends
Operating System: ALL
Steps To Reproduce:

KDC = Windows 2012AD
Mongod 2.5.3 running on Windows 2008R2/Windows 2012R2
Mongo shell 2.5.3 running on Windows 8.1 not joined to the domain

Participants:

 Description   

The SocketException seen below is indicating that mongod is no longer running, i.e. the process has exited. I have to go back and restart it after manually deleting the lock file.

C:\> mongo <server> -authenticationMechanism=GSSAPI -authenticationDatabase=$external -username <user>@<domain> -password <password>

MongoDB shell version: 2.5.3
connecting to: <server>/test
2013-10-24T13:12:35.072-0500 Socket recv() errno:10054 An existing connection was forcibly closed by the remote host. 23.96.25.195:27017
2013-10-24T13:12:35.094-0500 SocketException: remote: 23.96.25.195:27017 error:
9001 socket exception [RECV_ERROR] server [23.96.25.195:27017]
2013-10-24T13:12:35.111-0500 DBClientCursor::init call() failed
2013-10-24T13:12:35.124-0500 Error: 10276 DBClientBase::findN: transport error:
qa379-win2008R2.cloudapp.net:27017 ns: $external.$cmd query:

{ saslContinue: 1, payload: BinData, conversationId: 1 }

at src/mongo/shell/db.js:1175
exception: login failed



 Comments   
Comment by auto [ 01/Nov/13 ]

Author:

{u'username': u'milkie', u'name': u'Eric Milkie', u'email': u'milkie@10gen.com'}

Message: SERVER-11356 pass freeable pointers to Free, rather than a stack-allocated address
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/e69ea6b8f08b574c3b5e6dab78e7153c18666f63

Comment by Eric Milkie [ 30/Oct/13 ]

The problem is still there for builds coming from MCI. But when I build the same mongod.exe myself with VS2013, the code works fine.

Comment by auto [ 28/Oct/13 ]

Author:

{u'username': u'milkie', u'name': u'Eric Milkie', u'email': u'milkie@10gen.com'}

Message: SERVER-11356 fix DecryptMessage; avoid memory corruption
Branch: master
https://github.com/mongodb/mongo/commit/4b146301e61a7bf6dbb1c046a2a8698811f20fd3

Comment by Eric Milkie [ 28/Oct/13 ]

I believe this is now fixed. We should have a new build tonight and you can install the new MSI to verify.

Comment by auto [ 28/Oct/13 ]

Author:

{u'username': u'milkie', u'name': u'Eric Milkie', u'email': u'milkie@10gen.com'}

Message: SERVER-11356 fix DecryptMessage; avoid memory corruption
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/6a4304a9f8a551abe9466fafc6ce7b813c108fad

Comment by Eric Milkie [ 25/Oct/13 ]

In your reproduction instructions, what user are you logged in as? Is this something I can reproduce exactly?
I'm just having silly troubles trying to reproduce it using my login.

Comment by Craig Wilson [ 25/Oct/13 ]

I have also confirmed that this happens when using the .NET driver, so it's not necessarily an issue in the mongo shell.

Comment by Craig Wilson [ 24/Oct/13 ]

Deleted previous comment, it was incorrect and a config error on my part. This process dies when running interactively or as a windows service. Same logs. It only seems to happen when the credentials passed to the program are correct. As in, we get done, and then something happens. When using incorrect credentials, or starting mongod under the wrong account, we don't get far enough for this to happen.

Comment by Craig Wilson [ 24/Oct/13 ]

Yeah, I might not have everything setup correctly. Hit this when trying to verify that certain things were hooked up. Regardless, it shouldn't just exit the process.

Yes, let me attempt to run interactively and see what happens. I'll report back asap.

Comment by Eric Milkie [ 24/Oct/13 ]

Also can you try reproducing this by running mongod interactively rather than as a service? I wonder if there is an issue with exceptions and not logging properly when it's a service.

Comment by Eric Milkie [ 24/Oct/13 ]

I tried authenticating as qa379-user on qa379-win2008R2 itself, using AD0\milkie, but it tells me "the specified target is unknown or unreachable", which suggests that it can't find the KDC?

Generated at Thu Feb 08 03:25:34 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.