[SERVER-13885] Kerberos Authentication on Windows from mongo client only works with FQDN
Created: 08/May/14 Updated: 16/Nov/21 Resolved: 14/Oct/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Shell |
| Affects Version/s: | 2.6.1 |
| Fix Version/s: | 3.2.0-rc0 |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | David McLennan | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | kerberos |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | Using the Mongo command line client supplied in the Windows enterprise build of 2.6.1, connect using Kerberos authentication without supplying a FQDN in the URL. |
| Sprint: | Security 8 08/28/15, Security 9 (09/18/15), Security A 10/09/15 |
| Participants: |
| Description |
|
When authenticating from a Windows 7 2.6.1 enterprise client to a MongoDB 2.4.9 enterprise instance using Kerberos, the connection will only succeed if the FQDN is used in the URL instead of the short host name. Clients on Linux seem unaffected by this problem.

Example 1 - Using FQDN in the URL and everything works;
C:\Apps\MongoDB\2.6.1\bin>mongo host10601.intranet.mydomain.com:27118/admin -

Example 2 - Using short name and get a GSSAPI error;
C:\Apps\MongoDB\2.6.1\bin>mongo host10601:27118/admin -authenticationDatabase=

Example 3 - DNS lookup of short name showing that FQDN is available;
Non-authoritative answer: |
| Comments |
| Comment by Spencer Jackson [ 15/Oct/15 ] |
|
I closed this ticket with the following commit:
The wrong ticket number was included in the commit name. |
| Comment by Spencer Jackson [ 14/Oct/15 ] |
|
This has added a new command to Windows copies of the shell. It should probably have a note for those who need to do this. |
| Comment by Eric Milkie [ 09/May/14 ] |
|
In the client, we could look up the name before calling InitializeSecurityContext, but I'm not sure what the security implications of doing that are. |
| Comment by David McLennan [ 08/May/14 ] |
|
Additional SPN data; C:\Apps\MongoDB\2.6.1\bin>setspn -l cn (sysmngdwps is the operating system account the MongoDB instance is running under). |