[SERVER-20387] Broken kerberos implementation in mongodump & mongorestore
Created: 27/Aug/15  Updated: 10/Sep/18  Resolved: 10/Sep/18

Status: Closed
Project: Core Server
Component/s: Security, Tools
Affects Version/s: 2.6.10
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Luke Prochazka
Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Windows

Issue Links:
Related
related to TOOLS-1278 Backport to v3.0 Closed
related to TOOLS-889 Enabling kerberos auth options crashe... Closed
is related to TOOLS-889 Enabling kerberos auth options crashe... Closed
Operating System: Windows
Participants:

 Description   

The mongodump & mongorestore tools do not completely support Kerberos auth. For example, when running with the following syntax, which omits the password field:

.\mongodump -u "user@DOMAIN.LOCAL" --authenticationDatabase '$external' --authenticationMechanism GSSAPI

This fails with the following error:

assertion: 17 SASL(-1): generic failure: SSPI: InitializeSecurityContext: The logon attempt failed

If the same command is run with the -p password parameter, the tools auth successfully.

This indicates that the underlying Kerberos configuration is functional, but the tools are unable to leverage the existing Kerberos ticket for auth purposes.



 Comments   
Comment by Sara Williamson [ 10/Sep/18 ]

The tools described in this ticket no longer exist and have been replaced by a new implementation. 

Comment by Gabriel Russell (Inactive) [ 10/Sep/15 ]

Which version of mongodump is this?
