[SERVER-50633] Address use of client keytab by mongokerberos in --server mode

| Created: | 28/Aug/20 | Updated: | 29/Oct/23 | Resolved: | 23/Oct/20 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.9.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Adam Cooper (Inactive) | Assignee: | Adam Cooper (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | Run the tool in server mode without setting the KRB5_CLIENT_KTNAME environment variable. This variable should not be consulted in server mode, yet the tool reports an error saying it cannot find the requested service principal in the client keytab. This is very confusing to a user. |
| Sprint: | Security 2020-09-21, Security 2020-10-05, Security 2020-10-19, Security 2020-11-02 |
| Participants: | |
| Description |
mongokerberos makes some incorrect assumptions about how gss_acquire_cred is used: the call as made only ever consults the client keytab. We effectively "trick" it by asking it to acquire a service credential even though that function is intended for use only by clients. Our JSTest accounts for this by overriding the KRB5_CLIENT_KTNAME environment variable with the service's keytab, which works. We should consider three things when fixing this bug: |
| Comments |
| Comment by Githook User [ 23/Oct/20 ] |
Author: {'name': 'Adam Cooper', 'email': 'adam.cooper@mongodb'}
Message: |