[SERVER-50633] Address use of client keytab by mongokerberos in --server mode
Created: 28/Aug/20  Updated: 29/Oct/23  Resolved: 23/Oct/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.9.0

Type: Bug
Priority: Major - P3
Reporter: Adam Cooper (Inactive)
Assignee: Adam Cooper (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Run the tool in server mode without setting the KRB5_CLIENT_KTNAME environment variable. One should not expect this variable to be used while in server mode, but the tool will throw an error that says it can't find the desired service principal in the client keytab. This would be very confusing to a user.

Sprint: Security 2020-09-21, Security 2020-10-05, Security 2020-10-19, Security 2020-11-02
Participants:

 Description   

mongokerberos makes some incorrect assumptions about how gss_acquire_creds is used. It will only use the client keytab. We sort of "trick" it by asking it to acquire a service credential even though that function is intended for use only by clients. We account for this in our JSTest by overriding the KRB5_CLIENT_KTNAME environment variable with the service's keytab, which works.

We should consider three things when fixing this bug:
1. Is manually overriding (setenv) the KRB5_CLIENT_KTNAME variable a good solution within the tool? The tool does not otherwise need to use this variable.
2. What should we do about older releases of Kerberos that do not support client keytabs?
3. What should we do, if anything, about potential warning/error messages from GSSAPI about client keytabs that may confuse users?
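
The workaround the description mentions for the JSTest (pointing KRB5_CLIENT_KTNAME at the service's keytab) can be wrapped so that an unreadable keytab produces a clear error before the tool runs. This is an added example, not code from the ticket or from MongoDB. The function names, the fallback order and the use of MIT krb5's default keytab path /etc/krb5.keytab are assumptions of the example.

```shell
#!/bin/sh
# Added example: choose the keytab that a `mongokerberos --server` run without
# the fix will read, and fail early with a clear message if it is unusable.

# Print the path of the keytab to use for server-mode validation.
# Precedence is this example's choice: an explicit KRB5_CLIENT_KTNAME wins,
# then the service keytab named by KRB5_KTNAME, then MIT krb5's default keytab.
resolve_server_keytab() {
    kt="${KRB5_CLIENT_KTNAME:-${KRB5_KTNAME:-/etc/krb5.keytab}}"
    kt="${kt#FILE:}"    # keytab names may carry a FILE: type prefix
    case "$kt" in
        *:*)
            # Any other TYPE: prefix (e.g. MEMORY:) is not a file we can check.
            echo "unsupported keytab type: $kt" >&2
            return 2
            ;;
    esac
    if [ ! -r "$kt" ]; then
        echo "service keytab not readable: $kt" >&2
        return 1
    fi
    printf '%s\n' "$kt"
}

# Run mongokerberos in server mode with the client keytab variable pointed at
# the service keytab. The assignment prefix scopes the override to this one
# command instead of changing the caller's environment.
run_mongokerberos_server() {
    kt="$(resolve_server_keytab)" || return $?
    KRB5_CLIENT_KTNAME="$kt" mongokerberos --server "$@"
}
```
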



 Comments   
Comment by Githook User [ 23/Oct/20 ]

Author:

{'name': 'Adam Cooper', 'email': 'adam.cooper@mongodb'}

Message: SERVER-50633 Address use of client keytab by mongokerberos in --server mode
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/c00f667d618314119afa7de6e9ab5342202b10a4
