[SERVER-57184] mongokerberos --client --username does not accept valid UPN Created: 25/May/21  Updated: 23/Aug/23

Status: Backlog
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Raymond Hu Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Participants:

Description

Problem Description

mongokerberos --client --username does not accept full UPN

Steps to Reproduce

The following commands were executed on macOS 11.3.1.

User initialised via:

kinit -kt ~/Downloads/muser.keytab muser@KRB5.MONGODB-FIELD.COM

Confirmed creation of the TGT:

klist
Credentials cache: API:48287722-1FB8-4CF6-8B47-DD1CD8EBE907
        Principal: muser@KRB5.MONGODB-FIELD.COM
 
  Issued                Expires               Principal
May 25 11:22:33 2021  May 25 21:22:33 2021  krbtgt/KRB5.MONGODB-FIELD.COM@KRB5.MONGODB-FIELD.COM

Run the following:

mongokerberos --client --username muser@KRB5.MONGODB-FIELD.COM --gssapiHostName mdbsvc.krb5.mongodb-field.com

Expected Results

Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.
 
Verifying forward and reverse DNS resolution works with Kerberos service at mdbsvc.krb5.mongodb-field.com...
Performing reverse DNS lookup of the following FQDNs:
	* mdbsvc.krb5.mongodb-field.com
[OK] DNS test successful.
 
Getting MIT Kerberos KRB5 environment variables...
	* KRB5CCNAME: not set.
	* KRB5_CLIENT_KTNAME: not set.
	* KRB5_CONFIG: not set.
	* KRB5_KTNAME: not set.
	* KRB5_TRACE: not set.
[OK]
 
Verifying existence of KRB5 client keytab <keytab doesn't exist>...
[OK] Kerberos does not understand client keytabs, and user has not specified one.
 
Checking principal(s) in KRB5 keytab...
[OK] KRB5 keytab is valid.
 
Fetching KRB5 Config...
KRB5 config profile resolved as:
[OK] KRB5 config profile resolved without errors.
 
Attempting client half of GSSAPI conversation...
[OK] Client half of GSSAPI conversation completed successfully.

Actual Results

Resolving kerberos environment...
[OK] Kerberos environment resolved without errors.
 
Verifying forward and reverse DNS resolution works with Kerberos service at mdbsvc.krb5.mongodb-field.com...
Performing reverse DNS lookup of the following FQDNs:
	* mdbsvc.krb5.mongodb-field.com
[OK] DNS test successful.
 
Getting MIT Kerberos KRB5 environment variables...
	* KRB5CCNAME: not set.
	* KRB5_CLIENT_KTNAME: not set.
	* KRB5_CONFIG: not set.
	* KRB5_KTNAME: not set.
	* KRB5_TRACE: not set.
[OK]
 
Verifying existence of KRB5 client keytab <keytab doesn't exist>...
[OK] Kerberos does not understand client keytabs, and user has not specified one.
 
Checking principal(s) in KRB5 keytab...
[FAIL] Neither client keytab nor credentials cache contains entry with user principal name for specified --user muser@KRB5.MONGODB-FIELD.COM.

Additional Notes

However, the following command (omitting "@KRB5.MONGODB-FIELD.COM" from the UPN) produces the output shown in "Expected Results":

mongokerberos --client -u muser --gssapiHostName mdbsvc.krb5.mongodb-field.com
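An added illustration, not mongokerberos source code: the principal check that the [FAIL] line above reports, written as a matcher that normalises a bare user name and a full UPN to the same (user, realm) pair before comparing it with the credentials-cache principal parsed from the klist output in the reproduction. The default realm is passed in explicitly (a real client would read it from krb5.conf), and `naive_matches` is a hypothetical reconstruction of the observed behaviour, not the tool's actual code.

```python
"""Match a --username value against the default principal of a Kerberos
credentials cache. Constructed example; none of this is mongokerberos code."""
import re

# Constructed sample: the klist output from the ticket's reproduction.
KLIST_OUTPUT = """\
Credentials cache: API:48287722-1FB8-4CF6-8B47-DD1CD8EBE907
        Principal: muser@KRB5.MONGODB-FIELD.COM

  Issued                Expires               Principal
May 25 11:22:33 2021  May 25 21:22:33 2021  krbtgt/KRB5.MONGODB-FIELD.COM@KRB5.MONGODB-FIELD.COM
"""

# Assumed default realm; normally taken from [libdefaults] default_realm.
DEFAULT_REALM = "KRB5.MONGODB-FIELD.COM"


def ccache_principal(klist_text: str) -> str:
    """Return the cache's default principal (the 'Principal:' header line)."""
    m = re.search(r"^\s*Principal:\s*(\S+)\s*$", klist_text, re.MULTILINE)
    if not m:
        raise ValueError("no default principal found in klist output")
    return m.group(1)


def normalize(name: str, default_realm: str) -> tuple[str, str]:
    """Split 'user@REALM' on the last '@'; a bare name gets the default realm,
    which is what kinit itself assumes. Backslash-escaped '@' is not handled."""
    user, sep, realm = name.rpartition("@")
    if not sep:
        return name, default_realm
    return user, realm


def principal_matches(requested: str, cached: str, default_realm: str) -> bool:
    """Accept 'muser' and 'muser@KRB5.MONGODB-FIELD.COM' alike when the cache
    holds the latter. Realms are case-sensitive, so nothing is case-folded."""
    return normalize(requested, default_realm) == normalize(cached, default_realm)


def naive_matches(requested: str, cached: str) -> bool:
    """Hypothetical matcher that reproduces the ticket's symptom: comparing the
    raw --username against only the user part of the cached principal."""
    return requested == cached.rpartition("@")[0]


if __name__ == "__main__":
    cached = ccache_principal(KLIST_OUTPUT)
    for req in ("muser", "muser@KRB5.MONGODB-FIELD.COM"):
        status = "OK" if principal_matches(req, cached, DEFAULT_REALM) else "FAIL"
        print(f"[{status}] --username {req} vs cache principal {cached}")
```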


Generated at Thu Feb 08 05:41:11 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.