BugZero | MongoDB BugID 2129566 - "Attempt to switch user during SASL authentication...

MongoDB - Defect ID: 2129566

"Attempt to switch user during SASL authentication" error when cluster is configured for x509 membership auth

MongoDB - Defect ID: 2129566

"Attempt to switch user during SASL authentication" error when cluster is configured for x509 membership auth

Last updated on July 10th, 2023

BugZero Risk Score
6.0 Medium

Overall: 6.0

Severity: 6.4

Community: 5.5

Lifecycle: 9.1

What is the BugZero Risk Score?

MongoDB Integration

Learn more about where this data comes from

MongoDB Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Bug Details

Priority: Major - P3
Status: Closed

Description

Info

I'm able to easily reproduce the issue from SERVER-58591 on v6.0: {"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I", "c":"ACCESS", "id":5286202, "ctx":"conn24","msg":"Different user name was supplied to saslSupportedMechs","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"Attempt to switch database target during SASL authentication from __system@local to @$external"}}} {"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I", "c":"ACCESS", "id":20429, "ctx":"conn24","msg":"Successfully authenticated","attr":{"client":"127.0.0.1:34638","mechanism":"MONGODB-X509","user":"CN=*.domain.net,OU=mongodb,O=MongoDB,L=Sydney,ST=NSW,C=AU","db":"$external"}} I don't think there is anything wrong with the config as user connections are not required for the issue to manifest. This looks to be a benign issue as I don't see any functional problems with how the cluster is operating. But the fact that it is raised as an error is concerning the users.

Top User Comments

spencer.jackson@10gen.com commented on Tue, 25 Oct 2022 16:41:06 +0000: I just did some digging into SERVER-70242 and realized that these are probably the same issue. I'm going to close this ticket in favor of SERVER-70242, because that ticket has root cause and potential mitigations in its description.

Steps to Reproduce

1. Create cluster mlaunch init --replicaset --nodes 1 --sharded 1 --config 1 --csrs --tlsCAFile CA.pem --tlsMode preferTLS --tlsCertificateKeyFile server.pem --bind_ip_all --clusterAuthMode x509 --setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-1 2. Connect: mongo --tls --tlsCertificateKeyFile server.pem --tlsCAFile CA.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase '$external' 3. In my case mlaunch is failing to add shard. So need to run the following manually: sh.addShard("shard01/localhost:27018") 4. In the log of the shard process observe the error as in the description. User connections are not required

Change history

2025-03-21 Added: 5.0.8, 6.0.0

Links

Relevant Products

Click on a version to see all relevant bugs

Affected versions:5.0.8, 6.0.0

Fixed versions: No known fixed versions

Relevant Products

Click on a version to see all relevant bugs

Affected versions:5.0.8, 6.0.0

Fixed versions: No known fixed versions

Top MongoDB Defects by Risk Score

5.9Defect ID: 2956672
Some time-series tests implicitly rely on measurement insertion order for unordered inserts when checking bucket catalog stats
6.14Defect ID: 2965528
Remove push, publish_packages, and crypt_push tasks from Graviton 4 variants in v7.0 and v8.0
6.14Defect ID: 2947969
[SBE] Release storage engine resources when saveState() or restoreState() throws
5.68Defect ID: 2919474
StackLocator broken by v5 toolchain ASAN
5.88Defect ID: 2968769
Make new write path helper functions use acquireAndValidateBucketsCollection instead of acquireCollection

MongoDB Integration

Learn more about where this data comes from

MongoDB Integration

Learn more

Bug Scrub Advisor

Streamline upgrades with automated vendor bug scrubs

Bug Scrub Advisor

Learn more

BugZero Enterprise

Wish you caught this bug sooner? Get proactive today.

BugZero Enterprise

Learn more

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

MongoDB - Defect ID: 2129566

"Attempt to switch user during SASL authentication" error when cluster is configured for x509 membership auth

MongoDB - Defect ID: 2129566

"Attempt to switch user during SASL authentication" error when cluster is configured for x509 membership auth

Last updated on July 10th, 2023

BugZero Risk Score6.0 Medium

Bug Details

Info

Top User Comments

Steps to Reproduce

Links

Top MongoDB Defects by Risk Score

Ready to prevent the next vendor outage?

BugZero Risk Score
6.0 Medium