Hi Pedro.

I'm glad the connections are going ok now.

Given that you confirmed the client (pbm-agent) did come from the IP address 127.0.0.1 (as is normal) then I can't think of something else to investigate. Except very broadly like version differences (I was testing on v4.2) and that's becoming distant from PBM itself.

> Thank you also for the tip regarding the user to be used for pbm CLI.

No worries. My pleasure.

Hi Akira,

I recreated the user (including the authenticationRestrictions) and it worked. I don't have a reasonable explanation for this: the difference was that this time I didn't copy paste the user creation from documentation and add it manually. I also confirm the user was created against admin database.

this is how user looks like currently:

Answering your question, I did the test previously and the logged failed authentication had 127.0.0.1 IP.

Thank you also for the tip regarding the user to be used for pbm CLI.

Ahah! My faith in MongoDB driver specifications has been rewarded.

So the extra authenticationRestrictions : [{clientSource: ["127.0.0.1"]}] was the reason. But the pbm-agent should be running on the same host to the mongod node it is attached to. There can be alternatives to using 127.0.0.1 as the localhost IP address, but that's rare in my experience.

If you look in the mongod log file and grep for NETWORK or ACCESS lines that have the substring "pbmAgent" in them can you tell what IP address it was, if it wasn't 127.0.0.1? They will be like below.

I'm just asking for curiosity. If you're happy with the workaround of removing the clientSource IP address restriction you're good to go.

Note for other readers who might find this ticket later: the pbm CLI can't share the same user if the user has this connecting IP address restriction. The pbm CLI will be connecting to a replicaset (as opposed to the pbm-agent processes that only connect their local mongod in standalone fashion), and maybe the primary isn't on the localhost.

hi Akira,

Thank you for your update and detailed information, really appreciate! I just found out that the issue was with my pbm user creation, specifically with the option that documentation recommends: authenticationRestrictions : [{clientSource: ["127.0.0.1"]}]. Without this option, the pbm agent is capable to authenticate without issues.

without authenticationRestrictions:

with authenticationRestrictions:

Hi .

Ah, I see, our documentation still said "If you MongoDB Authentication is enabled you specify --mongodb-user and .... etc." in one line in https://www.percona.com/doc/percona-backup-mongodb/running.html#running-pbm-agent. Sorry about that - we'll fix it. The intention is to only use the MongoDB connection string URI format from here.

Using the mongo shell to check the very same connection string was the right debug method. Strange that is still failing. pbm-agent (and the pbm CLI) both use the regular, official driver, just as the mongo shell does. Well, mongo shell uses the C++ driver, pbm uses the golang driver, but they absolutely should be following the same conventions as MongoDB have been diligent on that in my experience.

One idea: If the password is not "secretPassw0rd" as shown above but rather one with punctuation characters in your password (i.e. "/", ":", "@", or "%") that can trip up URI parsing. In that case encode those chars with percent encoding. E.g. "myPassw@rd" -> "myPassw%40rd". Or change the password to not use those punctuation characters.

I've been testing various connection strings to somehow see if I could catch an error, but I have been unable to reproduce.

Could you please confirm what version of the mongodb server you are using? I'm wondering if it < v3.4 for example.