
Java driver does not canonicalize server name for Kerberos automatically


Details

    • Type: Task
    • Resolution: Done
    • Priority: Critical - P2
    • ecosystem

    Description

      According to javadocs:

      /**
       * Creates a MongoCredential instance for the GSSAPI SASL mechanism.  To override the default service name of {@code "mongodb"},
       * add a mechanism property with the name {@code "SERVICE_NAME"}. To force canonicalization of the host name prior to authentication,
       * add a mechanism property with the name {@code "CANONICALIZE_HOST_NAME"} with the value{@code true}.
       *
       * @param userName the user name
       * @return the credential
       * @see #withMechanismProperty(String, Object)
       *
       * @mongodb.server.release 2.4
       */
      

      We should outline this in docs, as it's a great source of confusion on the client side. If the Kerberos service principal is using a canonicalized instance name, and the Java driver uses an IP, then without the CANONICALIZE_HOST_NAME property you will get a "Server not found in Kerberos database (7) - UNKNOWN_SERVER" exception from GSS.
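
An added example, not part of the original issue or the driver's own code: it sets the `CANONICALIZE_HOST_NAME` mechanism property named in the javadoc above and prints the service principal host that results with and without canonicalization. The class name, the sample address and principal, and the use of the JDK's `InetAddress` to model the lookup are assumptions made for illustration.

```java
import com.mongodb.MongoCredential;

import java.net.InetAddress;
import java.net.UnknownHostException;

public class GssapiCanonicalization {

    // Host part of the service principal (mongodb/<host>@REALM) requested from the KDC.
    // Assumption: canonicalization is modelled with the JDK resolver, i.e. resolve the
    // configured address and take the name reverse DNS returns for it.
    static String spnHost(String configuredHost, boolean canonicalize) throws UnknownHostException {
        if (!canonicalize) {
            return configuredHost; // an IP stays an IP, so the KDC sees mongodb/<ip>
        }
        // Falls back to the textual IP when no PTR record exists, so a missing
        // reverse zone still ends in UNKNOWN_SERVER.
        return InetAddress.getByName(configuredHost).getCanonicalHostName();
    }

    // Builds the GSSAPI credential, optionally with the property from the javadoc.
    static MongoCredential gssapiCredential(String principal, boolean canonicalize) {
        MongoCredential credential = MongoCredential.createGSSAPICredential(principal);
        return canonicalize
                ? credential.withMechanismProperty("CANONICALIZE_HOST_NAME", true)
                : credential;
    }

    public static void main(String[] args) throws UnknownHostException {
        String host = args.length > 0 ? args[0] : "127.0.0.1";   // constructed sample address
        String principal = "appuser@EXAMPLE.COM";                // constructed sample principal

        System.out.println("SPN without canonicalization: mongodb/" + spnHost(host, false));
        System.out.println("SPN with canonicalization:    mongodb/" + spnHost(host, true));

        MongoCredential credential = gssapiCredential(principal, true);
        System.out.println("CANONICALIZE_HOST_NAME = "
                + credential.getMechanismProperty("CANONICALIZE_HOST_NAME", false));
    }
}
```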

          People

            michael.paik Michael Paik
            alex.komyagin@mongodb.com Alexander Komyagin

            Dates

              Created:
              Updated:
              Resolved:
              7 years, 29 weeks ago