Details
Improvement
Resolution: Unresolved
Major - P3
None
2.4.0-rc0
mongod 2.4.0-rc0
Server Security
Description
The following error message does point to the keytab being the issue for failure to start; however, the solution is not guaranteed to be modifying the keytab file.

# hostname -f
localhost.localdomain

[root@kserver1a ~]# more /etc/hosts
127.0.0.1 localhost.localdomain localhost kserver1a.realm5.10gen.me kserver1a
::1 localhost6.localdomain6 localhost6kserver1a.realm5.10gen.me kserver1a
10.0.5.100 ns.realm5.10gen.me
10.0.5.110 kserver1a.realm5.10gen.me

[root@kserver1a ~]# env KRB5_KTNAME=/etc/kserver1a.keytab /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --smallfiles --nojournal
Failed global initialization: BadValue Unsupported authenticationMechanism: "GSSAPI": GSSAPI error acquiring credentials in gss_acquire_cred() in SASL library. This is most likely due to not having the proper Kerberos key available in /etc/krb5.keytab on the server.

# more /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.0.5.100 ns.realm5.10gen.me

[root@kserver1a ~]# hostname -f
kserver1a.realm5.10gen.me

[root@kserver1a ~]# !ps
psm
root 1570 1.0 1.9 542588 32624 ? Sl 05:54 0:00 /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --smallfiles --nojournal

We should point the end-user towards troubleshooting DNS on the mongod server. For example, does hostname -f return the correct hostname that was used to create the keytab on the KDC?
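
One way to run the check suggested above before editing any keytab, as an added example that is not part of the original ticket or of MongoDB's code: it classifies the `hostname -f` result first and only then looks for a matching principal in `klist -k` output. The service name `mongodb`, the realm `EXAMPLE.REALM`, the sample listing and the function names `keytab_has_host` and `diagnose` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether a gss_acquire_cred() startup failure points at
# name resolution or at the keytab. `klist -k` output is read on stdin.

# Constructed sample listing; realm and kvno are made up for illustration.
SAMPLE_KLIST='Keytab name: FILE:/etc/kserver1a.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 mongodb/kserver1a.realm5.10gen.me@EXAMPLE.REALM'

# keytab_has_host FQDN SERVICE: succeeds if SERVICE/FQDN@<any realm> is listed.
keytab_has_host() {
    awk -v want="$2/$1" '
        $1 ~ /^[0-9]+$/ { split($2, p, "@"); if (p[1] == want) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# diagnose FQDN SERVICE: prints a verdict; returns 0 ok, 1 keytab, 2 DNS/hosts.
diagnose() {
    fqdn=$1 service=$2
    listing=$(cat)                    # consume stdin even on an early return
    case $fqdn in
        ""|localhost*) dns_bad=1 ;;   # loopback alias won the lookup
        *.*)           dns_bad=0 ;;   # looks fully qualified
        *)             dns_bad=1 ;;   # short name, no domain part
    esac
    if [ "$dns_bad" -eq 1 ]; then
        echo "DNS: hostname -f gave '$fqdn'; fix /etc/hosts or DNS before touching the keytab"
        return 2
    fi
    if printf '%s\n' "$listing" | keytab_has_host "$fqdn" "$service"; then
        echo "OK: keytab lists $service/$fqdn"
    else
        echo "KEYTAB: no $service/$fqdn entry; compare with the name used on the KDC"
        return 1
    fi
}

# Demo with the two `hostname -f` results shown in the ticket.
# Live use (assumes MIT klist):
#   klist -k "$KRB5_KTNAME" | diagnose "$(hostname -f)" mongodb
for h in localhost.localdomain kserver1a.realm5.10gen.me; do
    printf '%s\n' "$SAMPLE_KLIST" | diagnose "$h" mongodb || true
done
```

An `OK` verdict only says that the name matches an entry; it does not validate the key itself.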