- Type: Improvement
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: 2.4.0-rc0
- Component/s: Security
- Environment: mongod 2.4.0-rc0
- Server Security

The following error message does point to the keytab being the issue for failure to start; however, the solution is not guaranteed to be modifying the keytab file.

```
# hostname -f
localhost.localdomain
[root@kserver1a ~]# more /etc/hosts
127.0.0.1 localhost.localdomain localhost kserver1a.realm5.10gen.me kserver1a
::1 localhost6.localdomain6 localhost6kserver1a.realm5.10gen.me kserver1a
10.0.5.100 ns.realm5.10gen.me
10.0.5.110 kserver1a.realm5.10gen.me
[root@kserver1a ~]# env KRB5_KTNAME=/etc/kserver1a.keytab /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --smallfiles --nojournal
Failed global initialization: BadValue Unsupported authenticationMechanism: "GSSAPI": GSSAPI error acquiring credentials in gss_acquire_cred() in SASL library. This is most likely due to not having the proper Kerberos key available in /etc/krb5.keytab on the server.

# more /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
10.0.5.100 ns.realm5.10gen.me
[root@kserver1a ~]# hostname -f
kserver1a.realm5.10gen.me
[root@kserver1a ~]# !ps
psm
root 1570 1.0 1.9 542588 32624 ? Sl 05:54 0:00 /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --smallfiles --nojournal
```

We should point the end-user towards troubleshooting DNS on the mongod server. For example, does hostname -f return the correct hostname that was used to create the keytab on the KDC?
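
A pre-start check along the lines suggested above, as an added example that is not part of the original ticket or of MongoDB itself: it compares the host's FQDN with the service principals listed in the keytab and separates a name-resolution problem from a genuinely missing key. It assumes MIT Kerberos `klist -k` output and the `mongodb` service name; the function names and the sample realm are hypothetical.

```shell
#!/bin/sh
# Added example: does the FQDN this host reports match a principal in the keytab?
# Assumptions: MIT `klist -k` output format; service name "mongodb".

# keytab_has_principal SERVICE FQDN
# Reads `klist -k` output on stdin; returns 0 if SERVICE/FQDN@<realm> is listed.
keytab_has_principal() {
    awk -v want="$1/$2@" '
        # Entry lines look like "   3 mongodb/host.example@REALM" (KVNO, principal).
        $1 ~ /^[0-9]+$/ && index($NF, want) == 1 { found = 1 }
        END { exit !found }'
}

# check_gssapi_host SERVICE FQDN KLIST_OUTPUT
# Returns 0 = match, 1 = no matching principal, 2 = FQDN is a localhost name.
check_gssapi_host() {
    svc=$1; fqdn=$2; listing=$3
    case $fqdn in
        localhost|localhost.*)
            # The failing case in the ticket: /etc/hosts maps the name to localhost.
            echo "FQDN is '$fqdn': fix /etc/hosts or DNS before changing the keytab"
            return 2 ;;
    esac
    if printf '%s\n' "$listing" | keytab_has_principal "$svc" "$fqdn"; then
        echo "OK: keytab contains $svc/$fqdn"
        return 0
    fi
    echo "MISMATCH: keytab has no $svc/$fqdn principal"
    return 1
}

# Constructed sample of `klist -k` output; the realm name is illustrative.
SAMPLE_KLIST='Keytab name: FILE:/etc/kserver1a.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 mongodb/kserver1a.realm5.10gen.me@EXAMPLE.REALM'

# Live use on the mongod host (not run here):
#   check_gssapi_host mongodb "$(hostname -f)" "$(klist -k "$KRB5_KTNAME")"
```

A return code of 2 corresponds to the first session above, where the keytab itself was fine and only the hostname mapping was wrong.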