Core Server / SERVER-8452

Improve GSSAPI error message when mongod fails to start with Kerberos enabled


Details

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • 2.4.0-rc0
    • Security
    • mongod 2.4.0-rc0
    • Server Security

    Description

      The following error message does point to the keytab as the reason mongod failed to start; however, the fix is not necessarily to modify the keytab file.

      # hostname -f
      localhost.localdomain
       
      [root@kserver1a ~]# more /etc/hosts
      127.0.0.1		localhost.localdomain localhost kserver1a.realm5.10gen.me kserver1a
      ::1		localhost6.localdomain6 localhost6kserver1a.realm5.10gen.me kserver1a
      10.0.5.100	ns.realm5.10gen.me
      10.0.5.110	kserver1a.realm5.10gen.me
       
      [root@kserver1a ~]# env KRB5_KTNAME=/etc/kserver1a.keytab /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --smallfiles --nojournal
      Failed global initialization: BadValue Unsupported authenticationMechanism: "GSSAPI": GSSAPI error acquiring credentials in gss_acquire_cred() in SASL library.  This is most likely due to not having the proper Kerberos key available in /etc/krb5.keytab on the server.
       
       
      # more /etc/hosts
      127.0.0.1		localhost.localdomain localhost
      ::1		localhost6.localdomain6 localhost6
      10.0.5.100	ns.realm5.10gen.me
       
      [root@kserver1a ~]# hostname -f
      kserver1a.realm5.10gen.me
       
      [root@kserver1a ~]# !ps
      psm
      root      1570  1.0  1.9 542588 32624 ?        Sl   05:54   0:00 /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --smallfiles --nojournal

      We should point the end user towards troubleshooting DNS on the mongod server. For example, does hostname -f return the hostname that was used to create the keytab on the KDC?
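      As an added example (not part of the ticket or of the MongoDB code base), a POSIX sh pre-flight check that applies the recommendation above: compare hostname -f with the service principals in the keytab before blaming the keytab. The klist -k listing is constructed; the mongodb/ service name and the --check flag are assumptions.

```sh
#!/bin/sh
# Pre-flight check for a mongod started with
#   --setParameter authenticationMechanisms=GSSAPI
# gss_acquire_cred() needs a service principal for this host's canonical
# name, so compare `hostname -f` with the keytab before editing the keytab.

# Constructed `klist -k` listing (not captured from the ticket's host);
# host and realm names are the ones the ticket shows.
SAMPLE_KLIST='Keytab name: FILE:/etc/kserver1a.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 mongodb/kserver1a.realm5.10gen.me@REALM5.10GEN.ME'

# keytab_has_principal KLIST_OUTPUT FQDN SERVICE
# Succeeds when a SERVICE/FQDN@REALM entry appears in the listing.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="$3/$2@" '
        index($2, want) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose_gssapi_startup FQDN KLIST_OUTPUT
# Prints the hint the ticket asks mongod to give. Exit status:
#   0 principal present, 1 principal missing, 2 hostname is the problem.
diagnose_gssapi_startup() {
    fqdn=$1
    case $fqdn in
        localhost|localhost.localdomain|*.localdomain)
            echo "hostname -f is '$fqdn': the host's real name is probably on a" \
                 "loopback line in /etc/hosts or DNS is wrong; fix that first"
            return 2 ;;
        *.*) ;;
        *)  echo "hostname -f is '$fqdn' (not fully qualified); check DNS/hosts"
            return 2 ;;
    esac
    if keytab_has_principal "$2" "$fqdn" mongodb; then
        echo "ok: mongodb/$fqdn present in keytab"
        return 0
    fi
    echo "no mongodb/$fqdn in keytab: the KDC created it for a different name" \
         "or the keytab file is wrong"
    return 1
}

# Run against the live host with: sh gssapi_preflight.sh --check
# (assumes MIT krb5's klist; KRB5_KTNAME selects the keytab as in the ticket)
if [ "${1-}" = "--check" ]; then
    diagnose_gssapi_startup "$(hostname -f)" "$(klist -k 2>/dev/null)"
fi
```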

          People

            backlog-server-security Backlog - Security Team
            mark Mark Porter