[SERVER-8452] Improve GSSAPI error message when mongod fails to start with Kerberos enabled Created: 06/Feb/13  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.0-rc0
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Mark porter Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 1
Labels: kerberos, platforms-re-triaged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

mongod 2.4.0-rc0


Issue Links:
Depends
Assigned Teams:
Server Security
Participants:

Description

The following error message does point to the keytab as the reason for the failure to start; however, the solution is not guaranteed to be modifying the keytab file.

# hostname -f
localhost.localdomain
 
[root@kserver1a ~]# more /etc/hosts
127.0.0.1		localhost.localdomain localhost kserver1a.realm5.10gen.me kserver1a
::1		localhost6.localdomain6 localhost6kserver1a.realm5.10gen.me kserver1a
10.0.5.100	ns.realm5.10gen.me
10.0.5.110	kserver1a.realm5.10gen.me
 
[root@kserver1a ~]# env KRB5_KTNAME=/etc/kserver1a.keytab /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --smallfiles --nojournal
Failed global initialization: BadValue Unsupported authenticationMechanism: "GSSAPI": GSSAPI error acquiring credentials in gss_acquire_cred() in SASL library.  This is most likely due to not having the proper Kerberos key available in /etc/krb5.keytab on the server.
 
 
# more /etc/hosts
127.0.0.1		localhost.localdomain localhost
::1		localhost6.localdomain6 localhost6
10.0.5.100	ns.realm5.10gen.me
 
[root@kserver1a ~]# hostname -f
kserver1a.realm5.10gen.me
 
[root@kserver1a ~]# !ps
psm
root      1570  1.0  1.9 542588 32624 ?        Sl   05:54   0:00 /usr/local/bin/mongodb/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --fork --logpath /var/tmp/mongod_auth.log --smallfiles --nojournal

We should point the end-user towards troubleshooting DNS on the mongod server. For example, does hostname -f return the correct hostname that was used to create the keytab on the KDC?

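As an added example (not code from this ticket or from MongoDB), the following POSIX shell pre-flight check does the diagnosis the description asks for: it confirms the keytab mongod will use is readable, that hostname -f does not come back as a loopback name, and that the keytab actually holds a mongodb/<fqdn> principal for that name. It assumes the MIT klist -k listing format and the mongodb/ service principal name; the sample listing and the realm REALM5.10GEN.ME are constructed for the demo and are not taken from the ticket.

```sh
#!/bin/sh
# Added example, not part of SERVER-8452 or MongoDB. Pre-flight check for the
# failure in the ticket: /etc/hosts mapped the host's own name to 127.0.0.1,
# so "hostname -f" said localhost.localdomain and no keytab entry matched.

# Constructed sample of "klist -k" output for the ticket's host (assumed realm).
SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:/etc/kserver1a.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 mongodb/kserver1a.realm5.10gen.me@REALM5.10GEN.ME
   2 host/kserver1a.realm5.10gen.me@REALM5.10GEN.ME
EOF
)

# is_local_hostname NAME: true if NAME is a loopback name rather than an FQDN.
is_local_hostname() {
    case "$1" in
        ""|localhost|localhost.localdomain|localhost6*) return 0 ;;
        *) return 1 ;;
    esac
}

# principal_matches_host KLIST_OUTPUT FQDN: true if the listing contains a
# principal that starts exactly with "mongodb/FQDN@" (MIT klist -k format:
# entry lines begin with a numeric KVNO, header lines do not).
principal_matches_host() {
    printf '%s\n' "$1" | awk -v want="mongodb/$2@" '
        $1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_gssapi_preflight [KEYTAB]: run the checks against the live host.
# Needs "hostname -f" and MIT klist; prints a pointer at DNS or /etc/hosts
# instead of the generic "key not in /etc/krb5.keytab" hint.
check_gssapi_preflight() {
    keytab=${1:-${KRB5_KTNAME:-/etc/krb5.keytab}}
    if [ ! -r "$keytab" ]; then
        echo "keytab $keytab is missing or unreadable (check KRB5_KTNAME)"
        return 1
    fi
    fqdn=$(hostname -f 2>/dev/null)
    if is_local_hostname "$fqdn"; then
        echo "hostname -f returned '$fqdn': fix /etc/hosts or DNS so the host" \
             "resolves to the FQDN used when the keytab was created on the KDC"
        return 1
    fi
    listing=$(klist -k "$keytab" 2>&1) || { echo "klist failed: $listing"; return 1; }
    if principal_matches_host "$listing" "$fqdn"; then
        echo "ok: $keytab contains mongodb/$fqdn"
        return 0
    fi
    echo "no mongodb/$fqdn principal in $keytab; principals present:"
    printf '%s\n' "$listing"
    return 1
}

# Demo on the constructed sample: the correct FQDN matches, the loopback name
# the ticket's broken /etc/hosts produced does not.
for h in kserver1a.realm5.10gen.me localhost.localdomain; do
    if principal_matches_host "$SAMPLE_KLIST" "$h"; then
        echo "$h: keytab principal found"
    else
        echo "$h: no mongodb/$h principal in keytab"
    fi
done
```

Run check_gssapi_preflight /etc/kserver1a.keytab on the server before starting mongod with authenticationMechanisms=GSSAPI; it reports the hostname problem from the description and the unreadable-keytab case separately, which is the distinction the single error message in the ticket collapses.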


Comments
Comment by Daniel Pasette (Inactive) [ 16/May/13 ]

Less info now. Possible to fix on our side?

Comment by Michael Grundy [ 07/May/13 ]

Here's an example where I didn't specify the keytab properly:

env KRB5_TRACE=/var/tmp/krb5.log  KRB5_KTNAME=/etc/mongod.keytab ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongod --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --smallfiles --nojournal

The error message:

Failed global initialization: UnknownError gssapi could not acquire server credential for mongodb/mongod1@; Major code 851968; Unspecified GSS failure.  Minor code may provide more information; Minor code 100008; (no data);

Comment by Andy Schwerin [ 07/May/13 ]

michael.grundy@10gen.com, how does the error message look after the Cyrus port?
