MongoDB Fails to get TGT
Problem
I've set up MongoDB Enterprise on CentOS 7 with Kerberos support. Additionally I've set up a Kerberos service on CentOS 7 for the authentication. I know that Kerberos is set up correctly as I now have multiple CentOS 7 clients SSH authenticating against Kerberos. When I start MongoDB with Kerberos, I get the following error in the MongoDB Enterprise logs.

    2016-04-05T16:30:50.515-0500 F CONTROL [main] Failed global initialization:
    UnknownError: gssapi could not acquire server credential for
    mongodb/mongodb.centos7.vm@CENTOS7.VM; Major code 851968; Unspecified GSS failure.
    Minor code may provide more information; Minor code 39756033; No key table entry
    found for mongodb/mongodb.centos7.vm@CENTOS7.VM;

I've also verified that a ticket has been generated via kinit:

    [root@mongodb mongodb]# kinit mongodb/mongodb.centos7.vm@CENTOS7.VM
    Password for mongodb/mongodb.centos7.vm@CENTOS7.VM:
    [root@mongodb mongodb]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: mongodb/mongodb.centos7.vm@CENTOS7.VM
    Valid starting       Expires              Service principal
    05/04/16 17:17:11    06/04/16 03:17:11    krbtgt/CENTOS7.VM@CENTOS7.VM
            renew until 06/04/16 17:17:09

I then verified the principals exist on both client and server:

    [root@mongodb mongodb]# kadmin -p root/admin
    Authenticating as principal root/admin with password.
    Password for root/admin@CENTOS7.VM:
    kadmin: listprincs
    K/M@CENTOS7.VM
    ...other principals
    mongodb/mongo.centos7.vm@CENTOS7.VM
    mongodb/mongodb.centos7.vm@CENTOS7.VM
    root/admin@CENTOS7.VM

What is preventing mongo from seeing and using this principal? I've verified my DNS is working correctly and all other Kerberos functionality seems to be working as expected. I'm unbelievably stumped with something that seems like it should be a simple fix.
Solution
I think that you missed one step. You should add an entry into the keytab file for your principal mongodb/mongodb.centos7.vm@CENTOS7.VM.

Suppose that the path for your keytab file is /etc/krb5.keytab. Now run $ ktutil

    ktutil: add_entry -password -p mongodb/mongodb.centos7.vm@CENTOS7.VM -k 1 -e des-cbc-md4
    ktutil: wkt /etc/krb5.keytab
    ktutil: quit

Now you can run

    $ klist -k /etc/krb5.keytab

and the new entry should appear on the output.

Now, I think you can start the mongod service.
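A way to confirm the fix before restarting mongod, as an added example that is not part of the original answer: it checks that the keytab mongod will read actually contains the service principal named in the error, and flags entries that only carry single-DES keys (such as the des-cbc-md4 entry above), which MIT Kerberos 1.8+ refuses unless allow_weak_crypto is enabled. The klist output, realm and keytab path below are constructed or assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that the keytab mongod
# reads contains the service principal it will ask GSSAPI for, and lists
# entries whose only key type is single DES (disabled by default in MIT
# Kerberos 1.8+ unless allow_weak_crypto = true is set in krb5.conf).

# Constructed sample of `klist -ke` output, mirroring the keytab the answer
# builds with ktutil (the des-cbc-md4 entry) plus a host key for contrast.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 mongodb/mongodb.centos7.vm@CENTOS7.VM (des-cbc-md4)
   2 host/mongodb.centos7.vm@CENTOS7.VM (aes256-cts-hmac-sha1-96)'

# Reads `klist -ke` output on stdin; exit 0 if PRINCIPAL has at least one key.
# Entry lines start with a numeric KVNO, so the header lines are skipped.
keytab_has_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 } END { exit !found }'
}

# Reads `klist -ke` output on stdin; prints principals whose listed enctype
# is single DES (des-cbc-md4 / des-cbc-md5 / des-cbc-crc).
weak_enctype_principals() {
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /^\(des-cbc-/ { print $2 }' | sort -u
}

# check_keytab PRINCIPAL KLIST_OUTPUT: prints a verdict; returns 0 when the
# principal is present and 1 when it is absent (the condition behind
# "No key table entry found for ..." in the question).
check_keytab() {
    if printf '%s\n' "$2" | keytab_has_principal "$1"; then
        echo "ok: $1 has a keytab entry"
        return 0
    fi
    echo "missing: $1 not in keytab; mongod GSSAPI initialization will fail"
    return 1
}

# Offline demonstration against the constructed sample.
check_keytab 'mongodb/mongodb.centos7.vm@CENTOS7.VM' "$SAMPLE_KLIST"
printf '%s\n' "$SAMPLE_KLIST" | weak_enctype_principals | sed 's/^/single-DES only: /'

# On the real host (assumed realm and path; mongod honours KRB5_KTNAME, so
# check the same file mongod is pointed at, not necessarily /etc/krb5.keytab):
#   check_keytab "mongodb/$(hostname -f)@CENTOS7.VM" \
#       "$(klist -ke "${KRB5_KTNAME:-/etc/krb5.keytab}")"
```

The principal mongod looks up is built from the machine's fully qualified hostname, so a keytab entry for mongodb/mongo.centos7.vm (the other principal listed by kadmin) would not satisfy a host named mongodb.centos7.vm; the script also does not check that the keytab file is readable by the account mongod runs under, which is the next thing to verify.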
Context
StackExchange Database Administrators Q#134545, answer score: 2