MongoDB – Fixing ‘Couldn’t Find Mech GSSAPI’ Error on Linux

kerberos, linux, mongodb

I am trying to understand how MongoDB works with Kerberos. To do that I have configured a Kerberos server, only for local use. This is the configuration of my realm:

This is the content of the krb5.conf file:

[libdefaults]
    default_realm = LOCALHOST

    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    LOCALHOST = {
        kdc = localhost
        admin_server = localhost
    }

[login]
    krb4_convert = true
    krb4_get_tickets = false

And this is the content of kdc.conf file:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    LOCALHOST = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }

Kerberos seems to work fine. I created some principals (two users for testing, one user for admin and one for the mongo server) and I tested that I can create tickets for each of them with kinit. This is the list of the principals:

ardi/admin@LOCALHOST
mongodb/localhost@LOCALHOST
testUser@LOCALHOST
testUser2@LOCALHOST

The problem comes when I try to start the MongoDB service with the GSSAPI mechanism. The service never starts and I get this message:

2015-03-10T12:52:12.285+0100 ERROR: Couldn't find mech GSSAPI

2015-03-10T12:52:12.286+0100 SEVERE: Failed global initialization: BadValue SASL(-4): no mechanism available: Couldn't find mech GSSAPI

Of course, if I remove the authenticationMechanisms parameter, MongoDB starts without any problems.

Other information that could be useful:

  • The value of the krb5_ktname is /home/ardi/test/mongodb.keytab
  • The permissions of the keytab file are 777 (I know this is wrong but it is only for testing)
  • My OS is Ubuntu 14.04
  • I have this problem with the Mongo Enterprise versions 2.6.8 and 3.0.0

Does anyone have any idea where the problem is?

Thank you in advance for your time

Best Answer

I solved it. The problem was that I did not have the library libsasl2-modules-gssapi-mit. Once I installed it, everything worked fine.
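
As an added example (not part of the original question or answer): a preflight script that checks for the missing SASL GSSAPI plugin the answer identifies and for the world-accessible keytab the question mentions. The plugin file name libgssapiv2.so, the directory paths in the final comment and the function names are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks before starting mongod with GSSAPI.
# Assumptions (not from the original post): the Cyrus SASL GSSAPI plugin is
# a file named libgssapiv2.so* inside a "sasl2" plugin directory, and the
# function names below are hypothetical.

# Print the first GSSAPI plugin found in the given directories.
# Returns 0 if found, 1 if not (the "Couldn't find mech GSSAPI" case).
find_gssapi_plugin() {
    for dir in "$@"; do
        for f in "$dir"/libgssapiv2.so*; do
            if [ -f "$f" ]; then
                printf '%s\n' "$f"
                return 0
            fi
        done
    done
    return 1
}

# Return 0 only if the keytab exists and grants nothing to group or other.
# A keytab holds the service's long-term keys, so mode 777 exposes them.
keytab_mode_ok() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run both checks; prints one line per finding, returns number of failures.
gssapi_preflight() {
    keytab=$1; shift
    failures=0
    if ! find_gssapi_plugin "$@" >/dev/null; then
        echo "FAIL: no GSSAPI SASL plugin in: $*"
        failures=$((failures + 1))
    fi
    if ! keytab_mode_ok "$keytab"; then
        echo "FAIL: keytab missing or readable by group/other: $keytab"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: GSSAPI plugin present, keytab private"
    return "$failures"
}

# Typical call on Ubuntu (paths are assumptions, adjust to your system):
# gssapi_preflight "$KRB5_KTNAME" /usr/lib/x86_64-linux-gnu/sasl2 /usr/lib/sasl2
```

A plugin failure here corresponds to the package named in the answer being absent; a keytab failure is fixed by restricting the file to the account that runs mongod.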