I am trying to understand how MongoDB works with Kerberos. To do that I have configured a Kerberos server, only for local use. This is the configuration of my realm.
This is the content of the krb5.conf file:
[libdefaults]
    default_realm = LOCALHOST

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    LOCALHOST = {
        kdc = localhost
        admin_server = localhost
    }

[login]
    krb4_convert = true
    krb4_get_tickets = false
And this is the content of the kdc.conf file:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    LOCALHOST = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
Kerberos seems to work fine. I created some principals (two users for testing, one admin user and one for the mongo server) and I verified that I can obtain tickets for each of them with kinit. This is the list of principals:
ardi/admin@LOCALHOST
mongodb/localhost@LOCALHOST
testUser@LOCALHOST
testUser2@LOCALHOST
The problem comes when I try to start the MongoDB service with the GSSAPI mechanism. The service never starts and I get this message:
2015-03-10T12:52:12.285+0100 ERROR: Couldn't find mech GSSAPI
2015-03-10T12:52:12.286+0100 SEVERE: Failed global initialization:
BadValue SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Of course, if I remove the authenticationMechanisms parameter, MongoDB starts without any problems.
Other information that could be useful:
- The value of KRB5_KTNAME is /home/ardi/test/mongodb.keytab
- The permissions of the keytab file are 777 (I know this is wrong, but it is only for testing)
- My OS is Ubuntu 14.04
- I have this problem with MongoDB Enterprise versions 2.6.8 and 3.0.0
Does any of you have any idea where the problem is?
Thank you in advance for your time.
Best Answer
I solved it. The problem was that I did not have the library libsasl2-modules-gssapi-mit. Once I installed it, everything works fine.
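The "Couldn't find mech GSSAPI" error comes from Cyrus SASL, not from MongoDB or the KDC: mongod asks libsasl2 for the GSSAPI server plugin, and on Debian/Ubuntu that plugin lives in the separate package libsasl2-modules-gssapi-mit. The script below is an added diagnostic example, not code from the original post or from MongoDB. It checks the three things this thread turns on before mongod is started: whether libsasl2 can see a GSSAPI plugin (by parsing saslpluginviewer output), whether the keytab mode is restrictive (the 777 in the question lets any local user read the service key and impersonate mongod), and which enctypes in the question's supported_enctypes line are single DES or RC4. The keytab path and service principal are taken from the question and are assumed values; the saslpluginviewer outputs are constructed samples in the tool's format, not captured from a real host; stat -c %a is the GNU form available on Ubuntu.

```shell
#!/bin/sh
# Added diagnostic script (not from the original post or MongoDB).
# Assumed values from the question; adjust for your host.
KRB5_KTNAME="${KRB5_KTNAME:-/home/ardi/test/mongodb.keytab}"
SERVICE_PRINCIPAL="mongodb/localhost@LOCALHOST"

# 1. Does Cyrus SASL see a server plugin for the mechanism? $2 is the output
#    of `saslpluginviewer -s` (Debian/Ubuntu name of pluginviewer, in sasl2-bin).
has_sasl_mech() {  # usage: has_sasl_mech MECH "<saslpluginviewer -s output>"
  printf '%s\n' "$2" | grep -Eq "SASL mechanism: $1(,|\$)"
}

# 2. Is the keytab locked down? mongod reads it as the mongod user, so 0400 or
#    0600 owned by that user is enough; anything wider exposes the service key.
keytab_mode_ok() {  # usage: keytab_mode_ok <octal mode, e.g. 0600 or 600>
  case "$1" in
    0400|400|0600|600) return 0 ;;
    *) return 1 ;;
  esac
}

# 3. Which entries of a kdc.conf supported_enctypes value are weak?
#    Single DES (des-*, des:*) and RC4 (arcfour*) are flagged; AES and des3 pass.
weak_enctypes() {  # usage: weak_enctypes "<supported_enctypes value>"; prints one per line
  for e in $1; do
    case "$e" in
      des-*|des:*|arcfour*) printf '%s\n' "$e" ;;
    esac
  done
}

# Constructed samples (not captured from a real host) in saslpluginviewer's
# format: one host with the GSSAPI plugin installed, one without.
SAMPLE_WITH_GSSAPI='Installed and properly configured server mechanisms are:
GSSAPI PLAIN LOGIN
Available server plugins:
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no'
SAMPLE_WITHOUT_GSSAPI='Installed and properly configured server mechanisms are:
PLAIN LOGIN
Available server plugins:
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no'

# The supported_enctypes line from the kdc.conf in the question.
KDC_ENCTYPES='aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3'

# Live checks against the local host; run the script with --live on the MongoDB host.
live_check() {
  viewer=$(command -v saslpluginviewer || command -v pluginviewer) || {
    echo "no plugin viewer found; install sasl2-bin to inspect SASL plugins"; return 1; }
  if has_sasl_mech GSSAPI "$("$viewer" -s 2>/dev/null)"; then
    echo "GSSAPI plugin present"
  else
    echo "GSSAPI plugin missing: sudo apt-get install libsasl2-modules-gssapi-mit"; return 1
  fi
  mode=$(stat -c %a "$KRB5_KTNAME") || return 1
  keytab_mode_ok "$mode" || echo "keytab mode $mode is too open: chmod 600 and chown to the mongod user"
  klist -k "$KRB5_KTNAME" | grep -q "$SERVICE_PRINCIPAL" || echo "keytab lacks $SERVICE_PRINCIPAL"
  weak_enctypes "$KDC_ENCTYPES" | sed 's/^/weak enctype in kdc.conf: /'
  # With plugin, keytab and principal in place, this is the start command to try:
  echo "KRB5_KTNAME=$KRB5_KTNAME mongod --auth --setParameter authenticationMechanisms=GSSAPI"
}

if [ "${1:-}" = "--live" ]; then
  live_check
fi
```

Without arguments the script only defines the helpers and samples; `sh check-gssapi.sh --live` runs the real checks. Removing the DES and arcfour entries from supported_enctypes is independent of the plugin problem but is the change a reviewer would ask for before this realm leaves the test box.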