I'm not much aware of Kerberos. The Kerberos server is running on an EC2 instance. On another EC2 instance, I installed the Kerberos client, MongoDB 6.0.2 Enterprise and mongo shell 1.10.6. I created a user principal and a service principal and exported these principals to keytab files on the Kerberos server. I copied these keytab files to my Kerberos client instance, and using kinit I am able to start the mongodb service with Kerberos auth and able to connect from mongo shell. Below are the commands used:
sudo kadmin.local -q "add_principal -randkey [email protected]"
sudo kadmin.local -q "xst -kt /tmp/admn.user.keytab [email protected]"
sudo kadmin.local -q "add_principal -randkey mongodb/ip-***[email protected]"
sudo kadmin.local -q "xst -kt /tmp/mongokb.service.keytab mongodb/ip-***[email protected]"
kinit -kt /tmp/admn.user.keytab admn
The service is running with the command below:
env KRB5_KTNAME=/tmp/mongokb.service.keytab mongod --auth --setParameter authenticationMechanisms=GSSAPI --bind_ip_all
Shell:
mongosh --host ip-**.compute.internal --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username [email protected]
My Java program:
import java.util.Arrays;
import com.mongodb.BasicDBObject;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoDatabase;
import org.bson.conversions.Bson;

// Kerberos realm, KDC and config files for the JDK's built-in GSS provider
System.setProperty("java.security.krb5.realm", "KAFKA.SECURE");
System.setProperty("java.security.krb5.kdc", "ec2-***.compute.amazonaws.com");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.auth.login.config", "/tmp/gss-jaas.conf");
System.setProperty("java.security.krb5.conf", "/tmp/krb5.conf");

// GSSAPI credential for the user principal (authenticated against $external)
MongoCredential credential = MongoCredential.createGSSAPICredential("[email protected]");
com.mongodb.client.MongoClient mongoClient = MongoClients.create(
        MongoClientSettings.builder()
                .applyToClusterSettings(builder ->
                        builder.hosts(Arrays.asList(new ServerAddress("ip-***", 27017))))
                .credential(credential)
                .build());
MongoDatabase db = mongoClient.getDatabase("admin");
System.out.print("Db Name:" + db.getName());
final Bson ping = new BasicDBObject("dbstats", 1);
db.runCommand(ping);
krb5.conf file:
includedir D:/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24h
renew_lifetime = 7d
default_realm = KAFKA.SECURE
kdc_timesync = 1
[realms]
KAFKA.SECURE = {
admin_server = ec2-**.compute.amazonaws.com
kdc = ec2-**.compute.amazonaws.com
}
gss-jaas.conf file:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=false
principal="mongodb/ip-***[email protected]"
doNotPrompt=true
storeKey=true
keyTab="D:/mongokb.service.keytab"
debug=true;
};
I'm getting the error:
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
Log file:
Debug is true storeKey false useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is D:/mongokb.service.keytab refreshKrb5Config is false principal is mongodb/ip-**[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: mongodb/ip-**[email protected]
Found unsupported keytype (25) for mongodb/ip-**[email protected]
Found unsupported keytype (26) for mongodb/ip-**[email protected]
Added key: 23version: 3
Added key: 17version: 3
Added key: 18version: 3
Looking for keys for: mongodb/ip-***[email protected]
Found unsupported keytype (25) for mongodb/ip-**[email protected]
Found unsupported keytype (26) for mongodb/ip-**[email protected]
Added key: 23version: 3
Added key: 17version: 3
Added key: 18version: 3
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=ec2-**.compute.amazonaws.com UDP:88, timeout=30000, number of retries =3, #bytes=208
>>> KDCCommunication: kdc=ec2-**.amazonaws.com UDP:88, timeout=30000,Attempt =1, #bytes=208
>>> KrbKdcReq send: #bytes read=840
>>> KdcAccessibility: remove ec2-***.compute.amazonaws.com
Looking for keys for: mongodb/ip-***[email protected]
Found unsupported keytype (25) for mongodb/ip-**[email protected]
Found unsupported keytype (26) for mongodb/ip-**[email protected]
Added key: 23version: 3
Added key: 17version: 3
Added key: 18version: 3
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply mongodb/ip-***.compute.internal
principal is mongodb/ip-**[email protected]
Will use keytab
Commit Succeeded
Found ticket for mongodb/ip-**[email protected] to go to krbtgt/[email protected] expiring on Thu Nov 09 16:05:19 IST 2023
If I add an entry for the service principal to the admn.user.keytab file as below:
add_entry -password -p mongodb/ip**.ap-south-1.compute.internal -k 3 -e aes256-cts-hmac-sha1-96
wkt /tmp/admn.user.keytab
And if I set the keytab in the gss-jaas.conf file to /tmp/admn.user.keytab, I get the exception below:
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
Can anyone please help with which keytab file should be used to connect to the MongoDB service running with Kerberos auth?
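An added check (not code from the question) that the JAAS entry the JDK's GSS provider logs in through yields the same principal the driver credential names, before any connection is attempted; it assumes the user principal is admn@KAFKA.SECURE (from the kinit command and krb5.conf) and uses a placeholder for the redacted mongod host name.

```java
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;

public class GssapiPrincipalCheck {
    // Assumed: the user principal from add_principal/kinit, in the realm from krb5.conf.
    static final String CLIENT_PRINCIPAL = "admn@KAFKA.SECURE";
    // Placeholder for the redacted mongod host name in the question.
    static final String MONGO_HOST = "ip-PLACEHOLDER.ap-south-1.compute.internal";

    // Log in through the named JAAS entry and return the Subject it populated.
    static Subject jaasLogin(String entry) throws LoginException {
        LoginContext lc = new LoginContext(entry);
        lc.login();
        return lc.getSubject();
    }

    // The Kerberos principal name the login produced, or null if there is none.
    static String kerberosName(Subject subject) {
        return subject.getPrincipals(KerberosPrincipal.class).stream()
                .findFirst().map(KerberosPrincipal::getName).orElse(null);
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", "/tmp/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/tmp/gss-jaas.conf");
        // The JDK's GSS provider logs in via this JAAS entry, so its principal/keyTab must name
        // the client (admn): a service keytab yields a TGT for mongodb/<host>, which is not
        // the identity the driver credential presents, hence "Failed to find any Kerberos tgt".
        Subject subject = jaasLogin("com.sun.security.jgss.initiate");
        String loggedIn = kerberosName(subject);
        if (!CLIENT_PRINCIPAL.equals(loggedIn)) {
            throw new IllegalStateException("gss-jaas.conf logs in as " + loggedIn
                    + " but the driver credential is for " + CLIENT_PRINCIPAL);
        }
        // Hand the verified Subject to the driver so authentication runs under that identity.
        MongoCredential credential = MongoCredential.createGSSAPICredential(CLIENT_PRINCIPAL)
                .withMechanismProperty(MongoCredential.JAVA_SUBJECT_KEY, subject);
        try (MongoClient client = MongoClients.create(MongoClientSettings.builder()
                .applyToClusterSettings(b -> b.hosts(Arrays.asList(new ServerAddress(MONGO_HOST, 27017))))
                .credential(credential).build())) {
            System.out.println(client.getDatabase("admin").runCommand(new Document("ping", 1)).toJson());
        }
    }
}
```

If the JAAS login itself fails with "Checksum failed", the key stored in the keytab does not match the KDC's current key for that principal (for example an entry typed in with add_entry -password against a principal created with -randkey, or a stale kvno), so the keytab must be re-exported from the KDC rather than edited by hand.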