Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

I am very much new to the MOngoDB + Java Configuration. I am trying to achive the connection from remote mongodb server from Java application. I want to use GSSAPI mechanism for connection with mongotemplate. Below code has been executing successfully. Below code is from my configuration file.

List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
    ServerAddress address = new ServerAddress(host, port);
    serverAddresses.add(address);
    List<MongoCredential> credentials = new ArrayList<MongoCredential>();

    MongoCredential credential = MongoCredential.createGSSAPICredential(userName);

    credential.withMechanismProperty("SERVICE_NAME", gssapiServiceName);
    credential.withMechanismProperty("CANONICALIZE_HOST_NAME", true);
    credentials.add(credential);

    return new MongoClient(serverAddresses, credentials);

But when I am trying execute below code I am getting exception

DB db = mongoTemplate.getDb();
Set<String> dbCollections1 = db.getCollectionNames();

Exception:

GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193) at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427) at sun.security.jgss.GSSCredentialImpl.(GSSCredentialImpl.java:62) at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154) at com.mongodb.DBPort$GSSAPIAuthenticator.getGSSCredential(DBPort.java:622) at com.mongodb.DBPort$GSSAPIAuthenticator.createSaslClient(DBPort.java:593) at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:895) at com.mongodb.DBPort.authenticate(DBPort.java:432) at com.mongodb.DBPort.checkAuth(DBPort.java:443) at com.mongodb.DBTCPConnector.innerCall(DBTCPConnector.java:289) at com.mongodb.DBTCPConnector.call(DBTCPConnector.java:269) at com.mongodb.DBCollectionImpl.find(DBCollectionImpl.java:84) at com.mongodb.DB.command(DB.java:320) at com.mongodb.DB.command(DB.java:299) at com.mongodb.DB.command(DB.java:388) at com.mongodb.DBApiLayer.getCollectionNames(DBApiLayer.java:152)

like image 939
Krishna Kumar Chourasiya Avatar asked Nov 20 '15 14:11

Krishna Kumar Chourasiya


3 Answers

Million thanks to all who have responded and take a look to my question.

After adding some System Properties and a new conf file, Finally I am able to get connected with MongoDB server. Herewith the updated code -

try {
        System.setProperty("java.security.krb5.conf","C:/mongodb/UnixKeytab/krb5.conf");
        System.setProperty("java.security.krb5.realm","EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc","example.com");
        System.setProperty("javax.security.auth.useSubjectCredsOnly","false");
        System.setProperty("java.security.auth.login.config","C:/mongodb/UnixKeytab/gss-jaas.conf");


        List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
        ServerAddress address = new ServerAddress(host, port);
        serverAddresses.add(address);
        List<MongoCredential> credentials = new ArrayList<MongoCredential>();
        MongoCredential credential = MongoCredential.createGSSAPICredential(username);
        credentials.add(credential);
        MongoClient mongoClient1 = new MongoClient(serverAddresses, credentials);
        DB db = mongoClient1.getDB(database);

    } catch (UnknownHostException e) {
        e.printStackTrace();
    }

My krb5.conf file look like below -

[libdefaults]
     default_realm = EXAMPLE.COM
     default_tkt_enctypes = des-cbc-md5 rc4-hmac
     default_tgs_enctypes = des-cbc-md5 rc4-hmac
     default_keytab_name = <keytab file path>
[realms]
EXAMPLE.COM = {
    kdc = example.com
    master_kdc = example.com
    default_domain = EXAMPLE.COM
}
INTRANET = {
    kdc = example.com
    master_kdc = example.com
    default_domain = example.com
}

My gss-jaas.conf look like below -

com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=false
principal="my-account@MY_REALM"
doNotPrompt=true
keyTab="path-to-my-keytab-file"
debug=true;};

Code I have posted is working for me. Hope this will work for others.

like image 110
Krishna Kumar Chourasiya Avatar answered Nov 19 '22 04:11

Krishna Kumar Chourasiya


Adding some information to this post as its extremely useful already.

If the Sasl/createSaslClient is not run within the Subject:doAs method that is retrieved from the LoginContext, the credentials will not be picked up from the krb5.conf file. I.e the GSS code looks at the current thread's security manager for the Subject which is registered via the Subject:doAs method, and then uses the credentials from this subject. This Subject should've been obtained via jaas which in turn would read the correct jaas and krb5.conf credentials, but if you do not run the sasl and saslclient methods inside the Subject:doAs method all this doesn't matter.

You can get around it by setting javax.security.auth.useSubjectCredsOnly=false which means if no credentials can be found, some default names in the jaas file will be searched for see LoginConfigImpl.java#92, one is com.sun.security.jgss.initiate.

e.g

com.sun.security.jgss.initiate{
   com.sun.security.auth.module.Krb5LoginModule required
   doNotPrompt=true
   useTicketCache=true
   useKeyTab=true
   keyTab="mykeytab"
   principal="service/host@REALM";
 };
like image 6
gerritjvv Avatar answered Nov 19 '22 05:11

gerritjvv


I faced the same error "Mechanism level: Failed to find any Kerberos tgt". My problem looks different from yours, but it could be useful to other ones with the same error.

In my case it was caused by an error in writing the principal name in one of my configuration files.

I suggest to check the Jaas LoginManager configuration file (provided with java.security.auth.login.config) and policy files for principals. Typical error is the domain name in lowercase: [email protected] instead of [email protected]

In the case you set/refer to the principal programmatically, you can also check the principal name correctness in your code. Regards

like image 1
Fabiano Tarlao Avatar answered Nov 19 '22 04:11

Fabiano Tarlao