MongoDB 4.4 Enterprise and Kerberos Authentication


I am trying to set up Kerberos authentication to work with MongoDB Enterprise 4.4.
My OS is CentOS 8.
I have configured SELinux as described in

In summary, I have no problem starting the mongod service if I follow the example shown by MongoDB docs (

env KRB5_KTNAME=/data/mongodb/mongodb-svr.keytab \
mongod --tls --port 29000 --dbpath /data/mongodb --setParameter authenticationMechanisms=GSSAPI

(My instance has TLS activated and it’s running using a custom port)

But once trying to start the service using systemctl, it just didn’t want to run.

What I want to achieve is to successfully use systemctl to stop/start the mongod service.

In essence, my /etc/mongod.conf is as follows:

security:
  authorization: enabled
  ldap:
    bind:
      queryUser: [email protected]
      queryPassword: somepassword
    transportSecurity: tls
setParameter:
  authenticationMechanisms: "PLAIN,SCRAM-SHA-256,MONGODB-X509"

The Setup
What I have for setup:

  1. I’m using Active Directory (Windows Server 2019) and CentOS 8.

  2. I have configured the LDAP so it’s accepting TLS/SSL (also have tested that everything works using LDAPAdmin.exe tool from another Windows machine).

  3. No issue running kinit or klist from the MongoDB machine.

  4. I have successfully integrated LDAP authentication with MongoDB before this (using simple option for bind).

  5. I have no issue authenticating to the MongoDB instance as one of the domain users using the LDAP integration (by configuring the userToDNMapping and authz.queryTemplate parameters).

  6. Custom MongoDB port: tcp/29000

  7. Custom MongoDB data path: /data/mongodb

  8. The CentOS 8 machine has already joined the domain (using realm join).

Configuration So Far
Now, I have tried to do the following for making Kerberos work:

  1. Created a Managed Service Account (svc_mongodb) on AD.

  2. Created the SPN as follows:

setspn -S mongodb/[email protected] svc_mongodb

  3. Created the keytab file using ktpass:

ktpass /out mongodb-svr.keytab /princ mongodb/[email protected] /mapuser svc_mongod /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass somepassword

  4. Put the keytab at /data/mongodb/mongodb-svr.keytab (on the CentOS machine). Also chowned it to the mongod user and chmodded it to 400.

  5. Started the mongod service from the command line (this works):

env KRB5_KTNAME=/data/mongodb/mongodb-svr.keytab \
mongod --tls --port 29000 --dbpath /data/mongodb --setParameter authenticationMechanisms=GSSAPI

What Failed
However, when I change the /etc/mongod.conf to this:

  authenticationMechanisms: "GSSAPI,SCRAM-SHA-256,MONGODB-X509"

I got this error:
Unspecified GSS failure. Minor code may provide more information; Minor code 13; Permission denied

Looking at the audit log, I noticed this:

type=AVC msg=audit(1624773960.885:206): avc:  denied  { open } for  pid=2771 comm="mongod" path="/etc/krb5.keytab" dev="dm-0" ino=8388741 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file permissive=0

Okay, that’s expected since I haven’t configured the SELinux file context so that mongod can open it.
But I don’t want to if possible, because I want to use the specific keytab file instead.

What I Have Tried

  1. I tried to follow by editing /etc/sysconfig/mongod on my CentOS 8.

  2. I tried to edit the systemd service file (/usr/lib/systemd/system/mongod.service) to add this line (afterwards running systemctl daemon-reload):

ExecStartPre=/usr/bin/env KRB5_KTNAME=/data/mongodb/mongodb-svr.keytab

  3. Created a .profile under the mongod user’s home directory and exported the KRB5_KTNAME variable there.

  4. Created a file under the /etc/profile.d directory and exported the KRB5_KTNAME variable there.

None of the above worked so far.
So I’m confused as to why (and how exactly can I set this variable).
I really want to avoid having to setfacl -m the /etc/krb5.keytab file, or having to create additional SELinux policy (should be easily done via audit2allow).

If anyone could point out my mistakes, that’d be a great help.
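As an added example, not from the original post or its answer: a small POSIX shell helper that sets KRB5_KTNAME for a systemctl-managed mongod through a systemd drop-in (an Environment= line under [Service] is inherited by the ExecStart process, whereas an ExecStartPre=/usr/bin/env VAR=... line only sets the variable inside that one short-lived pre-start command) and checks the keytab's owner and mode before pointing mongod at it. The keytab path and the mongod owner are taken from the post; the drop-in directory is the standard systemd convention and the drop-in file name is my choice.

```shell
#!/bin/sh
# Added example, not part of the original post: install a systemd drop-in so a
# systemctl-started mongod inherits KRB5_KTNAME, then verify the unit picked it up.
# Assumed: keytab path and owner from the post; the drop-in file name is arbitrary.
set -eu

KEYTAB="/data/mongodb/mongodb-svr.keytab"
DROPIN_DIR="/etc/systemd/system/mongod.service.d"

# Render the drop-in text for a given keytab path. Environment= under [Service]
# applies to ExecStart, unlike an ExecStartPre=/usr/bin/env VAR=... line.
render_dropin() {
    printf '[Service]\nEnvironment=KRB5_KTNAME=%s\n' "$1"
}

# Refuse to point mongod at a keytab that is missing, owned by the wrong user,
# or readable by anyone else (the post uses owner mongod and mode 0400).
check_keytab() {
    keytab=$1
    owner=${2:-mongod}
    [ -f "$keytab" ] || { echo "missing keytab: $keytab" >&2; return 1; }
    actual_owner=$(stat -c '%U' "$keytab")
    actual_mode=$(stat -c '%a' "$keytab")
    [ "$actual_owner" = "$owner" ] || { echo "owner is $actual_owner, expected $owner" >&2; return 1; }
    [ "$actual_mode" = "400" ] || { echo "mode is $actual_mode, expected 400" >&2; return 1; }
}

# Write the drop-in (needs root), reload units, and show the resulting unit
# environment and the keytab's SELinux label before restarting mongod, so a
# typo or a label mongod_t cannot read is caught before an outage.
install_dropin() {
    check_keytab "$KEYTAB"
    mkdir -p "$DROPIN_DIR"
    render_dropin "$KEYTAB" > "$DROPIN_DIR/krb5-keytab.conf"
    systemctl daemon-reload
    systemctl show mongod -p Environment
    ls -Z "$KEYTAB"
    systemctl restart mongod
}

# Only touch the system when explicitly asked: sh this_script.sh install
if [ "${1:-}" = "install" ]; then
    install_dropin
fi
```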

How to solve:


Method 1

When you run

mongod --tls --port 29000 --dbpath /data/mongodb --setParameter authenticationMechanisms=GSSAPI

then mongod does not read the config file /etc/mongod.conf. I suggest not mixing command-line parameters and the configuration file. Put all parameters into your config file /etc/mongod.conf and start your mongod with

mongod -f /etc/mongod.conf

The command line options seem to take precedence, so --setParameter authenticationMechanisms=GSSAPI overwrites your authenticationMechanisms: "GSSAPI,SCRAM-SHA-256,MONGODB-X509" in the /etc/mongod.conf file.


All methods were sourced from or, and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0
