GSSException: no valid credentials (mechanism level: could not find any Kerberos tgt)

I am quite new to setting up MongoDB + Java. I am trying to establish a connection to a remote MongoDB server from a Java application. I want to use the GSSAPI mechanism to connect with mongoTemplate. The code below has been executed successfully. Below is the code from my configuration file.

    List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
    ServerAddress address = new ServerAddress(host, port);
    serverAddresses.add(address);
    List<MongoCredential> credentials = new ArrayList<MongoCredential>();
    // MongoCredential is immutable: withMechanismProperty returns a new instance,
    // so the result has to be kept instead of discarded.
    MongoCredential credential = MongoCredential.createGSSAPICredential(userName)
            .withMechanismProperty("SERVICE_NAME", gssapiServiceName)
            .withMechanismProperty("CANONICALIZE_HOST_NAME", true);
    credentials.add(credential);
    return new MongoClient(serverAddresses, credentials);

But when I try to execute the code below, I get an exception:

    DB db = mongoTemplate.getDb();
    Set<String> dbCollections1 = db.getCollectionNames();

The exception:

    GSSException: no valid credentials (mechanism level: could not find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
        at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.javarige27)
        at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62)
        at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154)
        at com.mongodb.DBPort$GSSAPIAuthenticator.getGSSCredential(DBPort.java:622)
        at com.mongodb.DBPort$GSSAPIAuthenticator.createSaslClient(DBPort.java//93)
        at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:895)
        at com.mongodb.DBPort.authenticate(DBPort.java:432)
        at com.mongodb.DBPort.checkAuth(DBPort.java:443)
        at com.mongodb.DBTCPConnector.innerCall(DBTCPConnector.java:289)
        at com.mongodb.DBTCPConnector.call(DBTCPConnector.java:269)
        at com.mongodb.DBCollectionImpl.find(DBCollectionImpl.java:84)
        at com.mongodb.DB.command(DB.javahaps20)
        at com.mongodb.DB.command(DB.java:299)
        at com.mongodb.DB.command(DB.javahaps88)
        at com.mongodb.DBApiLayer.getCollectionNames(DBApiLayer.java:152)

+9
java spring spring-mvc spring-security-kerberos mongodb
3 answers

A million thanks to everyone who answered and looked at my question.

After adding some system properties and a new conf file, I can finally connect to the MongoDB server. The updated code is:

    try {
        // Kerberos client configuration: realm and KDC
        System.setProperty("java.security.krb5.conf", "C:/mongodb/UnixKeytab/krb5.conf");
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "example.com");
        // Let GSS fall back to the JAAS login entry when no Subject is on the thread
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("java.security.auth.login.config", "C:/mongodb/UnixKeytab/gss-jaas.conf");

        List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
        ServerAddress address = new ServerAddress(host, port);
        serverAddresses.add(address);
        List<MongoCredential> credentials = new ArrayList<MongoCredential>();
        MongoCredential credential = MongoCredential.createGSSAPICredential(username);
        credentials.add(credential);
        MongoClient mongoClient1 = new MongoClient(serverAddresses, credentials);
        DB db = mongoClient1.getDB(database);
    } catch (UnknownHostException e) {
        e.printStackTrace();
    }

My krb5.conf file looks like this:

    [libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des-cbc-md5 rc4-hmac
        default_tgs_enctypes = des-cbc-md5 rc4-hmac
        default_keytab_name = <keytab file path>

    [realms]
        EXAMPLE.COM = {
            kdc = example.com
            master_kdc = example.com
            default_domain = EXAMPLE.COM
        }
        INTRANET = {
            kdc = example.com
            master_kdc = example.com
            default_domain = example.com
        }

My gss-jaas.conf looks like this:

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        useTicketCache=false
        principal="my-account@MY_REALM"
        doNotPrompt=true
        keyTab="path-to-my-keytab-file"
        debug=true;
    };

The code I posted works for me. Hope this works for others.

+9

We add some information to this post, since it is extremely useful already.

If Sasl/createSaslClient is not executed in the Subject:doAs that is extracted from LoginContext, the credentials will not be obtained from the krb5.conf file. I.e., the GSS code looks at the current thread security manager for the Subject, which is registered with the Subject:doAs, and then uses the credentials of this object. This Subject should be obtained through JAAS, which, in turn, will read the correct jaas and krb5.conf, but if you do not run the sasl and saslclient methods inside the Subject:doAs, all this does not matter.

You can get around this by setting javax.security.auth.useSubjectCredsOnly=false, which means that if no credentials are found, some default names will be searched for in the jaas file (see LoginConfigImpl.java#92); one of them is com.sun.security.jgss.initiate.

e.g.

    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        useTicketCache=true
        useKeyTab=true
        keyTab="mykeytab"
        principal="service/host@REALM";
    };
+2
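
The Subject.doAs route described in this answer, as an added example that is not part of the original answer: log in through JAAS explicitly and run the first database call inside `Subject.doAs`, so the GSS code finds the TGT on the Subject without `useSubjectCredsOnly=false`. It assumes the 2.x driver API used in the question, where the stack trace shows authentication running on the calling thread; the class name, principal, keytab and krb5.conf paths, host and database name are placeholders.

```java
import com.mongodb.MongoClient;
import com.mongodb.MongoCredential;
import com.mongodb.ServerAddress;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import java.security.PrivilegedExceptionAction;
import java.util.*;

public class MongoKerberosDoAs {
    // Placeholders assumed for this example; none of them come from the page.
    static final String PRINCIPAL = "my-account@EXAMPLE.COM";
    static final String KEYTAB = "/path/to/my-account.keytab";

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", "/path/to/krb5.conf");
        // In-memory equivalent of a keytab-based entry in gss-jaas.conf.
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");
        options.put("keyTab", KEYTAB);
        options.put("principal", PRINCIPAL);
        options.put("doNotPrompt", "true");
        Configuration jaas = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, options) };
            }
        };
        // login() fetches the TGT from the KDC; a bad keytab or principal fails
        // here with a LoginException instead of later inside the driver.
        LoginContext login = new LoginContext("mongo-client", null, null, jaas);
        login.login();
        MongoClient client = new MongoClient(
                Arrays.asList(new ServerAddress("mongo.example.com", 27017)),
                Arrays.asList(MongoCredential.createGSSAPICredential(PRINCIPAL)));
        // The 2.x driver authenticates on the calling thread at first use, so
        // the call must run inside doAs for GSS to find the Subject's TGT.
        Set<String> names = Subject.doAs(login.getSubject(),
                (PrivilegedExceptionAction<Set<String>>) () ->
                        client.getDB("mydb").getCollectionNames());
        System.out.println(names);
        client.close();
        login.logout();
    }
}
```

Every thread that makes the driver open and authenticate a new connection needs the same `doAs` wrapper; where that is not practical, the `javax.security.auth.useSubjectCredsOnly=false` setting from the answers is the fallback.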

I encountered the same error "Mechanism level: could not find any Kerberos tgt". My problem is different from yours, but it may be useful to others with the same error.

In my case, this was caused by a misspelled principal name in one of my configuration files.

I suggest checking the Jaas LoginManager configuration file (provided with java.security.auth.login.config) and policy files for managers. A typical mistake is a lower case domain name: gino@authdemo.it instead of gino@AUTHDEMO.IT

If you set / reference the principal programmatically, you can also check the correctness of the principal name in your code. Regards

+1
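
A check for the mistake described in this answer, as an added example in Java that is not from any of the posters: it compares each `principal="..."` in a JAAS login file with the realms declared in krb5.conf (realm names are case-sensitive) and also flags DES/RC4 enctypes like those in the krb5.conf posted above. The class name and the sample files are constructed for the example, and realms are taken to be the `NAME = {` blocks directly under `[realms]`.

```java
import java.util.*;
import java.util.regex.*;

public class KerberosConfigLint {
    /** Returns findings for a JAAS login config checked against a krb5.conf. */
    static List<String> lint(String jaasConf, String krb5Conf) {
        List<String> findings = new ArrayList<>();
        // Realm names declared as "NAME = {" inside the [realms] section.
        Matcher sec = Pattern.compile("(?s)\\[realms\\](.*?)(?=\\n\\s*\\[|\\z)").matcher(krb5Conf);
        Set<String> realms = new LinkedHashSet<>();
        Matcher r = Pattern.compile("(?m)^\\s*(\\S+)\\s*=\\s*\\{")
                .matcher(sec.find() ? sec.group(1) : "");
        while (r.find()) realms.add(r.group(1));
        // Every principal="..." must be free of whitespace and carry a realm that
        // matches krb5.conf exactly: realm names are case-sensitive.
        Matcher p = Pattern.compile("principal\\s*=\\s*\"([^\"]*)\"").matcher(jaasConf);
        while (p.find()) {
            String principal = p.group(1);
            String realm = principal.substring(principal.lastIndexOf('@') + 1);
            if (principal.matches(".*\\s.*")) {
                findings.add("whitespace in principal \"" + principal + "\"");
            } else if (!principal.contains("@")) {
                findings.add("no realm in principal " + principal);
            } else if (!realms.contains(realm)) {
                String hint = "";
                for (String known : realms)
                    if (known.equalsIgnoreCase(realm)) hint = " (case differs from " + known + ")";
                findings.add("realm " + realm + " not in krb5.conf" + hint);
            }
        }
        // DES and RC4 enctypes are deprecated (RFC 6649, RFC 8429).
        Matcher e = Pattern.compile("(?m)^\\s*(\\w+_enctypes)\\s*=\\s*(.*)$").matcher(krb5Conf);
        while (e.find())
            for (String t : e.group(2).trim().split("[\\s,]+"))
                if (t.startsWith("des-") || t.startsWith("rc4-") || t.startsWith("arcfour-"))
                    findings.add("weak enctype " + t + " in " + e.group(1));
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample input reproducing the lower-case realm typo.
        String jaas = "com.sun.security.jgss.initiate {\n"
            + " com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true\n"
            + " keyTab=\"/path/to/keytab\" principal=\"gino@authdemo.it\";\n};\n";
        String krb5 = "[libdefaults]\n default_tkt_enctypes = des-cbc-md5 rc4-hmac\n"
            + "[realms]\n AUTHDEMO.IT = {\n  kdc = kdc.authdemo.it\n }\n";
        for (String f : lint(jaas, krb5)) System.out.println(f);
    }
}
```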