mongodbdockerkerberos

No credentials were supplied, or the credentials were unavailable or inaccessible: No Kerberos credentials available

I have applied kerberos authentication on MongoDB linux server. Now I want to use the mongodb connection in NodeJS application. So I'm using it with the connection string. It's working fine in windows local.
When I run it in docker container then it gives below errors:

**No credentials were supplied, or the credentials were unavailable or inaccessible: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0)
**
Dockerfile:

FROM node:yxchia01/node-kerberos:18.20.4-alpine
WORKDIR /app
COPY ./package.json ./
RUN apk add --no-cache --virtual build-dependencies make gcc g++ python3 && \
  apk add --no-cache krb5-dev 

ENV PYTHON /usr/bin/python3

RUN npm install --force
COPY ./ ./
#Copying keytab and krb5 file
COPY ./krb5.conf /etc/krb5.conf
COPY ./keytab.keytab /etc/keytab.keytab

RUN chmod 777 /etc/keytab.keytab
RUN chmod 777 /etc/krb5.conf

# Setting environment variables for Kerberos
ENV KRB5_CONFIG=/etc/krb5.conf
ENV KRB5_KTNAME=/etc/keytab.keytab

CMD ["npm", "run", "dockerStart"]

I tried by copying keytab file and giving required permissions also. Used connection string:

mongodb://user_name@server_with_domain_name:27017/db_name?authMechanism=GSSAPI&authSource=$external

Solution

  • Do not copy the same keytab file for both client and server. The client should have a completely separate Kerberos principal (AD account without a SPN) and accordingly a separate keytab for that account. (Also, don't chmod it to 0777. Why would you need to do that?)

    For the client side, use KRB5_CLIENT_KTNAME instead of KRB5_KTNAME. The latter only specifies the keytab for 'acceptor' (server-side) use, but if you want Krb5 to automatically use a keytab to obtain tickets as client (initiator), you instead need to specify the _CLIENT_ keytab.

    You can also specify the client keytab via krb5.conf as default_client_keytab_name, or just place it under /var/lib/krb5/user/%{euid}/client.keytab which is the default default.

    (Client keytab is a relatively recent feature in MIT Krb5 v1.11. It should be already supported in your Docker base image, but in the past, it used to be necessary to "manually" obtain tickets and keep them refreshed using kstart or kinit – and it would still be necessary to do that for programs that use go-krb5 or other implementations.)