Troubleshoot Kerberos AuthenticationKerberos身份验证疑难解答

mongokerberos Validation Tool验证工具

Introduced alongside MongoDB 4.4, the mongokerberos program provides a convenient method to verify your platform's Kerberos configuration for use with MongoDB, and to test that Kerberos authentication from a MongoDB client works as expected.mongokerberos程序与MongoDB 4.4一起推出，它提供了一种方便的方法来验证平台的Kerberos配置，以便与MongoDB一起使用，并测试MongoDB客户端的Kerberos身份验证是否按预期工作。

The mongokerberos tool can help diagnose common configuration issues, and is the recommended place to start when troubleshooting your Kerberos configuration. mongokerberos工具可以帮助诊断常见的配置问题，并且是解决Kerberos配置故障时的建议起点。See the mongokerberos documentation for more information.有关更多信息，请参阅mongokerberos文档。

mongokerberos is available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。

Kerberos Configuration Debugging StrategiesKerberos配置调试策略

If you have difficulty starting or authenticating against mongod or mongos with Kerberos:如果您难以使用Kerberos启动mongod或mongos或进行身份验证：

• Ensure that you are running MongoDB Enterprise, not MongoDB Community Edition. 确保您运行的是MongoDB Enterprise，而不是MongoDB Community Edition。Kerberos authentication is a MongoDB Enterprise feature and will not work with MongoDB Community Edition binaries.Kerberos身份验证是MongoDB Enterprise的一项功能，不能与MongoDB Community Edition二进制文件一起使用。

  To verify that you are using MongoDB Enterprise, pass the --version command line option to the mongod or mongos:要验证您是否使用MongoDB Enterprise，请将--version命令行选项传递给mongod或mongos：

  mongod --version

  In the output from this command, look for the string modules: subscription or modules: enterprise to confirm you are using the MongoDB Enterprise binaries.在该命令的输出中，查找字符串modules:subscription或modules:enterprise，以确认您正在使用MongoDB enterprise二进制文件。

• Ensure that the canonical system hostname of the mongod or mongos instance is a resolvable, fully qualified domain name.

  On Linux, you can verify the system hostname resolution with the hostname -f command at the system prompt.在Linux上，可以在系统提示符下使用hostname -f命令验证系统主机名解析。

• On Linux, ensure that the primary component of the service principal name (SPN) of the SPN is mongodb. If the primary component of the SPN is not mongodb, you must specify the primary component using --setParameter saslServiceName.

• On Linux, ensure that the instance component of the service principal name (SPN) in the keytab file matches the canonical system hostname of the mongod or mongos instance. If the mongod or mongos instance's system hostname is not in the keytab file, authentication will fail with a GSSAPI error acquiring credentials. error message.

  If the hostname of your mongod or mongos instance as returned by hostname -f is not fully qualified, use --setParameter saslHostName to set the instance's fully qualified domain name when starting your mongod or mongos.

• Ensure that each host that runs a mongod or mongos instance has A and PTR DNS records to provide both forward and reverse DNS lookup. The A record should map to the mongod or mongos's FQDN.
• Ensure that clocks on the servers hosting your MongoDB instances and Kerberos infrastructure are within the maximum time skew: 5 minutes by default. Time differences greater than the maximum time skew prevent successful authentication.

Kerberos Trace Logging on LinuxLinux上的Kerberos跟踪日志

MIT Kerberos provides the KRB5_TRACE environment variable for trace logging output. If you are having persistent problems with MIT Kerberos on Linux, you can set KRB5_TRACE when starting your mongod, mongos, or mongosh instances to produce verbose logging.

For example, the following command starts a standalone mongod whose keytab file is at the default /etc/krb5.keytab path and sets KRB5_TRACE to write to /logs/mongodb-kerberos.log:

env KRB5_KTNAME=/etc/krb5.keytab \
    KRB5_TRACE=/logs/mongodb-kerberos.log \
    mongod --dbpath /data/db --logpath /data/db/mongodb.log \
    --auth --setParameter authenticationMechanisms=GSSAPI \
    --bind_ip localhost,<hostname(s)|ip address(es)> --fork

Common Error Messages常见错误消息

In some situations, MongoDB will return error messages from the GSSAPI interface if there is a problem with the Kerberos service. 在某些情况下，如果Kerberos服务出现问题，MongoDB将从GSSAPI接口返回错误消息。Some common error messages are:一些常见的错误消息包括：

GSSAPI error in client while negotiating security context.

This error occurs on the client and reflects insufficient credentials or a malicious attempt to authenticate.此错误发生在客户端上，反映凭据不足或恶意尝试进行身份验证。

If you receive this error, ensure that you are using the correct credentials and the correct fully qualified domain name when connecting to the host.如果收到此错误，请确保在连接到主机时使用正确的凭据和正确的完全限定域名。

GSSAPI error acquiring credentials.

This error occurs during the start of the mongod or mongos and reflects improper configuration of the system hostname or a missing or incorrectly configured keytab file.