Show/Hide Toolbars

MongoDB Notes

Navigation: MongoDB Authentication

Authentication with Kerberos

Scroll Prev Top Next More

Mongo Authentication - Replica Set

Client Authentication


Internal Authentication


Operating System



In this procedure, you will configure a replica set using Kerberos for client authentication and keyfile for internal authentication.  In this example, three members are created for the replica set.  To avoid excessive duplication, the configuration files for only the first member are shown.  For the second and third member, make the appropriate changes to the port and paths in the configuration file.




You have installed the MIT Kerberos server on its own host computer.

You have installed the Kerberos client software on the computers where you will be running mongod.

You have created a service principal and keytab for each instance of mongod.

The keytab is locate in directory /etc.

You have created a user principal for user user1.

You have created a keyfile and placed it in directory /home/vagrant.

The replica set has been configured and a user with root role has been added.


Procedure (Ubuntu)


1.Create three mongod configuration files, one for each member of the replica set.  (See example below.)

2.In a terminal window, create the environmental variable KRB5_KTNAME.



export KRB5_KTNAME


3.Start each member of the replica set with a command similar to this, where initX.yaml is the name of the initial configuration file for the relevant member of the replica set.  Authentication is not enabled.


mongod -f init1.yaml

mongod -f init2.yaml

mongod -f init3.yaml


4.Log into the first MongoDB member with this command:


mongo --port 31210 --host 

Note: be sure to use the --host parameter and the fully qualified domain name of the mongod server which you are accessing.


5.Create one or more users in the $external database.  Be sure at least one of these users has permissions to create other users.


use $external

var user = {user: "user1@WAYSYSWEB.US.COM", roles: [{role: "userAdminAnyDatabase", db: "admin"}]}



6.Exit the MongoDB shell.

7.Stop all the mongod instances using the killall command in the Ubuntu shell.


killall mongod


8. Restart the mongod members with the addition of the --auth parameter, where aX.yaml is the relevant configuration file with Kerberos settings.


mongod -f a1.yaml --auth

mongod -f a2.yaml --auth

mongod -f a3.yaml --auth


9. Obtain a ticket-granting ticket from Kerberos for your user, for example user1.  The command will prompt you for the password for user1.  Enter this password.


 kinit user1@WAYSYSWEB.US.COM


11. Log into the primary member of the replica set with the MongoDB shell:


mongo --port 31210 --host 


12. In the MongoDB shell, authenticate with this command:


use $external

db.auth({mechanism: "GSSAPI", user: "user1@WAYSYSWEB.US.COM"})


Example mongod Configuration File with Kerberos Settings


Below is an example of a mongod configuration file indicating that authentication will use Kerberos.  Note that the parameter authenticationMechanisms is set to GSSAPI.  Also the clusterAuthMode and keyFile settings have been added in.



  destination: file

  path:  /home/vagrant/data/r0/mongodb.log


  dbPath: /home/vagrant/data/r0 


  fork: true


  clusterAuthMode: keyFile

  keyFile: /home/vagrant/mk



  port: 31210


   replSetName: repl


   authenticationMechanisms: GSSAPI    




If you try to authenticate in the MongoDB shell without selecting the $external database, you will receive an error:


Error: Missing expected field "pwd"


If you have not executed the kinit command in Step 10 above to obtain a ticket-granting ticket, and then you attempt to authenticate in the MongoDB shell, you get an error similar to this:


Error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)




Configure MongoDB with Kerberos Authentication on Linux