GSSAPI Authentication failing on LINUX RHEL7 with .NET Core 2.1

Girish_Nair · February 20, 2021, 11:15pm

I am currently running a dockerized c# .NET Core 2.1 application on Linux.

My application connects to Mongo on windows using CreateGssapiCredential and works as expected.

When I try to run the same app in linux it fails with the error “An exception occurred while opening a connection to the server.”. Stack trace -

{
        "ClassName": "System.DllNotFoundException",
        "Message": "Unable to load shared library 'security.dll' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libsecurity.dll: cannot open shared object file: No such file or directory",
        "Data": null,
        "InnerException": null,
        "HelpURL": null,
        "StackTraceString": "   at MongoDB.Driver.Core.Authentication.Sspi.NativeMethods.AcquireCredentialsHandle(String principal, String package, SecurityCredentialUse credentialUsage, IntPtr logonId, IntPtr identity, Int32 keyCallback, IntPtr keyArgument, SspiHandle& credentialHandle, Int64& timestamp)\n   at MongoDB.Driver.Core.Authentication.Sspi.SecurityCredential.Acquire(SspiPackage package, String username, SecureString password)\n   at MongoDB.Driver.Core.Authentication.GssapiAuthenticator.FirstStep..ctor(String serviceName, String hostName, String realm, String username, SecureString password, SaslConversation conversation)\n   at MongoDB.Driver.Core.Authentication.GssapiAuthenticator.GssapiMechanism.Initialize(IConnection connection, SaslConversation conversation, ConnectionDescription description)\n   at MongoDB.Driver.Core.Authentication.SaslAuthenticator.Authenticate(IConnection connection, ConnectionDescription description, CancellationToken cancellationToken)\n   at MongoDB.Driver.Core.Authentication.AuthenticationHelper.Authenticate(IConnection connection, ConnectionDescription description, IReadOnlyList`1 authenticators, CancellationToken cancellationToken)\n   at MongoDB.Driver.Core.Connections.ConnectionInitializer.InitializeConnection(IConnection connection, CancellationToken cancellationToken)\n   at MongoDB.Driver.Core.Connections.BinaryConnection.OpenHelper(CancellationToken cancellationToken)",
        "RemoteStackTraceString": null,
        "RemoteStackIndex": 0,
        "ExceptionMethod": null,
        "HResult": -2146233052,
        "Source": "MongoDB.Driver.Core",
        "WatsonBuckets": null,
        "TypeLoadClassName": null,
        "TypeLoadAssemblyName": null,
        "TypeLoadMessageArg": null,
        "TypeLoadResourceID": 0
    }

I followed the documentation here for linux - Authenticate to MongoDB with the C# Driver — MongoDB Manual

and also the GSSAPI/Kerberos documentation here - mongo-csharp-driver/authentication.md at master · mongodb/mongo-csharp-driver · GitHub

This is the code that sets the connection -

var settings = new MongoClientSettings
            {
                Credential = MongoCredential.CreateGssapiCredential(test@testdomain.com)
                .WithMechanismProperty("CANONICALIZE_HOST_NAME", canonicalizeHostName),

                Servers = servers.Split(',').Select(s => new MongoServerAddress(s, port))
            };

            Database = new MongoClient(settings).GetDatabase(databaseName);

            _collectionName = collectionName ?? typeof(T).Name;
            _collection = Database.GetCollection<T>(collectionName);

Nothing seems to fix the problem. How do i get this .NET core 2.1 app to work in linux with GSSAPI?

James_Kovacs · February 23, 2021, 9:51pm

Hi, Girish,

Thank you for reaching out. We recently implemented GSSAPI/Kerberos support on Linux, which is now in our master branch but not in a stable release yet. We will be releasing it shortly in 2.12.0. More information can be found in https://jira.mongodb.org/browse/CSHARP-2474. (Note that the code for CSHARP-2474 did not make it into 2.12.0-beta1, but will be in the GA release.)

Your second documentation reference refers to the unreleased code that will be included in 2.12.0. The first documentation reference is to a very old 1.X-era driver that used libgsasl to implement Kerberos support. The 2.X-era driver implements Kerberos support on Windows using Windows-specific SASL APIs (present in security.dll) that have no direct Linux equivalent. Thus the DLL redirect technique documented in the 1.X documentation will not work with 2.X drivers.

You can either compile the 2.12.0 driver from source using the master branch or wait until we release the 2.12.0 NuGet package, which should happen in the next few weeks.

Sincerely,
James

Girish_Nair · February 24, 2021, 7:26pm

Thank you for the update.

Girish_Nair · February 27, 2021, 5:37pm

I compiled the 2.12.0 driver from source using master but i am still getting the same error - “Unable to load shared library ‘security.dll’ or one of its dependencies…”.

Is this document mongo-csharp-driver/authentication.md at master · mongodb/mongo-csharp-driver · GitHub upto date on what is required to get this working in RHEL?

As mentioned in the document i have libgssapi_krb5.so in the /usr/lib64/ and my dotnet core app is deployed under /app folder. This driver is looking for windows security.dll which does not exist in linux.

James_Kovacs · March 1, 2021, 6:21pm

Hi, Girish,

The linked documentation is up-to-date and the driver built from master has been tested against RHEL, Ubuntu, and a variety of other Linux distros.

If we detect that we are running on Linux (via RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) then we P/Invoke to libgssapi_krb5.so. If instead we detect running on Windows (via RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) then we P/Invoke to SSPI in security.dll. So it is rather surprising that the driver would be attempting to load security.dll on Linux.

Barring unforeseen events, we will be releasing the 2.12.0 driver in the next few days. Please try again with the official driver NuGet once it is released to see if it resolves your issue. If not, we will be happy to investigate further with you.

Sincerely,
James

James_Kovacs · March 3, 2021, 7:02pm

Hi, Girish,

The v2.12.0 release is now available on NuGet. Please try again with the official release and let us know if you encounter any issues.

Sincerely,
James

Girish_Nair · March 3, 2021, 9:46pm

it worked with v2.12.0. Thank you so much!!

James_Kovacs · March 4, 2021, 1:34am

That’s great news! We are glad that this new feature is working for you.

James

system · March 9, 2021, 1:36am

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.