MongoDB 4.4 Enterprise and Kerberos Authentication

I am trying to set up Kerberos authentication to work with MongoDB Enterprise 4.4.
My OS is CentOS 8.
I have configured SELinux as described in https://docs.mongodb.com/manual/tutorial/install-mongodb-enterprise-on-red-hat/.

Summary
In summary, I have no problem starting the mongod service if I follow the example shown by MongoDB docs (https://docs.mongodb.com/manual/tutorial/control-access-to-mongodb-with-kerberos-authentication/):

env KRB5_KTNAME=/data/mongodb/mongodb-svr.keytab mongod --tls --port 29000 --dbpath /data/mongodb --setParameter authenticationMechanisms=GSSAPI

(My instance has TLS activated and it’s running using a custom port)

But once I tried to start the service using systemctl, it just didn’t want to run.

Objective
What I want to achieve is to successfully use systemctl to stop/start the mongod service.

In essence, my /etc/mongod.conf is as follows:

security:
  authorization: enabled
  ldap:
    servers: myldap.mydomain.com:636
    bind:
      queryUser: LDAPQuery@mydomain.com
      queryPassword: somepassword
    transportSecurity: tls
setParameter:
  authenticationMechanisms: "PLAIN,SCRAM-SHA-256,MONGODB-X509"

The Setup
What I have for setup:

  1. I’m using Active Directory (Windows Server 2019) and CentOS 8.

  2. I have configured the LDAP so it’s accepting TLS/SSL (also have tested that everything works using LDAPAdmin.exe tool from another Windows machine).

  3. No issue running kinit or klist from the MongoDB machine.

  4. I have successfully integrated LDAP authentication with MongoDB before this (using simple option for bind).

  5. I have no issue authenticating to the MongoDB instance as one of the domain users using LDAP integration (by configuring the userToDNMapping and authz.queryTemplate parameters).

  6. Custom MongoDB port: tcp/29000

  7. Custom MongoDB data path: /data/mongodb

  8. The CentOS 8 machine has already joined the domain (using realm join).

Configuration So Far
Now, I have tried to do the following for making Kerberos work:

  1. Created a Managed Service Account (svc_mongodb) on AD.

  2. Created the SPN as follows:

setspn -S mongodb/mongodb-svr.mydomain.com:29000@MYDOMAIN.COM svc_mongodb

  3. Created the keytab file using ktpass:

ktpass /out mongodb-svr.keytab /princ mongodb/mongodb-svr.mydomain.com:29000@MYDOMAIN.COM /mapuser svc_mongod /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass somepassword

  4. Put the keytab at /data/mongodb/mongodb-svr.keytab (on the CentOS machine). Also chown and chmod it to the mongod user and 400.

  5. Start the mongod service from the command line (this works):

env KRB5_KTNAME=/data/mongodb/mongodb-svr.keytab mongod --tls --port 29000 --dbpath /data/mongodb --setParameter authenticationMechanisms=GSSAPI

What Failed
However, when I change the /etc/mongod.conf to this:

setParameter:
  authenticationMechanisms: "GSSAPI,SCRAM-SHA-256,MONGODB-X509"

I got this error:
Unspecified GSS failure. Minor code may provide more information; Minor code 13; Permission denied

Looking at the audit log, I noticed this:

type=AVC msg=audit(1624773960.885:206): avc:  denied  { open } for  pid=2771 comm="mongod" path="/etc/krb5.keytab" dev="dm-0" ino=8388741 scontext=system_u:system_r:mongod_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file permissive=0

Okay, that’s expected, since I haven’t configured the SELinux file context so that mongod can open it.
But I don’t want to if possible, because I want to use the specific keytab file instead.

What I Have Tried

  1. I tried to follow https://docs.mongodb.com/manual/tutorial/control-access-to-mongodb-with-kerberos-authentication/#std-label-setting-krb5_ktname by editing /etc/sysconfig/mongod on my CentOS 8.

  2. I tried to edit the systemctl service file (/usr/lib/systemd/system/mongod.service) to add this line (afterwards running systemctl daemon-reload):

ExecStartPre=/usr/bin/env KRB5_KTNAME=/data/mongodb/mongodb-svr.keytab

  3. Created a .profile under the mongod user’s home directory and exported the KRB5_KTNAME variable there.

  4. Created a krb.sh under the /etc/profile.d directory and exported the KRB5_KTNAME variable there.

None of the above worked so far.
So I’m confused as to why (and how exactly can I set this variable).
I really want to avoid having to setfacl -m the /etc/krb5.keytab file, or having to create additional SELinux policy (should be easily done via audit2allow).

If anyone could point out my mistakes, that’d be of great help.
Thanks!
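The "What I Have Tried" section above puts the variable into ExecStartPre=/usr/bin/env ..., but a variable set that way lives only in that short-lived env process and never reaches the mongod process started by ExecStart=; the same goes for .profile and /etc/profile.d, which only login shells read. The mechanism systemd provides for this is the Environment= directive, placed in a drop-in so the vendor unit file is not edited. The script below is an added example, not part of the original post or of MongoDB's own documentation; it assumes the unit is named mongod.service and uses the keytab path from the post, and the drop-in file name krb5-keytab.conf is chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a systemd drop-in that sets
# KRB5_KTNAME for mongod via Environment=, then checks the keytab's owner and mode.
# Assumptions: unit name mongod.service; drop-in file name krb5-keytab.conf (chosen
# here); keytab path /data/mongodb/mongodb-svr.keytab (taken from the post).

KEYTAB_DEFAULT=/data/mongodb/mongodb-svr.keytab

# Render the drop-in body. Only the keys that differ from the vendor unit belong
# here; everything else is inherited from /usr/lib/systemd/system/mongod.service.
render_dropin() {
    printf '[Service]\nEnvironment=KRB5_KTNAME=%s\n' "$1"
}

# Write the drop-in under a systemd configuration root (default /etc/systemd/system)
# and print the path written. Pass a temporary root to preview without touching /etc.
write_dropin() {
    keytab="${1:-$KEYTAB_DEFAULT}"
    root="${2:-/etc/systemd/system}"
    dir="$root/mongod.service.d"
    mkdir -p "$dir" || return 1
    render_dropin "$keytab" > "$dir/krb5-keytab.conf" || return 1
    printf '%s\n' "$dir/krb5-keytab.conf"
}

# Read back the keytab path from a drop-in file (prints nothing if none is set).
dropin_keytab() {
    sed -n 's/^Environment=KRB5_KTNAME=//p' "$1"
}

# Return 0 when the keytab is readable only by its owner (mode exactly 0400) and is
# owned by the expected user (default mongod); otherwise report why and return 1.
# Uses find(1) primaries only, so it works with both GNU and BSD userlands.
keytab_perms_ok() {
    file="$1"
    owner="${2:-mongod}"
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    [ -n "$(find "$file" -prune -perm 400)" ] || { echo "mode of $file is not 400"; return 1; }
    [ -n "$(find "$file" -prune -user "$owner")" ] || { echo "$file is not owned by $owner"; return 1; }
    return 0
}

# Typical use on the server (as root):
#   write_dropin /data/mongodb/mongodb-svr.keytab
#   systemctl daemon-reload
#   systemctl show mongod -p Environment      # should now list KRB5_KTNAME=...
#   keytab_perms_ok /data/mongodb/mongodb-svr.keytab
#   ls -Z /data/mongodb/mongodb-svr.keytab    # label must be one mongod_t may read
#   systemctl restart mongod
```

After daemon-reload, `systemctl show mongod -p Environment` is the quick check that the variable actually reached the unit; if it is listed there but mongod still opens /etc/krb5.keytab, the remaining suspect is the SELinux label on the custom keytab rather than the variable, and `ls -Z` on the file will show whether it carries the same context as the rest of the custom dbpath.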