From 571a3041c71c37e9393a9d7651cda74011ec20fd Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Tue, 24 Feb 2026 10:26:16 -0300 Subject: [PATCH 01/21] Update authentication.md --- docs/details/authentication.md | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 10287579..da6bdd36 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -129,20 +129,31 @@ For external authentication, you create the `pbm` user in the format used by the For [Kerberos authentication :octicons-link-external-16:](https://docs.percona.com/percona-server-for-mongodb/latest/authentication.html#kerberos-authentication), create the `pbm` user in the `$external` database in the format `` (e.g. [pbm@PERCONATEST.COM](mailto:pbm@PERCONATEST.COM)). -Specify the following string for MongoDB connection URI: +1. Set the env variable `KRB5_CLIENT_KTNAME` with the path to the generated keytab for `pbm` user. -```bash -PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" -``` + ```bash + export KRB5_CLIENT_KTNAME=/path/to/keytab + ``` + +2. Obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**: + + ```bash + sudo -u {USER} kinit pbm@PERCONATEST.COM + ``` -Note that you must first obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**: + Note that the `{USER}` is the user that you will run the `pbm-agent` process. PBM doesn't refresh its ticket, so when it expires you need to get a new one. + +3. Specify the following string for MongoDB connection URI with only the username: + ```bash + PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" + ``` + +You can alternatively authenticate using a connection string URI specifying your URL-encoded Kerberos principal, password, and the address of your MongoDB server: ```bash -sudo -u {USER} kinit pbm +PBM_MONGODB_URI="mongodb://%40:@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" ``` -Note that the `{USER}` is the user that you will run the `pbm-agent` process. - ### LDAP binding For [authentication and authorization via Native LDAP :octicons-link-external-16:](https://docs.percona.com/percona-server-for-mongodb/latest/authorization.html#authentication-and-authorization-with-direct-binding-to-ldap), you only create roles for LDAP groups in MongoDB as the users are stored and managed on the LDAP server. However, you still define the `$external` database as your authentication source: From 8aab741a3cfa495d288789a6d7899151e698008f Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Tue, 24 Feb 2026 10:30:27 -0300 Subject: [PATCH 02/21] Update authentication.md --- docs/details/authentication.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index da6bdd36..a127729b 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -131,22 +131,23 @@ For [Kerberos authentication :octicons-link-external-16:](https://docs.percona.c 1. Set the env variable `KRB5_CLIENT_KTNAME` with the path to the generated keytab for `pbm` user. - ```bash - export KRB5_CLIENT_KTNAME=/path/to/keytab - ``` + ```bash + export KRB5_CLIENT_KTNAME=/path/to/keytab + ``` 2. Obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**: - ```bash - sudo -u {USER} kinit pbm@PERCONATEST.COM - ``` + ```bash + sudo -u {USER} kinit pbm@PERCONATEST.COM + ``` Note that the `{USER}` is the user that you will run the `pbm-agent` process. PBM doesn't refresh its ticket, so when it expires you need to get a new one. 3. Specify the following string for MongoDB connection URI with only the username: - ```bash - PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" - ``` + + ```bash + PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" + ``` You can alternatively authenticate using a connection string URI specifying your URL-encoded Kerberos principal, password, and the address of your MongoDB server: From 2404353dc0e75e4f2a2fb88b2b4e213b9e61e527 Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Tue, 24 Feb 2026 10:43:03 -0300 Subject: [PATCH 03/21] Update authentication.md --- docs/details/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index a127729b..ce009712 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -141,7 +141,7 @@ For [Kerberos authentication :octicons-link-external-16:](https://docs.percona.c sudo -u {USER} kinit pbm@PERCONATEST.COM ``` - Note that the `{USER}` is the user that you will run the `pbm-agent` process. PBM doesn't refresh its ticket, so when it expires you need to get a new one. + Note that the `{USER}` is the user that you will run the `pbm-agent` process. PBM doesn't refresh its ticket, so when it expires you need to get a new one. 3. Specify the following string for MongoDB connection URI with only the username: From 723981d7839d3406f37f2314d90c69fd21f5d061 Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Tue, 24 Feb 2026 12:17:40 -0300 Subject: [PATCH 04/21] Update authentication.md --- docs/details/authentication.md | 60 +++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 19 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index ce009712..6858ac35 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -129,31 +129,53 @@ For external authentication, you create the `pbm` user in the format used by the For [Kerberos authentication :octicons-link-external-16:](https://docs.percona.com/percona-server-for-mongodb/latest/authentication.html#kerberos-authentication), create the `pbm` user in the `$external` database in the format `` (e.g. [pbm@PERCONATEST.COM](mailto:pbm@PERCONATEST.COM)). -1. Set the env variable `KRB5_CLIENT_KTNAME` with the path to the generated keytab for `pbm` user. +You can choose any of these methods to authenticate `pbm` user against Kerberos: - ```bash - export KRB5_CLIENT_KTNAME=/path/to/keytab - ``` - -2. Obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**: - - ```bash - sudo -u {USER} kinit pbm@PERCONATEST.COM - ``` +=== "Using a Keytab (Recommended)" - Note that the `{USER}` is the user that you will run the `pbm-agent` process. PBM doesn't refresh its ticket, so when it expires you need to get a new one. + 1. Set the env variable `KRB5_CLIENT_KTNAME` with the path to the generated keytab for `pbm` user. This way no password is required to get the ticket. + + ```bash + export KRB5_CLIENT_KTNAME=/path/to/keytab + ``` + + 2. Obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**: + + ```bash + sudo -u {USER} kinit -t /path/to/keytab pbm@PERCONATEST.COM + ``` + + Note that the `{USER}` is the user that you will run the `pbm-agent` process. PBM doesn't refresh its ticket, so when it expires you need to get a new one. + + 3. Specify the following string for MongoDB connection URI with only the username: + + ```bash + PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" + ``` -3. Specify the following string for MongoDB connection URI with only the username: +=== "Requesting a ticket manually" - ```bash - PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" - ``` + 1. Obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**. Kerberos will prompt you for the password and issue a Ticket-Granting Ticket (TGT): + + ```bash + sudo -u {USER} kinit pbm@PERCONATEST.COM + ``` + + Note that the `{USER}` is the user that you will run the `pbm-agent` process. PBM doesn't refresh its ticket, so when it expires you need to get a new one. + + 2. Specify the following string for MongoDB connection URI with only the username: + + ```bash + PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" + ``` -You can alternatively authenticate using a connection string URI specifying your URL-encoded Kerberos principal, password, and the address of your MongoDB server: +=== "Using username and password" -```bash -PBM_MONGODB_URI="mongodb://%40:@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" -``` + You can authenticate using a connection string URI specifying your URL-encoded Kerberos principal, password, and the address of your MongoDB server: + + ```bash + PBM_MONGODB_URI="mongodb://%40:@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" + ``` ### LDAP binding From 5be78a4ac0403c7cdd9b674badf8e1090f3801cf Mon Sep 17 00:00:00 2001 From: Ivan Groenewold <9805809+igroene@users.noreply.github.com> Date: Tue, 24 Feb 2026 12:52:05 -0300 Subject: [PATCH 05/21] Update docs/details/authentication.md Co-authored-by: Sandra Romanchenko <53295797+sandraromanchenko@users.noreply.github.com> --- docs/details/authentication.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 6858ac35..1563cdd2 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -139,13 +139,6 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: export KRB5_CLIENT_KTNAME=/path/to/keytab ``` - 2. Obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**: - - ```bash - sudo -u {USER} kinit -t /path/to/keytab pbm@PERCONATEST.COM - ``` - - Note that the `{USER}` is the user that you will run the `pbm-agent` process. PBM doesn't refresh its ticket, so when it expires you need to get a new one. 3. Specify the following string for MongoDB connection URI with only the username: From 412cb21f9cc9dd7d0a2554d936fd0e7c4043d09e Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Mon, 2 Mar 2026 12:50:46 +0530 Subject: [PATCH 06/21] Minor changes --- docs/details/authentication.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 1563cdd2..9b24bacb 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -154,9 +154,10 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: sudo -u {USER} kinit pbm@PERCONATEST.COM ``` - Note that the `{USER}` is the user that you will run the `pbm-agent` process. PBM doesn't refresh its ticket, so when it expires you need to get a new one. + !!! note + Run the `pbm-agent` process as **{USER}**. PBM does not refresh its authentication ticket automatically, so when the ticket expires you must obtain a new one. - 2. Specify the following string for MongoDB connection URI with only the username: + 2. Specify the following string for the MongoDB connection URI with only the username: ```bash PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" From 2882b5a08df8c9efb15ba0431cc42d03a7b8782e Mon Sep 17 00:00:00 2001 From: Radoslaw Szulgo Date: Mon, 2 Mar 2026 14:56:13 +0100 Subject: [PATCH 07/21] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/details/authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 9b24bacb..baa92e4b 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -133,14 +133,14 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: === "Using a Keytab (Recommended)" - 1. Set the env variable `KRB5_CLIENT_KTNAME` with the path to the generated keytab for `pbm` user. This way no password is required to get the ticket. + 1. Set the environment variable `KRB5_CLIENT_KTNAME` with the path to the generated keytab for the `pbm` user. This way no password is required to get the ticket. ```bash export KRB5_CLIENT_KTNAME=/path/to/keytab ``` - 3. Specify the following string for MongoDB connection URI with only the username: + 2. Specify the following string for MongoDB connection URI with only the username: ```bash PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" From 9d458e334033f8dc498b50f8b7fc8b0acd2ded2e Mon Sep 17 00:00:00 2001 From: Radoslaw Szulgo Date: Mon, 2 Mar 2026 14:59:42 +0100 Subject: [PATCH 08/21] Apply suggestions from code review --- docs/details/authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index baa92e4b..117f41f2 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -140,7 +140,7 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: ``` - 2. Specify the following string for MongoDB connection URI with only the username: + 2. Specify the following MongoDB connection URI without the password: ```bash PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" @@ -157,7 +157,7 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: !!! note Run the `pbm-agent` process as **{USER}**. PBM does not refresh its authentication ticket automatically, so when the ticket expires you must obtain a new one. - 2. Specify the following string for the MongoDB connection URI with only the username: + 2. Specify the following MongoDB connection URI without the password. ```bash PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" From 7945a9459be2ef340ae682fa48a3876104d91a2a Mon Sep 17 00:00:00 2001 From: Radoslaw Szulgo Date: Mon, 2 Mar 2026 15:22:52 +0100 Subject: [PATCH 09/21] Update docs/details/authentication.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/details/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 117f41f2..52ebd852 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -151,7 +151,7 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: 1. Obtain the ticket for the `pbm` user with the `kinit` command before you start the **pbm-agent**. Kerberos will prompt you for the password and issue a Ticket-Granting Ticket (TGT): ```bash - sudo -u {USER} kinit pbm@PERCONATEST.COM + sudo -u {USER} kinit @ ``` !!! note From bac00f4b908e19839380965e619d705665836687 Mon Sep 17 00:00:00 2001 From: Rasika Chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 14:09:19 +0530 Subject: [PATCH 10/21] Update docs/details/authentication.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- docs/details/authentication.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 52ebd852..e566a5ed 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -165,11 +165,13 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: === "Using username and password" - You can authenticate using a connection string URI specifying your URL-encoded Kerberos principal, password, and the address of your MongoDB server: + You can authenticate using a connection string URI specifying your URL-encoded Kerberos principal and password, and the address of your MongoDB server: ```bash PBM_MONGODB_URI="mongodb://%40:@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" ``` + + Make sure that `` is also percent-encoded if it contains reserved characters (see [Passwords with special characters](#passwords-with-special-characters)). ### LDAP binding From 5b8f26ebdbf0ad73bdbffa8b288ef57e5097778d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 5 Mar 2026 08:44:35 +0000 Subject: [PATCH 11/21] Initial plan From ccc6e6184d600f4c5a74f0e5445a21c62b9d0b4d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 5 Mar 2026 08:45:50 +0000 Subject: [PATCH 12/21] Clarify {USER} placeholder and fix formatting consistency in Kerberos manual ticket section Co-authored-by: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> --- docs/details/authentication.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index e566a5ed..cb59fcad 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -154,8 +154,10 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: sudo -u {USER} kinit @ ``` + where `{USER}` is the OS user account that runs the `pbm-agent` process. + !!! note - Run the `pbm-agent` process as **{USER}**. PBM does not refresh its authentication ticket automatically, so when the ticket expires you must obtain a new one. + Run the `pbm-agent` process as `{USER}`. PBM does not refresh its authentication ticket automatically, so when the ticket expires you must obtain a new one. 2. Specify the following MongoDB connection URI without the password. From c2f39c1d4c1dbfc0165c280f381f2b2c9ecdee8c Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 14:31:40 +0530 Subject: [PATCH 13/21] Update authentication.md --- docs/details/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index e566a5ed..a2d42f50 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -155,7 +155,7 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: ``` !!! note - Run the `pbm-agent` process as **{USER}**. PBM does not refresh its authentication ticket automatically, so when the ticket expires you must obtain a new one. + Run the `pbm-agent` process as **{USER}**. PBM does not refresh its authentication ticket automatically, so when the ticket expires you must obtain a new one. 2. Specify the following MongoDB connection URI without the password. From 0862a40601b24eba9dd6330a7dacf561b384e11c Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 14:36:00 +0530 Subject: [PATCH 14/21] Update authentication.md --- docs/details/authentication.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 7f71161b..ebc66c1e 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -157,12 +157,11 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: where `{USER}` is the OS user account that runs the `pbm-agent` process. !!! note - Run the `pbm-agent` process as **{USER}**. PBM does not refresh its authentication ticket automatically, so when the ticket expires you must obtain a new one. + Run the `pbm-agent` process as `{USER}`. PBM does not refresh its authentication ticket automatically, so when the ticket expires you must obtain a new one. 2. Specify the following MongoDB connection URI without the password. - ```bash - PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" + ```bash PBM_MONGODB_URI="mongodb://%40@:27018/?authMechanism=GSSAPI&authSource=%24external&replSetName=xxxx" ``` === "Using username and password" From c66901a4593b028f70a741927742b11129df5087 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 14:41:05 +0530 Subject: [PATCH 15/21] Update authentication.md --- docs/details/authentication.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index ebc66c1e..ac54995e 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -156,8 +156,10 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: where `{USER}` is the OS user account that runs the `pbm-agent` process. - !!! note - Run the `pbm-agent` process as `{USER}`. PBM does not refresh its authentication ticket automatically, so when the ticket expires you must obtain a new one. + !!! note + - Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. + + - PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. 2. Specify the following MongoDB connection URI without the password. From cdee026de0c6d506d56fc7b217da8d080f7aabfb Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 15:19:36 +0530 Subject: [PATCH 16/21] Update authentication.md --- docs/details/authentication.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index ac54995e..c623b61f 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -156,10 +156,9 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: where `{USER}` is the OS user account that runs the `pbm-agent` process. - !!! note - - Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. - - - PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. + !!! note + - Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. + - PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. 2. Specify the following MongoDB connection URI without the password. From 9f441b405883e02250d655a2fa17636aea117211 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 15:25:39 +0530 Subject: [PATCH 17/21] Update authentication.md --- docs/details/authentication.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index c623b61f..8b1f48b8 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -157,8 +157,7 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: where `{USER}` is the OS user account that runs the `pbm-agent` process. !!! note - - Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. - - PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. + Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. 2. Specify the following MongoDB connection URI without the password. From 9ea8dd7022cecafddff6a83302520bb7b5e66983 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 15:30:26 +0530 Subject: [PATCH 18/21] Update authentication.md --- docs/details/authentication.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 8b1f48b8..5f3582ef 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -157,6 +157,7 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: where `{USER}` is the OS user account that runs the `pbm-agent` process. !!! note + Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. 2. Specify the following MongoDB connection URI without the password. From 6fc7cc7046a6cb0287df8b14f36a0e6a318d4ca6 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 15:34:56 +0530 Subject: [PATCH 19/21] Update authentication.md --- docs/details/authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 5f3582ef..ddecb719 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -156,9 +156,9 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: where `{USER}` is the OS user account that runs the `pbm-agent` process. - !!! note + !!! note - Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. + Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. 2. Specify the following MongoDB connection URI without the password. From 36541ab41b0987f86a5839514c53824c6aded607 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 15:37:37 +0530 Subject: [PATCH 20/21] Update authentication.md --- docs/details/authentication.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index ddecb719..9eac2b2a 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -157,8 +157,7 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: where `{USER}` is the OS user account that runs the `pbm-agent` process. !!! note - - Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. + Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. 2. Specify the following MongoDB connection URI without the password. From 308cc6b1eca0ea8ce114ba25449223a17e463041 Mon Sep 17 00:00:00 2001 From: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com> Date: Thu, 5 Mar 2026 15:40:11 +0530 Subject: [PATCH 21/21] Update authentication.md --- docs/details/authentication.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/details/authentication.md b/docs/details/authentication.md index 9eac2b2a..4a80fab8 100644 --- a/docs/details/authentication.md +++ b/docs/details/authentication.md @@ -157,7 +157,8 @@ You can choose any of these methods to authenticate `pbm` user against Kerberos: where `{USER}` is the OS user account that runs the `pbm-agent` process. !!! note - Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. + + Run `pbm-agent` as **`{USER}`**, where `{USER}` is the OS account that authenticates to Kerberos and owns the ticket cache. PBM does not refresh Kerberos tickets automatically. When the ticket expires, run `kinit` again **as the same `{USER}`** so the ticket cache is shared with `pbm-agent`. 2. Specify the following MongoDB connection URI without the password.