koji using krb - having problems

Mike Bonnet mikeb at redhat.com
Fri Dec 17 17:20:41 UTC 2010


On 12/17/2010 11:44 AM, steve.webb at beatport.com wrote:
> Ok.
> 
> I got a krb ticket, gave myself admin privs, then tried to add a user as 
> myself and I'm still getting "authentication failed".
> 
> koji=> insert into users (name, krb_principal, status, usertype) values ('swebb', 'swebb@AUTH.BEATPORTCORP.NET', 0, 0);
> INSERT 0 1
> koji=> select * from users;
>   id | name  | password | status | usertype |              krb_principal 
> ----+-------+----------+--------+----------+------------------------------------------
>    1 | koji  |          |      0 |        0 | koji@bpbuild001.co0.nar.beatportcorp.net
>    2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
> (2 rows)
> 
> koji=> insert into user_perms (user_id, perm_id, creator_id) values (2, 1, 2);
> INSERT 0 1
> koji=> select * from user_perms;
>   user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active 
> ---------+---------+--------------+--------------+------------+------------+--------
>         1 |       1 |            1 |              |          1 |            | t
>         2 |       1 |            2 |              |          2 |            | t
> (2 rows)
> 
> [root@bpbuild001 etc]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: swebb@AUTH.BEATPORTCORP.NET
> 
> Valid starting     Expires            Service principal
> 12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
> [root@bpbuild001 etc]# koji add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> 
> Is there still something missing?

The koji cli expects the service principal of the hub to be host/<server
name>@<last 2 tokens of the server name>.  So in your case it is trying
to look up a service principal in the BEATPORTCORP.NET domain, rather
than AUTH.BEATPORTCORP.NET.  Koji should probably be determining the
domain from the client principal, rather than the DNS name.  In the
meantime, you could patch __init__.py:_serverPrincipal() to return the
correct value.

> - Steve Webb
> 
> On Thu, 16 Dec 2010, Anthony Messina wrote:
> 
>> On 12/16/2010 06:14 PM, steve.webb at beatport.com wrote:
>>> [root@bpbuild001 etc]# koji add-user kojira
>>> Unable to log in, no authentication methods available
>>>
>>> The document doesn't have any methods to verify/debug that I've gotten the
>>> krb configs correct..  Is there a way to debug that I've done the krb
>>> configs properly?
>>
>> You are doing this under the root account.  I'm guessing that your root
>> user might not be the koji administrative user you added during setup
>> and that you don't have kerberos credentials as that administrative user.
>>
>> If the koji admin user you created had a username of 'steve' and
>> kerberos principal of steve@EXAMPLE.COM, then if you are logged in as
>> 'steve' and have done a kinit steve@EXAMPLE.COM, you should then be able
>> to perform the tasks.
>>
>> -A
>>
>>
> 
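
The realm derivation described in the reply above, as an added example that is not part of the original thread and is not Koji's own code: it contrasts a realm taken from the last two DNS labels of the hub name with a realm taken from the client principal. The function names, the upper-casing of the DNS-derived realm, and the hub URL (built from the host name in the shell prompt, with a made-up path) are assumptions.

```python
from urllib.parse import urlsplit


def principal_from_dns(hub_url, service="host"):
    """Realm = last two DNS labels of the hub host name (behaviour described in the reply)."""
    host = urlsplit(hub_url).hostname
    if not host:
        raise ValueError("hub URL has no host name: %r" % hub_url)
    # Assumption: the realm is the DNS domain upper-cased.
    realm = ".".join(host.split(".")[-2:]).upper()
    return "%s/%s@%s" % (service, host, realm)


def principal_from_client(hub_url, client_principal, service="host"):
    """Realm = realm of the client's own principal (alternative suggested in the reply)."""
    host = urlsplit(hub_url).hostname
    if not host:
        raise ValueError("hub URL has no host name: %r" % hub_url)
    name, sep, realm = client_principal.rpartition("@")
    if not (name and sep and realm):
        raise ValueError("not a name@REALM principal: %r" % client_principal)
    return "%s/%s@%s" % (service, host, realm)


def realm_mismatch(hub_url, client_principal):
    """Return (dns_derived, client_derived) if the two principals differ, else None.

    A difference means the client will ask the KDC for a service ticket in a
    realm other than the one that issued its TGT, which fails with
    "Server not found in Kerberos database" unless that realm exists and is trusted.
    """
    dns = principal_from_dns(hub_url)
    cli = principal_from_client(hub_url, client_principal)
    return None if dns == cli else (dns, cli)


# Constructed sample input: host name from the thread, URL path is a placeholder.
SAMPLE_HUB = "https://bpbuild001.co0.nar.beatportcorp.net/kojihub"
SAMPLE_CLIENT = "swebb@AUTH.BEATPORTCORP.NET"

if __name__ == "__main__":
    diff = realm_mismatch(SAMPLE_HUB, SAMPLE_CLIENT)
    if diff:
        print("requested by DNS rule :", diff[0])
        print("expected from TGT realm:", diff[1])
```
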