koji using krb - having problems

steve.webb at beatport.com
Fri Dec 17 21:51:29 UTC 2010


Ok, I'm still not getting access to krb, but I feel that I'm getting 
close.  (Thanks for all of your help already, BTW)

[root at bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb at AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
12/17/10 14:27:51  12/18/10 02:27:09  krbtgt/AUTH.BEATPORTCORP.NET at AUTH.BEATPORTCORP.NET

[root at bpbuild001 ~]# su - koji
[koji at bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.

koji=> select * from user_perms;
  user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active 
---------+---------+--------------+--------------+------------+------------+--------
        1 |       1 |            1 |              |          1 |            | t
        2 |       1 |            2 |              |          2 |            | t
(2 rows)

koji=> select * from users;
  id | name  | password | status | usertype |              krb_principal 
----+-------+----------+--------+----------+------------------------------------------
   1 | koji  |          |      0 |        0 | koji at bpbuild001.co0.nar.beatportcorp.net
   2 | swebb |          |      0 |        0 | swebb at AUTH.BEATPORTCORP.NET
(2 rows)

koji=>
[koji at bpbuild001 ~]$ logout
[root at bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root at bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
[root at bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
[root at bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root at bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root at bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root at bpbuild001 ~]# koji --keytab=/etc/koji.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root at bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Key table entry not found (-1765328203)
[root at bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
Kerberos authentication failed: Key table entry not found (-1765328203)

My keytabs that I've been trying:

/etc/krb5.keytab: host/bpbuild001.co0.nar.beatportcorp.net
/etc/koji.keytab: koji/bpbuild001.co0.nar.beatportcorp.net
/etc/koji2.keytab: host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET

I've tried many combinations but none of them seem to be working.  The 
most common errors are (in order of # of occurrences):

Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
Kerberos authentication failed: Key table entry not found (-1765328203)

I'm very good with kerberos, but I'm hoping that this may help us get 
close to getting kerberos working.

Is there a way to turn on logging for the kerberos authentication stuff 
somewhere?  Using --debug doesn't seem to provide any additional 
information.

My /etc/koji-hub/hub.conf now:

[snip]
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net
HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net
[snip]

Thanks again.

- Steve

On Fri, 17 Dec 2010, Mike Bonnet wrote:

> On 12/17/2010 12:35 PM, steve.webb at beatport.com wrote:
>>> The koji cli expects the service principal of the hub to be host/<server
>>> name>@<last 2 tokens of the server name>.  So in your case it is trying
>>> to lookup a service principal in the BEATPORTCORP.NET domain, rather
>>> than AUTH.BEATPORTCORP.NET.  Koji should probably be determining the
>>> domain from the client principal, rather than the DNS name.  In the
>>> meantime, you could patch __init__.py:_serverPrincipal() to return the
>>> correct value.
>>
>> I just changed it to accept 3 parts to the server name by changing the 2s
>> to 3s in /usr/lib/python2.7/site-packages/koji/__init__.py
>>
>>      def _serverPrincipal(self):
>>          """Get the Kerberos principal of the server we're connecting
>>          to, based on baseurl.  Assume the last two components of the
>>          server name are the Kerberos realm."""
>>          servername = urlparse.urlparse(self.baseurl)[1]
>>          portspec = servername.find(':')
>>          if portspec != -1:
>>              servername = servername[:portspec]
>>
>>          parts = servername.split('.')
>>          if len(parts) < 3:
>>              domain = servername.upper()
>>          else:
>>              domain = '.'.join(parts[-3:]).upper()
>>
>>          return 'host/%s@%s' % (servername, domain)
>>
>>
>> Still getting authentication failure:
>>
>> [root at bpbuild001 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: swebb at AUTH.BEATPORTCORP.NET
>>
>> Valid starting     Expires            Service principal
>> 12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/AUTH.BEATPORTCORP.NET at AUTH.BEATPORTCORP.NET
>>
>> [root at bpbuild001 ~]# koji add-user kojira
>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>
> Assuming your hub is running on bpbuild001.co0.nar.beatportcorp.net, your /etc/koji-hub/hub.conf should have:
>
> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>
> and AuthKeytab should be pointing at a keytab for that principal.
>
> Yes, this could be a lot more flexible.
> --
> buildsys mailing list
> buildsys at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>

-- 
Steve Webb | System Administrator
Beatport | Music for DJ's
------------------------------------------
2399 Blake Street, Suite 170
Denver, Colorado USA 80205
tel: +1.720.932.9103
fax: +1.720.932.9104
noc: +1.303.565.2710
mobile: +1.303.564.4269
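The principal-derivation rule Mike describes in the quoted reply, and the comparison with the hub's AuthPrincipal, as an added example (not koji's own code): it shows what the CLI asks the KDC for with 2 or 3 trailing DNS labels, and the alternative of taking the realm from the client principal. The hostnames and realm are taken from the thread; the hub URL path and the helper `check_hub_vs_cli` are assumptions.

```python
"""Added example (not koji's own code): reproduce the koji CLI rule
host/<server>@<last N DNS labels> and compare it with the hub's
AuthPrincipal.  Hostnames and realm below come from the thread."""
from urllib.parse import urlparse

# Constructed from the thread: hub URL, hub.conf AuthPrincipal, client principal.
HUB_URL = "https://bpbuild001.co0.nar.beatportcorp.net/kojihub"
HUB_AUTH_PRINCIPAL = "host/bpbuild001.co0.nar.beatportcorp.net"
CLIENT_PRINCIPAL = "swebb@AUTH.BEATPORTCORP.NET"


def server_principal(baseurl, realm_labels=2, client_principal=None):
    """Service principal the CLI will request for the hub at baseurl.

    realm_labels: trailing DNS labels used as the realm (koji uses 2;
    Steve's patch uses 3).  If client_principal is given, its realm is
    used instead, which is what Mike suggests koji should do.
    """
    hostname = urlparse(baseurl).hostname  # drops any :port
    if not hostname:
        raise ValueError("no host in %r" % baseurl)
    if client_principal and "@" in client_principal:
        realm = client_principal.rsplit("@", 1)[1]
    else:
        parts = hostname.split(".")
        realm = ".".join(parts[-realm_labels:]).upper()
    return "host/%s@%s" % (hostname, realm)


def normalize_principal(principal, default_realm):
    """hub.conf lines without @REALM resolve to the host's default realm."""
    return principal if "@" in principal else "%s@%s" % (principal, default_realm)


def check_hub_vs_cli(baseurl, auth_principal, default_realm,
                     realm_labels=2, client_principal=None):
    """Return (cli_requests, hub_accepts, match).  A mismatch here means the
    CLI asks the KDC for a principal in the wrong realm, which surfaces as
    'Server not found in Kerberos database' (-1765328377)."""
    cli = server_principal(baseurl, realm_labels, client_principal)
    hub = normalize_principal(auth_principal, default_realm)
    return cli, hub, cli == hub


if __name__ == "__main__":
    for labels in (2, 3):
        print(labels, check_hub_vs_cli(HUB_URL, HUB_AUTH_PRINCIPAL,
                                       "AUTH.BEATPORTCORP.NET", labels))
    print("from client", check_hub_vs_cli(HUB_URL, HUB_AUTH_PRINCIPAL,
          "AUTH.BEATPORTCORP.NET", client_principal=CLIENT_PRINCIPAL))
```

With this hostname, 2 labels yield BEATPORTCORP.NET and 3 labels yield NAR.BEATPORTCORP.NET, so neither produces AUTH.BEATPORTCORP.NET; only the client-principal realm matches the hub.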

