koji using krb - having problems
steve.webb at beatport.com
Fri Dec 17 21:51:29 UTC 2010
Ok, I'm still not getting access to krb, but I feel that I'm getting
close. (Thanks for all of your help already, BTW)
[root@bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET
Valid starting     Expires            Service principal
12/17/10 14:27:51  12/18/10 02:27:09  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]# su - koji
[koji@bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.
koji=> select * from user_perms;
 user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active
---------+---------+--------------+--------------+------------+------------+--------
       1 |       1 |            1 |              |          1 |            | t
       2 |       1 |            2 |              |          2 |            | t
(2 rows)
koji=> select * from users;
 id | name  | password | status | usertype | krb_principal
----+-------+----------+--------+----------+------------------------------------------
  1 | koji  |          |      0 |        0 | koji@bpbuild001.co0.nar.beatportcorp.net
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
(2 rows)
koji=>
[koji@bpbuild001 ~]$ logout
[root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
[root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
[root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Key table entry not found (-1765328203)
[root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
Kerberos authentication failed: Key table entry not found (-1765328203)
My keytabs that I've been trying:
/etc/krb5.keytab: host/bpbuild001.co0.nar.beatportcorp.net
/etc/koji.keytab: koji/bpbuild001.co0.nar.beatportcorp.net
/etc/koji2.keytab: host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
I've tried many combinations but none of them seem to be working. The
most common errors are (in order of # of occurrences):
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
Kerberos authentication failed: Key table entry not found (-1765328203)
I'm very good with kerberos, but I'm hoping that this may help us get
close to getting kerberos working.
Is there a way to turn on logging for the kerberos authentication stuff
somewhere? Using --debug doesn't seem to provide any additional
information.
My /etc/koji-hub/hub.conf now:
[snip]
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net
HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net
[snip]
Thanks again.
- Steve
On Fri, 17 Dec 2010, Mike Bonnet wrote:
> On 12/17/2010 12:35 PM, steve.webb at beatport.com wrote:
>>> The koji cli expects the service principal of the hub to be host/<server
>>> name>@<last 2 tokens of the server name>. So in your case it is trying
>>> to lookup a service principal in the BEATPORTCORP.NET domain, rather
>>> than AUTH.BEATPORTCORP.NET. Koji should probably be determining the
>>> domain from the client principal, rather than the DNS name. In the
>>> meantime, you could patch __init__.py:_serverPrincipal() to return the
>>> correct value.
>>
>> I just changed it to accept 3 parts to the server name by changing the 2s
>> to 3s in /usr/lib/python2.7/site-packages/koji/__init__.py
>>
>>     def _serverPrincipal(self):
>>         """Get the Kerberos principal of the server we're connecting
>>         to, based on baseurl. Assume the last three components of the
>>         server name are the Kerberos realm."""
>>         servername = urlparse.urlparse(self.baseurl)[1]
>>         portspec = servername.find(':')
>>         if portspec != -1:
>>             servername = servername[:portspec]
>>
>>         parts = servername.split('.')
>>         if len(parts) < 3:
>>             domain = servername.upper()
>>         else:
>>             domain = '.'.join(parts[-3:]).upper()
>>
>>         return 'host/%s@%s' % (servername, domain)
>>
>>
>> Still getting authentication failure:
>>
>> [root@bpbuild001 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>
>> Valid starting     Expires            Service principal
>> 12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>
>> [root@bpbuild001 ~]# koji add-user kojira
>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>
> Assuming your hub is running on bpbuild001.co0.nar.beatportcorp.net, your /etc/koji-hub/hub.conf should have:
>
> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>
> and AuthKeytab should be pointing at a keytab for that principal.
>
> Yes, this could be a lot more flexible.
--
Steve Webb | System Administrator
Beatport | Music for DJ's
------------------------------------------
2399 Blake Street, Suite 170
Denver, Colorado USA 80205
tel: +1.720.932.9103
fax: +1.720.932.9104
noc: +1.303.565.2710
mobile: +1.303.564.4269
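Both Mike's explanation and Steve's patch above turn on how the koji client derives the hub's service principal from the hub hostname. The following is an added illustration (Python 3, not code from the thread or from koji itself; HUB_URL and the helper names are assumptions) that reproduces that rule for two and three trailing DNS labels, contrasts it with taking the realm from the client's own principal as Mike proposes, and compares the result against the hub's AuthPrincipal.

```python
from urllib.parse import urlparse

# Hostname and realm are the ones from the thread; the function names are
# assumptions made for this example, not koji's own API.
HUB_URL = 'http://bpbuild001.co0.nar.beatportcorp.net/kojihub'


def server_principal_from_dns(baseurl, realm_labels=2):
    """koji's rule: realm = the last `realm_labels` DNS labels of the hub
    hostname, uppercased (the whole hostname if it has too few labels)."""
    host = urlparse(baseurl).hostname          # drops any :port suffix
    parts = host.split('.')
    if len(parts) < realm_labels + 1:
        realm = host.upper()
    else:
        realm = '.'.join(parts[-realm_labels:]).upper()
    return 'host/%s@%s' % (host, realm)


def server_principal_from_client(baseurl, client_principal):
    """Take the realm from the client's own principal (e.g. the klist
    'Default principal'), as Mike suggests koji should do."""
    if '@' not in client_principal:
        raise ValueError('client principal has no realm: %r' % client_principal)
    realm = client_principal.rsplit('@', 1)[1]
    return 'host/%s@%s' % (urlparse(baseurl).hostname, realm)


def diagnose(client_expects, hub_auth_principal):
    """Compare what the client will request from the KDC with the hub's
    AuthPrincipal; a realm mismatch is what surfaces as
    'Server not found in Kerberos database'."""
    if client_expects == hub_auth_principal:
        return 'match'
    c_name, c_realm = client_expects.split('@', 1)
    h_name, _, h_realm = hub_auth_principal.partition('@')
    if not h_realm:
        return 'hub AuthPrincipal has no realm (KDC default realm assumed)'
    if c_name == h_name:
        return 'realm mismatch: client asks %s, hub has %s' % (c_realm, h_realm)
    return 'service mismatch: client asks %s, hub has %s' % (c_name, h_name)


if __name__ == '__main__':
    for n in (2, 3):
        print(n, 'labels ->', server_principal_from_dns(HUB_URL, n))
    print('client realm ->', server_principal_from_client(HUB_URL, 'swebb@AUTH.BEATPORTCORP.NET'))
    print(diagnose(server_principal_from_dns(HUB_URL),
                   'host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET'))
```

Running it shows that neither two nor three trailing labels of this hostname yield AUTH.BEATPORTCORP.NET, while the realm taken from the client principal does.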