koji using krb - having problems
Mike Bonnet
mikeb at redhat.com
Fri Dec 17 22:51:27 UTC 2010
There are 2 principals we're talking about here, the server principal
(host/...) and your client principal swebb at ...
When using "koji --authtype=kerberos" it will automatically use your
client principal, assuming you have kinit'ed successfully. You should
never be passing --principal or --keytab to the koji cli under normal usage.
On 12/17/2010 04:51 PM, steve.webb@beatport.com wrote:
> Ok, I'm still not getting access to krb, but I feel that I'm getting
> close. (Thanks for all of your help already, BTW)
>
> [root@bpbuild001 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: swebb@AUTH.BEATPORTCORP.NET
>
> Valid starting     Expires            Service principal
> 12/17/10 14:27:51  12/18/10 02:27:09  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>
> [root@bpbuild001 ~]# su - koji
> [koji@bpbuild001 ~]$ psql
> psql (8.4.5)
> Type "help" for help.
>
> koji=> select * from user_perms;
>  user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active
> ---------+---------+--------------+--------------+------------+------------+--------
>        1 |       1 |            1 |              |          1 |            | t
>        2 |       1 |            2 |              |          2 |            | t
> (2 rows)
>
> koji=> select * from users;
>  id | name  | password | status | usertype | krb_principal
> ----+-------+----------+--------+----------+------------------------------------------
>   1 | koji  |          |      0 |        0 | koji@bpbuild001.co0.nar.beatportcorp.net
That is not a valid krb_principal, it should be:
koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>   2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
> (2 rows)
>
> koji=>
> [koji@bpbuild001 ~]$ logout
> [root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
> Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
> [root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
> Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
> Kerberos authentication failed: Key table entry not found (-1765328203)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
> Kerberos authentication failed: Key table entry not found (-1765328203)
>
> My keytabs that I've been trying:
>
> /etc/krb5.keytab:  host/bpbuild001.co0.nar.beatportcorp.net
> /etc/koji.keytab:  koji/bpbuild001.co0.nar.beatportcorp.net
> /etc/koji2.keytab: host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
This is the keytab that you should be referencing in AuthKeytab in
/etc/koji-hub/hub.conf.
> I've tried many combinations but none of them seem to be working. The
> most common errors are (in order of # of occurrences):
>
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
> Kerberos authentication failed: Key table entry not found (-1765328203)
>
> I'm very good with kerberos, but I'm hoping that this may help us get
> close to getting kerberos working.
>
> Is there a way to turn on logging for the kerberos authentication stuff
> somewhere? Using --debug doesn't seem to provide any additional
> information.
>
> My /etc/koji-hub/hub.conf now:
>
> [snip]
> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net
You need to append @AUTH.BEATPORTCORP.NET to this.
> AuthKeytab = /etc/krb5.keytab
> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net
Same here.
> HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net
Same here. Also, you need to leave the %s, it'll be substituted for the
hostname of each different builder.
> [snip]
>
> Thanks again.
>
> - Steve
>
> On Fri, 17 Dec 2010, Mike Bonnet wrote:
>
>>> On 12/17/2010 12:35 PM, steve.webb@beatport.com wrote:
>>>> The koji cli expects the service principal of the hub to be host/<server
>>>> name>@<last 2 tokens of the server name>. So in your case it is trying
>>>> to lookup a service principal in the BEATPORTCORP.NET domain, rather
>>>> than AUTH.BEATPORTCORP.NET. Koji should probably be determining the
>>>> domain from the client principal, rather than the DNS name. In the
>>>> meantime, you could patch __init__.py:_serverPrincipal() to return the
>>>> correct value.
>>>
>>> I just changed it to accept 3 parts to the server name by changing the 2s
>>> to 3s in /usr/lib/python2.7/site-packages/koji/__init__.py
>>>
>>> def _serverPrincipal(self):
>>>     """Get the Kerberos principal of the server we're connecting
>>>     to, based on baseurl. Assume the last two components of the
>>>     server name are the Kerberos realm."""
>>>     servername = urlparse.urlparse(self.baseurl)[1]
>>>     portspec = servername.find(':')
>>>     if portspec != -1:
>>>         servername = servername[:portspec]
>>>
>>>     parts = servername.split('.')
>>>     if len(parts) < 3:
>>>         domain = servername.upper()
>>>     else:
>>>         domain = '.'.join(parts[-3:]).upper()
>>>
>>>     return 'host/%s@%s' % (servername, domain)
>>>
>>>
>>> Still getting authentication failure:
>>>
>>> [root@bpbuild001 ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>>
>>> Valid starting     Expires            Service principal
>>> 12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>>
>>> [root@bpbuild001 ~]# koji add-user kojira
>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>
>> Assuming your hub is running on bpbuild001.co0.nar.beatportcorp.net, your /etc/koji-hub/hub.conf should have:
>>
>> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>
>> and AuthKeytab should be pointing at a keytab for that principal.
>>
>> Yes, this could be a lot more flexible.
>> --
>> buildsys mailing list
>> buildsys@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>>
>
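Added example (Python 3, not koji's own code): the DNS-derived guess that the thread's `_serverPrincipal()` makes, beside the client-realm variant Mike suggests, plus a check of the value against the hub.conf AuthPrincipal form he asks for. The hostnames and principals are the thread's; the function names and the `realm_components` parameter are assumptions of this example. It also shows why no component count can help here: AUTH.BEATPORTCORP.NET is not a suffix of the hub's DNS name.

```python
from urllib.parse import urlparse


def server_principal_from_dns(baseurl, realm_components=2):
    """koji-cli style guess: host/<server>@<last N DNS labels, uppercased>.
    realm_components=2 is the stock behaviour; Steve's patch used 3."""
    servername = urlparse(baseurl).hostname  # .hostname already drops any :port
    parts = servername.split('.')
    if len(parts) < realm_components:
        realm = servername.upper()
    else:
        realm = '.'.join(parts[-realm_components:]).upper()
    return 'host/%s@%s' % (servername, realm)


def server_principal_from_client(baseurl, client_principal):
    """Mike's suggestion: take the realm from the principal the user
    kinit'ed as (e.g. swebb@AUTH.BEATPORTCORP.NET) instead of from DNS."""
    servername = urlparse(baseurl).hostname
    if '@' not in client_principal:
        raise ValueError('client principal has no realm: %r' % client_principal)
    realm = client_principal.rsplit('@', 1)[1]
    return 'host/%s@%s' % (servername, realm)


def matches_hub_auth_principal(cli_principal, auth_principal):
    """True only when hub.conf AuthPrincipal carries an explicit @REALM and is
    identical to what the cli will ask the KDC for; an unqualified
    AuthPrincipal (as in Steve's hub.conf) never matches."""
    return '@' in auth_principal and cli_principal == auth_principal


if __name__ == '__main__':
    hub = 'http://bpbuild001.co0.nar.beatportcorp.net/kojihub'  # constructed URL
    for n in (2, 3):
        print('dns guess (%d labels):' % n, server_principal_from_dns(hub, n))
    want = server_principal_from_client(hub, 'swebb@AUTH.BEATPORTCORP.NET')
    print('from client realm:     ', want)
    print('hub.conf ok:', matches_hub_auth_principal(
        want, 'host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET'))
```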