koji using krb - having problems

Mike Bonnet mikeb at redhat.com
Fri Dec 17 22:51:27 UTC 2010


There are 2 principals we're talking about here, the server principal
(host/...) and your client principal swebb@...

When using "koji --authtype=kerberos" it will automatically use your
client principal, assuming you have kinit'ed successfully.  You should
never be passing --principal or --keytab to the koji cli under normal usage.

On 12/17/2010 04:51 PM, steve.webb at beatport.com wrote:
> Ok, I'm still not getting access to krb, but I feel that I'm getting 
> close.  (Thanks for all of your help already, BTW)
> 
> [root@bpbuild001 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: swebb@AUTH.BEATPORTCORP.NET
> 
> Valid starting     Expires            Service principal
> 12/17/10 14:27:51  12/18/10 02:27:09  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
> 
> [root@bpbuild001 ~]# su - koji
> [koji@bpbuild001 ~]$ psql
> psql (8.4.5)
> Type "help" for help.
> 
> koji=> select * from user_perms;
>   user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active 
> ---------+---------+--------------+--------------+------------+------------+--------
>         1 |       1 |            1 |              |          1 |            | t
>         2 |       1 |            2 |              |          2 |            | t
> (2 rows)
> 
> koji=> select * from users;
>   id | name  | password | status | usertype |              krb_principal 
> ----+-------+----------+--------+----------+------------------------------------------
>    1 | koji  |          |      0 |        0 | koji@bpbuild001.co0.nar.beatportcorp.net

That is not a valid krb_principal, it should be:

koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET

>    2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
> (2 rows)
> 
> koji=>
> [koji@bpbuild001 ~]$ logout
> [root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
> Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
> [root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
> Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
> Kerberos authentication failed: Key table entry not found (-1765328203)
> [root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
> Kerberos authentication failed: Key table entry not found (-1765328203)
> 
> My keytabs that I've been trying:
> 
> /etc/krb5.keytab: host/bpbuild001.co0.nar.beatportcorp.net
> /etc/koji.keytab: koji/bpbuild001.co0.nar.beatportcorp.net
> /etc/koji2.keytab: host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET

This is the keytab that you should be referencing in AuthKeytab in
/etc/koji-hub/hub.conf.

> I've tried many combinations but none of them seem to be working.  The 
> most common errors are (in order of # of occurrences):
> 
> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
> Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
> Kerberos authentication failed: Key table entry not found (-1765328203)
> 
> I'm very good with kerberos, but I'm hoping that this may help us get 
> close to getting kerberos working.
> 
> Is there a way to turn on logging for the kerberos authentication stuff 
> somewhere?  Using --debug doesn't seem to provide any additional 
> information.
> 
> My /etc/koji-hub/hub.conf now:
> 
> [snip]
> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net

You need to append @AUTH.BEATPORTCORP.NET to this.

> AuthKeytab = /etc/krb5.keytab
> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net

Same here.

> HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net

Same here.  Also, you need to leave the %s; it'll be substituted for the
hostname of each different builder.

> [snip]
> 
> Thanks again.
> 
> - Steve
> 
> On Fri, 17 Dec 2010, Mike Bonnet wrote:
> 
>> On 12/17/2010 12:35 PM, steve.webb at beatport.com wrote:
>>>> The koji cli expects the service principal of the hub to be host/<server
>>>> name>@<last 2 tokens of the server name>.  So in your case it is trying
>>>> to lookup a service principal in the BEATPORTCORP.NET domain, rather
>>>> than AUTH.BEATPORTCORP.NET.  Koji should probably be determining the
>>>> domain from the client principal, rather than the DNS name.  In the
>>>> meantime, you could patch __init__.py:_serverPrincipal() to return the
>>>> correct value.
>>>
>>> I just changed it to accept 3 parts to the server name by changing the 2s
>>> to 3s in /usr/lib/python2.7/site-packages/koji/__init__.py
>>>
>>>      def _serverPrincipal(self):
>>>          """Get the Kerberos principal of the server we're connecting
>>>          to, based on baseurl.  Assume the last two components of the
>>>          server name are the Kerberos realm."""
>>>          servername = urlparse.urlparse(self.baseurl)[1]
>>>          portspec = servername.find(':')
>>>          if portspec != -1:
>>>              servername = servername[:portspec]
>>>
>>>          parts = servername.split('.')
>>>          if len(parts) < 3:
>>>              domain = servername.upper()
>>>          else:
>>>              domain = '.'.join(parts[-3:]).upper()
>>>
>>>          return 'host/%s@%s' % (servername, domain)
>>>
>>>
>>> Still getting authentication failure:
>>>
>>> [root@bpbuild001 ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>>
>>> Valid starting     Expires            Service principal
>>> 12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>>
>>> [root@bpbuild001 ~]# koji add-user kojira
>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>
>> Assuming your hub is running on bpbuild001.co0.nar.beatportcorp.net, your /etc/koji-hub/hub.conf should have:
>>
>> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>
>> and AuthKeytab should be pointing at a keytab for that principal.
>>
>> Yes, this could be a lot more flexible.
>> --
>> buildsys mailing list
>> buildsys at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>>
> 
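The following is an added example, not code from koji or from anyone in this thread. It reproduces the hub-principal guess that the quoted _serverPrincipal makes (host/<hub hostname>@<last N DNS labels, upper-cased>), shows the alternative Mike suggests of taking the realm from the client's own principal, and checks the hub.conf principal keys quoted above for the two mistakes he points out: a missing @REALM and a HostPrincipalFormat without the %s placeholder. Guessing from the hostname bpbuild001.co0.nar.beatportcorp.net gives BEATPORTCORP.NET with two labels and NAR.BEATPORTCORP.NET with three, neither of which is AUTH.BEATPORTCORP.NET. The helper names, the sample hub URL and the constructed klist/hub.conf text are this example's own assumptions; the config keys, hostnames and realm are the thread's.

```python
"""Added example (not koji's code): derive the hub service principal the way a
koji-style client does, compare it with a realm taken from the client principal,
and lint hub.conf principal settings for a missing realm or missing %s."""

from urllib.parse import urlparse

# hub.conf keys that hold Kerberos principals, as quoted in the thread.
PRINCIPAL_KEYS = ("AuthPrincipal", "ProxyPrincipals", "HostPrincipalFormat")


def realm_from_hostname(hostname, labels=2):
    """Guess the realm as the last `labels` DNS labels, upper-cased.
    With labels=2 this is the heuristic of the quoted _serverPrincipal."""
    parts = hostname.split(".")
    if len(parts) <= labels:
        return hostname.upper()
    return ".".join(parts[-labels:]).upper()


def default_principal_from_klist(klist_output):
    """Return the 'Default principal:' value from klist output, or None."""
    for line in klist_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Default principal":
            return value.strip()
    return None


def server_principal(baseurl, client_principal=None, realm_labels=2):
    """Build host/<hub hostname>@<REALM> for the hub at `baseurl`.

    If `client_principal` (e.g. the klist default principal) is given, its
    realm is used, which is the approach Mike suggests.  Otherwise the realm
    is guessed from the hostname, as the quoted code does."""
    hostname = urlparse(baseurl).hostname  # drops any :port, lower-cases
    if not hostname:
        raise ValueError(f"no hostname in hub URL {baseurl!r}")
    if client_principal and "@" in client_principal:
        realm = client_principal.rsplit("@", 1)[1]
    else:
        realm = realm_from_hostname(hostname, realm_labels)
    return f"host/{hostname}@{realm}"


def check_hub_conf(conf_text, realm):
    """Return a list of problems with the principal settings in hub.conf text."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value

    problems = []
    for key in PRINCIPAL_KEYS:
        value = settings.get(key)
        if value is None:
            problems.append(f"{key} is not set")
            continue
        # ProxyPrincipals may be a comma-separated list; the others hold one value.
        for principal in (p.strip() for p in value.split(",")):
            if "@" not in principal:
                problems.append(f"{key}: {principal} has no realm, expected @{realm}")
            elif principal.rsplit("@", 1)[1] != realm:
                problems.append(f"{key}: {principal} is not in realm {realm}")
    fmt = settings.get("HostPrincipalFormat")
    if fmt is not None and "%s" not in fmt:
        problems.append("HostPrincipalFormat: no %s placeholder for the builder hostname")
    return problems


# Assumed hub URL (the thread never states it; only the hostname is known).
HUB_URL = "http://bpbuild001.co0.nar.beatportcorp.net/kojihub"
REALM = "AUTH.BEATPORTCORP.NET"

# Constructed from the klist output quoted in the thread.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET
"""

# The hub.conf fragment as quoted, then with Mike's corrections applied.
QUOTED_CONF = """
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net
HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net
"""
CORRECTED_CONF = """
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
"""

if __name__ == "__main__":
    print(server_principal(HUB_URL))                  # realm guessed as BEATPORTCORP.NET
    print(server_principal(HUB_URL, realm_labels=3))  # NAR.BEATPORTCORP.NET, still wrong
    client = default_principal_from_klist(KLIST_OUTPUT)
    print(server_principal(HUB_URL, client))          # AUTH.BEATPORTCORP.NET
    for problem in check_hub_conf(QUOTED_CONF, REALM):
        print("quoted hub.conf:", problem)
    print("corrected hub.conf problems:", check_hub_conf(CORRECTED_CONF, REALM))
```

The realm check is deliberately stricter than koji itself: it requires every principal in those three keys to carry the realm the client tickets are issued in, which is the condition that turns "Server not found in Kerberos database" into a successful lookup in this thread.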