koji using krb - having problems

Mike Bonnet mikeb at redhat.com
Wed Jan 5 17:35:45 UTC 2011


On 01/05/2011 12:19 PM, steve.webb at beatport.com wrote:
> [koji at bpbuild001 ~]$ psql
> psql (8.4.5)
> Type "help" for help.
> 
> koji=> select * from users;
>   id | name  | password | status | usertype |                         krb_principal 
> ----+-------+----------+--------+----------+----------------------------------------------------------------
>    2 | swebb |          |      0 |        0 | swebb at AUTH.BEATPORTCORP.NET
>    1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
> (2 rows)
> 
> koji=> \q
> [koji at bpbuild001 ~]$ koji add-user kojira
> Kerberos authentication failed: Matching credential not found (-1765328243)
> [koji at bpbuild001 ~]$ kinit swebb
> Password for swebb at AUTH.BEATPORTCORP.NET: 
> [koji at bpbuild001 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: swebb at AUTH.BEATPORTCORP.NET
> 
> Valid starting     Expires            Service principal
> 01/05/11 10:15:13  01/05/11 22:14:30  krbtgt/AUTH.BEATPORTCORP.NET at AUTH.BEATPORTCORP.NET
> [koji at bpbuild001 ~]$ cat /etc/koji.conf
> [koji]
> 
> ;configuration for koji cli tool
> 
> ;url of XMLRPC server
> server = http://bpbuild001.co0.nar.beatportcorp.net/kojihub
> 
> ;url of web interface
> weburl = http://bpbuild001.co0.nar.beatportcorp.net/koji
> 
> ;url of package download site
> pkgurl = http://bpbuild001.co0.nar.beatportcorp.net/packages
> 
> ;path to the koji top directory
> topdir = /mnt/koji
> 
> ;configuration for SSL authentication
> 
> ;client certificate
> cert = ~/.fedora.cert
> 
> ;certificate of the CA that issued the client certificate
> ca = ~/.fedora-server-ca.cert
> 
> ;certificate of the CA that issued the HTTP server certificate
> serverca = ~/.fedora-server-ca.cert
> [koji at bpbuild001 ~]$ klist -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET

Sorry, that should have been kinit, not klist.  You'll probably need to
run it as root.  Also, make sure /etc/krb5.keytab is readable by the
apache user.

Also, I don't think your patch to __init__.py:_serverPrincipal() is
correct.  Try hard-coding the domain to AUTH.BEATPORTCORP.NET.

> Extra arguments (starting with "host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET").
> Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
>          -c specifies credentials cache
>          -k specifies keytab
>             (Default is credentials cache)
>          -e shows the encryption type
>          -V shows the Kerberos version and exits
>          options for credential caches:
>                  -d shows the submitted authorization data types
>                  -f shows credentials flags
>                  -s sets exit status based on valid tgt existence
>                  -a displays the address list
>                          -n do not reverse-resolve
>          options for keytabs:
>                  -t shows keytab entry timestamps
>                  -K shows keytab entry DES keys
> [koji at bpbuild001 ~]$ klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> klist: Permission denied while starting keytab scan
> [koji at bpbuild001 ~]$ logout
> [root at bpbuild001 ~]# klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>     1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>     1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>     1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>     1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
> [root at bpbuild001 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: swebb at AUTH.BEATPORTCORP.NET
> 
> Valid starting     Expires            Service principal
> 01/05/11 09:49:04  01/05/11 21:48:17  krbtgt/AUTH.BEATPORTCORP.NET at AUTH.BEATPORTCORP.NET
> 
> - Steve
> 
> On Mon, 3 Jan 2011, Mike Bonnet wrote:
> 
>> On 12/29/2010 11:06 AM, steve.webb at beatport.com wrote:
>>> Still stuck here.  Anyone around during the holidays that can help?
>>
>> Could you post the /etc/koji.conf from the client machine (the machine
>> where you're running "koji add-user kojira")?
>>
>> Also, try running:
>>
>> klist -kt /etc/krb5.keytab \
>>  host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>>
>> and then klist, and post the output of both commands.
>>
>>> - Steve
>>>
>>> On Fri, 17 Dec 2010, steve.webb at beatport.com wrote:
>>>
>>>> Ok, all changed, still no-go:
>>>>
>>>> [root at bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>>> ## If ServerOffline is True, the server will always report a ServerOffline fault (with
>>>> ## OfflineMessage as the fault string).
>>>> ## If LockOut is True, the server will report a ServerOffline fault for all non-admin
>>>> ## requests.
>>>>
>>>> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>>>> AuthKeytab = /etc/krb5.keytab
>>>> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>>>> HostPrincipalFormat = compile/%s at AUTH.BEATPORTCORP.NET
>>>>
>>>> [root at bpbuild001 ~]# klist -k /etc/krb5.keytab
>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>> KVNO Principal
>>>> ---- --------------------------------------------------------------------------
>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>>>> [root at bpbuild001 ~]# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: swebb at AUTH.BEATPORTCORP.NET
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 12/17/10 15:36:29  12/18/10 03:30:18  krbtgt/AUTH.BEATPORTCORP.NET at AUTH.BEATPORTCORP.NET
>>>> [root at bpbuild001 ~]# su - koji
>>>> [koji at bpbuild001 ~]$ psql
>>>> psql (8.4.5)
>>>> Type "help" for help.
>>>>
>>>> koji=> select * from users;
>>>>  id | name  | password | status | usertype |                         krb_principal
>>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>>   2 | swebb |          |      0 |        0 | swebb at AUTH.BEATPORTCORP.NET
>>>>   1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net at AUTH.BEATPORTCORP.NET
>>>> (2 rows)
>>>>
>>>> koji=> \q
>>>> [koji at bpbuild001 ~]$ logout
>>>> [root at bpbuild001 ~]# koji add-user kojira
>>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>>>
>>>> Q: The error now says "Server not found" - should the principal in psql be
>>>> host/...  ??
>>>>
>>>> - Steve
>>>
>>
>> --
>> buildsys mailing list
>> buildsys at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>>
> 
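The two failures in this thread (the hub's AuthPrincipal not matching what is in the keytab, and the keytab not being readable by the apache user) are both checkable before touching the CLI. The script below is an added example and is not koji's own code: it parses a constructed copy of the `klist -kt` output and a hub.conf fragment from the thread (the `[hub]` section header is assumed, and `@` is restored where the list archive printed " at "), confirms the AuthPrincipal is actually present in the keytab, and checks keytab permissions for a service user without making the keytab world-readable.

```python
"""Sanity checks for a koji hub's Kerberos setup (added example, not koji code).

Checks performed:
  * the hub's AuthPrincipal exists in the keytab named by AuthKeytab
    (otherwise the hub cannot decrypt the service ticket the CLI presents);
  * the keytab is readable by the web server user but not by everyone.
"""
import configparser
import grp
import os
import pwd
import stat

# Constructed sample of `klist -kt /etc/krb5.keytab` output, following the thread.
SAMPLE_KLIST_KT = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
"""

# Constructed hub.conf fragment; the [hub] section header is an assumption.
SAMPLE_HUB_CONF = """[hub]
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
"""


def parse_keytab_principals(klist_output):
    """Return the set of principals listed by `klist -kt`.

    Entry rows start with a numeric KVNO and end with the principal, so taking
    the last whitespace-separated field skips the timestamp columns.
    """
    principals = set()
    for line in klist_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            principals.add(fields[-1])
    return principals


def parse_hub_conf(text):
    """Read the Kerberos-related keys from hub.conf.

    Interpolation is disabled because HostPrincipalFormat legitimately contains
    '%s', which configparser would otherwise try to expand.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    section = cp["hub"]
    keys = ("AuthPrincipal", "AuthKeytab", "ProxyPrincipals", "HostPrincipalFormat")
    return {key: section.get(key) for key in keys}


def check_auth_principal(conf, keytab_principals):
    """Return a list of findings (empty list means the principal setup is consistent)."""
    findings = []
    auth = conf["AuthPrincipal"]
    if auth not in keytab_principals:
        findings.append("AuthPrincipal %s is not in keytab %s (present: %s)"
                        % (auth, conf["AuthKeytab"],
                           ", ".join(sorted(keytab_principals)) or "none"))
    if "@" not in auth:
        findings.append("AuthPrincipal %s carries no realm; write it out in full" % auth)
    return findings


def keytab_access_findings(mode, owner_uid, owner_gid, svc_uid, svc_gids):
    """Pure permission check so it can be exercised without touching /etc.

    mode is the keytab's st_mode; svc_gids is every group of the service user.
    """
    findings = []
    if mode & stat.S_IROTH:
        findings.append("keytab is world-readable; any local account can read the service key")
    readable = ((owner_uid == svc_uid and mode & stat.S_IRUSR)
                or (owner_gid in svc_gids and mode & stat.S_IRGRP)
                or svc_uid == 0)
    if not readable:
        findings.append("keytab is not readable by the service user (uid %d)" % svc_uid)
    return findings


def check_keytab_file(path, service_user="apache"):
    """Stat the real keytab and resolve the service user's groups, then check them."""
    st = os.stat(path)
    pw = pwd.getpwnam(service_user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if service_user in g.gr_mem}
    return keytab_access_findings(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


if __name__ == "__main__":
    conf = parse_hub_conf(SAMPLE_HUB_CONF)
    for finding in check_auth_principal(conf, parse_keytab_principals(SAMPLE_KLIST_KT)):
        print("WARN:", finding)
    try:  # the live check only applies on a host that actually has the keytab
        for finding in check_keytab_file(conf["AuthKeytab"]):
            print("WARN:", finding)
    except (OSError, KeyError) as exc:
        print("skipped live keytab check:", exc)
```

On a real hub, run `check_keytab_file` as root against the path from AuthKeytab; the intended end state is a keytab owned by root with group apache and mode 0640, which satisfies "readable by the apache user" without exposing the host key to every local account.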