koji using krb - having problems
Mike Bonnet
mikeb@redhat.com
Wed Jan 5 17:35:45 UTC 2011
On 01/05/2011 12:19 PM, steve.webb@beatport.com wrote:
> [koji@bpbuild001 ~]$ psql
> psql (8.4.5)
> Type "help" for help.
>
> koji=> select * from users;
>  id | name  | password | status | usertype | krb_principal
> ----+-------+----------+--------+----------+----------------------------------------------------------------
>   2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
>   1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
> (2 rows)
>
> koji=> \q
> [koji@bpbuild001 ~]$ koji add-user kojira
> Kerberos authentication failed: Matching credential not found (-1765328243)
> [koji@bpbuild001 ~]$ kinit swebb
> Password for swebb@AUTH.BEATPORTCORP.NET:
> [koji@bpbuild001 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: swebb@AUTH.BEATPORTCORP.NET
>
> Valid starting     Expires            Service principal
> 01/05/11 10:15:13  01/05/11 22:14:30  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
> [koji@bpbuild001 ~]$ cat /etc/koji.conf
> [koji]
>
> ;configuration for koji cli tool
>
> ;url of XMLRPC server
> server = http://bpbuild001.co0.nar.beatportcorp.net/kojihub
>
> ;url of web interface
> weburl = http://bpbuild001.co0.nar.beatportcorp.net/koji
>
> ;url of package download site
> pkgurl = http://bpbuild001.co0.nar.beatportcorp.net/packages
>
> ;path to the koji top directory
> topdir = /mnt/koji
>
> ;configuration for SSL authentication
>
> ;client certificate
> cert = ~/.fedora.cert
>
> ;certificate of the CA that issued the client certificate
> ca = ~/.fedora-server-ca.cert
>
> ;certificate of the CA that issued the HTTP server certificate
> serverca = ~/.fedora-server-ca.cert
> [koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
Sorry, that should have been kinit, not klist. You'll probably need to
run it as root. Also, make sure /etc/krb5.keytab is readable by the
apache user.
Also, I don't think your patch to __init__.py:_serverPrincipal() is
correct. Try hard-coding the domain to AUTH.BEATPORTCORP.NET.
> Extra arguments (starting with "host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET").
> Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
>     -c specifies credentials cache
>     -k specifies keytab
>     (Default is credentials cache)
>     -e shows the encryption type
>     -V shows the Kerberos version and exits
>     options for credential caches:
>         -d shows the submitted authorization data types
>         -f shows credentials flags
>         -s sets exit status based on valid tgt existence
>         -a displays the address list
>         -n do not reverse-resolve
>     options for keytabs:
>         -t shows keytab entry timestamps
>         -K shows keytab entry DES keys
> [koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> klist: Permission denied while starting keytab scan
> [koji@bpbuild001 ~]$ logout
> [root@bpbuild001 ~]# klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>    1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>    1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>    1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
> [root@bpbuild001 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: swebb@AUTH.BEATPORTCORP.NET
>
> Valid starting     Expires            Service principal
> 01/05/11 09:49:04  01/05/11 21:48:17  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>
> - Steve
>
> On Mon, 3 Jan 2011, Mike Bonnet wrote:
>
>> On 12/29/2010 11:06 AM, steve.webb@beatport.com wrote:
>>> Still stuck here. Anyone around during the holidays that can help?
>>
>> Could you post the /etc/koji.conf from the client machine (the machine
>> where you're running "koji add-user kojira")?
>>
>> Also, try running:
>>
>> klist -kt /etc/krb5.keytab \
>> host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>
>> and then klist, and post the output of both commands.
>>
>>> - Steve
>>>
>>> On Fri, 17 Dec 2010, steve.webb@beatport.com wrote:
>>>
>>>> Ok, all changed, still no-go:
>>>>
>>>> [root@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>>> ## If ServerOffline is True, the server will always report a ServerOffline fault (with
>>>> ## OfflineMessage as the fault string).
>>>> ## If LockOut is True, the server will report a ServerOffline fault for all non-admin
>>>> ## requests.
>>>>
>>>> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>> AuthKeytab = /etc/krb5.keytab
>>>> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>> HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
>>>>
>>>> [root@bpbuild001 ~]# klist -k /etc/krb5.keytab
>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>> KVNO Principal
>>>> ---- --------------------------------------------------------------------------
>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>> [root@bpbuild001 ~]# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 12/17/10 15:36:29  12/18/10 03:30:18  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>>> [root@bpbuild001 ~]# su - koji
>>>> [koji@bpbuild001 ~]$ psql
>>>> psql (8.4.5)
>>>> Type "help" for help.
>>>>
>>>> koji=> select * from users;
>>>>  id | name  | password | status | usertype | krb_principal
>>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>>   2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
>>>>   1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>> (2 rows)
>>>>
>>>> koji=> \q
>>>> [koji@bpbuild001 ~]$ logout
>>>> [root@bpbuild001 ~]# koji add-user kojira
>>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>>>
>>>> Q: The error now says "Server not found" - should the principal in psql be
>>>> host/... ??
>>>>
>>>> - Steve
>>>
>>
>
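As an added illustration of the mismatch this thread circles around (not koji's own code, and written independently of the `_serverPrincipal()` patch discussed above): the function below guesses the hub's service principal from the hub URL the way a client might, and then checks that guess against the hub's `AuthPrincipal` and a `klist -kt` listing. The realm-from-hostname guess, the function names and the sample inputs are all this example's own assumptions, built from the values quoted in the thread.

```python
from urllib.parse import urlparse
import re

def server_principal(hub_url, realm=None):
    """Service principal the client will ask the KDC for: host/<fqdn>@<REALM>.
    Without an explicit realm it guesses the hostname's domain part, uppercased.
    That guess (an assumption of this example) breaks when the realm is not a
    suffix of the hostname, as with AUTH.BEATPORTCORP.NET in the thread."""
    host = urlparse(hub_url).hostname
    if realm is None:
        realm = host.split('.', 1)[1].upper()
    return 'host/%s@%s' % (host, realm)

def keytab_principals(klist_output):
    """Parse 'klist -kt' output into the set of principals the keytab holds."""
    return {line.split()[-1] for line in klist_output.splitlines()
            if re.match(r'\s*\d+\s', line)}

def check_hub_auth(hub_url, hub_conf, klist_output, realm=None):
    """Return a list of mismatches between the principal the client requests,
    the AuthPrincipal declared in hub.conf, and the keytab contents."""
    want = server_principal(hub_url, realm)
    m = re.search(r'^AuthPrincipal\s*=\s*(\S+)', hub_conf, re.M)
    declared = m.group(1) if m else '(unset)'
    problems = []
    if declared != want:
        # A name the KDC has never heard of yields "Server not found in Kerberos database"
        problems.append('client requests %s but hub AuthPrincipal is %s' % (want, declared))
    if want not in keytab_principals(klist_output):
        problems.append('%s is not in the keytab' % want)
    return problems

# Constructed sample input mirroring the values quoted in the thread
HUB_URL = 'http://bpbuild001.co0.nar.beatportcorp.net/kojihub'
HUB_CONF = """AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
AuthKeytab = /etc/krb5.keytab
"""
KLIST_KT = """Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------------
   1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
"""

if __name__ == '__main__':
    for realm in (None, 'AUTH.BEATPORTCORP.NET'):
        print('realm=%s:' % realm, check_hub_auth(HUB_URL, HUB_CONF, KLIST_KT, realm) or 'OK')
```

With the realm guessed from the hostname the check reports two problems; with the realm given explicitly it reports none, which is the effect of hard-coding the domain as suggested above.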