koji using krb - having problems
steve.webb at beatport.com
Wed Jan 5 19:03:06 UTC 2011
> Sorry, that should have been kinit, not klist. You'll probably need to
> run it as root. Also, make sure /etc/krb5.keytab is readable by the
> apache user.
[root@bpbuild001 ~]# kinit -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
kinit: Password incorrect while getting initial credentials
[root@bpbuild001 ~]# chmod 644 /etc/krb5.keytab
[root@bpbuild001 ~]# ls -la /etc/krb5.keytab
-rw-r--r--. 1 root root 430 Dec 15 10:49 /etc/krb5.keytab
Ok, now my serverPrincipal() is:
def _serverPrincipal(self):
    """Get the Kerberos principal of the server we're connecting
    to, based on baseurl. Assume the last two components of the
    server name are the Kerberos realm."""
    # requires: import urlparse (Python 2 stdlib)
    servername = urlparse.urlparse(self.baseurl)[1]
    portspec = servername.find(':')
    if portspec != -1:
        servername = servername[:portspec]
    parts = servername.split('.')
    if len(parts) < 3:
        domain = servername.upper()
    else:
        # patched: takes the last three labels, although the docstring says two
        domain = '.'.join(parts[-3:]).upper()
    # hard-coded realm, overriding the value derived above
    domain = 'AUTH.BEATPORTCORP.NET'
    return 'host/%s@%s' % (servername, domain)
New error:
[root@bpbuild001 ~]# su - koji
[koji@bpbuild001 ~]$ koji add-user kojira
ServerOffline: database outage
[koji@bpbuild001 ~]$ ps auxw | grep post
postgres 1520 0.0 0.0 203000 5784 ? S 10:13 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres 1522 0.0 0.0 174412 1144 ? Ss 10:13 0:00 postgres: logger process
postgres 1524 0.0 0.0 203000 1452 ? Ss 10:13 0:00 postgres: writer process
postgres 1525 0.0 0.0 203000 1448 ? Ss 10:13 0:00 postgres: wal writer process
postgres 1526 0.0 0.0 203268 1844 ? Ss 10:13 0:00 postgres: autovacuum launcher process
postgres 1527 0.0 0.0 174544 1556 ? Ss 10:13 0:00 postgres: stats collector process
koji 1910 0.0 0.0 103416 888 pts/0 S+ 12:02 0:00 grep --color=auto post
[koji@bpbuild001 ~]$
- Steve
>
> Also, I don't think your patch to __init__.py:_serverPrincipal() is
> correct. Try hard-coding the domain to AUTH.BEATPORTCORP.NET.
>
>> Extra arguments (starting with "host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET").
>> Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
>> -c specifies credentials cache
>> -k specifies keytab
>> (Default is credentials cache)
>> -e shows the encryption type
>> -V shows the Kerberos version and exits
>> options for credential caches:
>> -d shows the submitted authorization data types
>> -f shows credentials flags
>> -s sets exit status based on valid tgt existence
>> -a displays the address list
>> -n do not reverse-resolve
>> options for keytabs:
>> -t shows keytab entry timestamps
>> -K shows keytab entry DES keys
>> [koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> klist: Permission denied while starting keytab scan
>> [koji@bpbuild001 ~]$ logout
>> [root@bpbuild001 ~]# klist -kt /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Timestamp Principal
>> ---- ----------------- --------------------------------------------------------
>> 1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>> 1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>> 1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>> 1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>> [root@bpbuild001 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>
>> Valid starting Expires Service principal
>> 01/05/11 09:49:04 01/05/11 21:48:17 krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>
>> - Steve
>>
>> On Mon, 3 Jan 2011, Mike Bonnet wrote:
>>
>>> On 12/29/2010 11:06 AM, steve.webb at beatport.com wrote:
>>>> Still stuck here. Anyone around during the holidays that can help?
>>>
>>> Could you post the /etc/koji.conf from the client machine (the machine
>>> where you're running "koji add-user kojira")?
>>>
>>> Also, try running:
>>>
>>> klist -kt /etc/krb5.keytab \
>>> host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>
>>> and then klist, and post the output of both commands.
>>>
>>>> - Steve
>>>>
>>>> On Fri, 17 Dec 2010, steve.webb at beatport.com wrote:
>>>>
>>>>> Ok, all changed, still no-go:
>>>>>
>>>>> [root@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>>>> ## If ServerOffline is True, the server will always report a ServerOffline fault (with
>>>>> ## OfflineMessage as the fault string).
>>>>> ## If LockOut is True, the server will report a ServerOffline fault for all non-admin
>>>>> ## requests.
>>>>>
>>>>> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> AuthKeytab = /etc/krb5.keytab
>>>>> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
>>>>>
>>>>> [root@bpbuild001 ~]# klist -k /etc/krb5.keytab
>>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ---- --------------------------------------------------------------------------
>>>>> 1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> 1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> 1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> 1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> [root@bpbuild001 ~]# klist
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>>>>
>>>>> Valid starting Expires Service principal
>>>>> 12/17/10 15:36:29 12/18/10 03:30:18 krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>>>> [root@bpbuild001 ~]# su - koji
>>>>> [koji@bpbuild001 ~]$ psql
>>>>> psql (8.4.5)
>>>>> Type "help" for help.
>>>>>
>>>>> koji=> select * from users;
>>>>> id | name | password | status | usertype | krb_principal
>>>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>>> 2 | swebb | | 0 | 0 | swebb@AUTH.BEATPORTCORP.NET
>>>>> 1 | koji | | 0 | 0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> (2 rows)
>>>>>
>>>>> koji=> \q
>>>>> [koji@bpbuild001 ~]$ logout
>>>>> [root@bpbuild001 ~]# koji add-user kojira
>>>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>>>>
>>>>> Q: The error now says "Server not found" - should the principal in psql be
>>>>> host/... ??
>>>>>
>>>>> - Steve
>>>>
>>>
>>> --
>>> buildsys mailing list
>>> buildsys at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>>>
>>
>
--
Steve Webb | System Administrator
Beatport | Play With Music
------------------------------------------
2399 Blake Street, Suite 170
Denver, Colorado USA 80205
tel: +1.720.932.9103
fax: +1.720.932.9104
noc: +1.303.565.2710
mobile: +1.303.564.4269
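As an added example (not koji's code, and not something Steve or Mike posted), the Python 3 script below reproduces the realm heuristic of the `_serverPrincipal` method quoted above, checks the principal it derives against the entries of a `klist -kt` listing, and audits a keytab's ownership and mode, which is the other problem in this exchange (the `chmod 644` makes the host key readable by every local account). The hub URL, the `realm=` override, the sample `klist -kt` output and the uid/gid 48 standing in for the apache user are all assumptions constructed for the example.

```python
"""Added example (not koji's code): reproduce the realm heuristic from
koji's _serverPrincipal, check the resulting principal against what a
keytab actually holds, and audit the keytab's ownership and mode.
The realm= override and the sample klist output are assumptions made
for this example."""
import os
import re
import stat
from urllib.parse import urlsplit

# Constructed sample in the format `klist -kt /etc/krb5.keytab` prints;
# the entries mirror the ones shown in the thread.
SAMPLE_KLIST_KT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
"""

KLIST_KT_ENTRY = re.compile(
    r'^\s*(?P<kvno>\d+)\s+(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(?P<principal>\S+)\s*$')


def server_principal(baseurl, realm=None):
    """Principal a koji client will request for the hub named in baseurl.

    Mirrors the heuristic in the thread: host taken from baseurl with any
    port dropped; realm = the last three DNS labels upper-cased, or the
    whole host name if it has fewer than three labels.  realm= hard-codes
    the realm instead, which is the fix the thread settles on.
    """
    host = urlsplit(baseurl).hostname
    if not host:
        raise ValueError('baseurl has no host: %r' % baseurl)
    if realm is None:
        parts = host.split('.')
        realm = host.upper() if len(parts) < 3 else '.'.join(parts[-3:]).upper()
    return 'host/%s@%s' % (host, realm)


def parse_klist_kt(output):
    """Return [(kvno, principal), ...] from `klist -kt` output; header lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = KLIST_KT_ENTRY.match(line)
        if m:
            entries.append((int(m.group('kvno')), m.group('principal')))
    return entries


def principal_in_keytab(baseurl, klist_output, realm=None):
    """(principal, present): does the hub's keytab hold a key for the name
    the client derives?  The hub can only decrypt tickets for principals in
    its keytab, and the KDC must know the same name, or the client sees
    "Server not found in Kerberos database"."""
    principal = server_principal(baseurl, realm)
    present = principal in {p for _, p in parse_klist_kt(klist_output)}
    return principal, present


def audit_keytab_mode(mode, owner_uid, owner_gid, service_uid, service_gid=None):
    """Problems with a keytab's ownership/mode, given the values os.stat reports.

    A keytab holds the host's long-term key, so the service that must read it
    (the hub's apache user) should be the only non-root account that can.
    An empty list means the mode is acceptable.
    """
    problems = []
    if mode & stat.S_IROTH:
        problems.append('world-readable: every local account can read the host key')
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append('group- or world-writable')
    as_owner = owner_uid == service_uid and bool(mode & stat.S_IRUSR)
    as_group = (service_gid is not None and owner_gid == service_gid
                and bool(mode & stat.S_IRGRP))
    if not (as_owner or as_group or mode & stat.S_IROTH):
        problems.append('service uid %d cannot read it' % service_uid)
    if mode & stat.S_IRGRP and owner_gid != service_gid:
        problems.append('readable by group gid %d, which is not the service group' % owner_gid)
    return problems


def audit_keytab(path, service_uid, service_gid=None):
    """Apply audit_keytab_mode to a real file on disk."""
    st = os.stat(path)
    return audit_keytab_mode(st.st_mode, st.st_uid, st.st_gid, service_uid, service_gid)


if __name__ == '__main__':
    url = 'http://bpbuild001.co0.nar.beatportcorp.net/kojihub'  # assumed hub URL
    for realm in (None, 'AUTH.BEATPORTCORP.NET'):
        print(principal_in_keytab(url, SAMPLE_KLIST_KT, realm))
    # root:root 0644, as after the chmod in the thread; uid/gid 48 stand in for apache
    print(audit_keytab_mode(0o100644, 0, 0, 48, 48))
    print(audit_keytab_mode(0o100640, 0, 48, 48, 48))
```

For this host name the heuristic yields `NAR.BEATPORTCORP.NET`, not `AUTH.BEATPORTCORP.NET`, which is why the derived principal is absent from the keytab until the realm is hard-coded. On the permissions side, `0644 root:root` is flagged as world-readable; a keytab owned by root with group set to the service group and mode `0640`, or owned by the service user with mode `0600`, lets the hub read its key without exposing it to every other local account.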