koji using krb - having problems

steve.webb at beatport.com steve.webb at beatport.com
Wed Jan 5 19:03:06 UTC 2011


> Sorry, that should have been kinit, not klist.  You'll probably need to
> run it as root.  Also, make sure /etc/krb5.keytab is readable by the
> apache user.

[root@bpbuild001 ~]# kinit -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
kinit: Password incorrect while getting initial credentials
[root@bpbuild001 ~]# chmod 644 /etc/krb5.keytab
[root@bpbuild001 ~]# ls -la /etc/krb5.keytab
-rw-r--r--. 1 root root 430 Dec 15 10:49 /etc/krb5.keytab

Ok, now my serverPrincipal() is:

    # relies on 'import urlparse' (Python 2) at module level
    def _serverPrincipal(self):
        """Get the Kerberos principal of the server we're connecting
        to, based on baseurl.  Assume the last two components of the
        server name are the Kerberos realm."""
        servername = urlparse.urlparse(self.baseurl)[1]
        # strip an explicit :port from the netloc
        portspec = servername.find(':')
        if portspec != -1:
            servername = servername[:portspec]

        # note: the docstring says two components, the code keeps three
        parts = servername.split('.')
        if len(parts) < 3:
            domain = servername.upper()
        else:
            domain = '.'.join(parts[-3:]).upper()

        # hard-coded realm, as suggested; this overrides the guess above
        domain = 'AUTH.BEATPORTCORP.NET'

        return 'host/%s@%s' % (servername, domain)


New error:

[root@bpbuild001 ~]# su - koji
[koji@bpbuild001 ~]$ koji add-user kojira
ServerOffline: database outage
[koji@bpbuild001 ~]$ ps auxw | grep post
postgres  1520  0.0  0.0 203000  5784 ?        S    10:13   0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres  1522  0.0  0.0 174412  1144 ?        Ss   10:13   0:00 postgres: logger process 
postgres  1524  0.0  0.0 203000  1452 ?        Ss   10:13   0:00 postgres: writer process 
postgres  1525  0.0  0.0 203000  1448 ?        Ss   10:13   0:00 postgres: wal writer process 
postgres  1526  0.0  0.0 203268  1844 ?        Ss   10:13   0:00 postgres: autovacuum launcher process 
postgres  1527  0.0  0.0 174544  1556 ?        Ss   10:13   0:00 postgres: stats collector process 
koji      1910  0.0  0.0 103416   888 pts/0    S+   12:02   0:00 grep --color=auto post
[koji@bpbuild001 ~]$

- Steve

>
> Also, I don't think your patch to __init__.py:_serverPrincipal() is
> correct.  Try hard-coding the domain to AUTH.BEATPORTCORP.NET.
>
>> Extra arguments (starting with "host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET").
>> Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
>>          -c specifies credentials cache
>>          -k specifies keytab
>>             (Default is credentials cache)
>>          -e shows the encryption type
>>          -V shows the Kerberos version and exits
>>          options for credential caches:
>>                  -d shows the submitted authorization data types
>>                  -f shows credentials flags
>>                  -s sets exit status based on valid tgt existence
>>                  -a displays the address list
>>                          -n do not reverse-resolve
>>          options for keytabs:
>>                  -t shows keytab entry timestamps
>>                  -K shows keytab entry DES keys
>> [koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> klist: Permission denied while starting keytab scan
>> [koji@bpbuild001 ~]$ logout
>> [root@bpbuild001 ~]# klist -kt /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>     1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>     1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>     1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>     1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>> [root@bpbuild001 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>
>> Valid starting     Expires            Service principal
>> 01/05/11 09:49:04  01/05/11 21:48:17  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>
>> - Steve
>>
>> On Mon, 3 Jan 2011, Mike Bonnet wrote:
>>
>>> On 12/29/2010 11:06 AM, steve.webb at beatport.com wrote:
>>>> Still stuck here.  Anyone around during the holidays that can help?
>>>
>>> Could you post the /etc/koji.conf from the client machine (the machine
>>> where you're running "koji add-user kojira")?
>>>
>>> Also, try running:
>>>
>>> klist -kt /etc/krb5.keytab \
>>>  host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>
>>> and then klist, and post the output of both commands.
>>>
>>>> - Steve
>>>>
>>>> On Fri, 17 Dec 2010, steve.webb at beatport.com wrote:
>>>>
>>>>> Ok, all changed, still no-go:
>>>>>
>>>>> [root@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>>>> ## If ServerOffline is True, the server will always report a ServerOffline fault (with
>>>>> ## OfflineMessage as the fault string).
>>>>> ## If LockOut is True, the server will report a ServerOffline fault for all non-admin
>>>>> ## requests.
>>>>>
>>>>> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> AuthKeytab = /etc/krb5.keytab
>>>>> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
>>>>>
>>>>> [root@bpbuild001 ~]# klist -k /etc/krb5.keytab
>>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ---- --------------------------------------------------------------------------
>>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> [root@bpbuild001 ~]# klist
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 12/17/10 15:36:29  12/18/10 03:30:18  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>>>> [root@bpbuild001 ~]# su - koji
>>>>> [koji@bpbuild001 ~]$ psql
>>>>> psql (8.4.5)
>>>>> Type "help" for help.
>>>>>
>>>>> koji=> select * from users;
>>>>>  id | name  | password | status | usertype |                         krb_principal
>>>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>>>   2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
>>>>>   1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>>> (2 rows)
>>>>>
>>>>> koji=> \q
>>>>> [koji@bpbuild001 ~]$ logout
>>>>> [root@bpbuild001 ~]# koji add-user kojira
>>>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>>>>
>>>>> Q: The error now says "Server not found" - should the principal in psql be
>>>>> host/...  ??
>>>>>
>>>>> - Steve
>>>>
>>>
>>> --
>>> buildsys mailing list
>>> buildsys at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>>>
>>
>

-- 
Steve Webb | System Administrator
Beatport | Play With Music
------------------------------------------
2399 Blake Street, Suite 170
Denver, Colorado USA 80205
tel: +1.720.932.9103
fax: +1.720.932.9104
noc: +1.303.565.2710
mobile: +1.303.564.4269
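The two recurring problems in this thread are a service principal whose realm cannot be guessed from the DNS name, and a keytab that gets opened up with chmod 644 so a non-root daemon can read it. The following is an added example, not koji's own code and not from anyone in the thread: a Python 3 helper that derives host/fqdn@REALM from a hub URL with an explicit realm override (falling back to the same last-labels heuristic the patched _serverPrincipal() used), plus a small permission audit for keytab files. The realm AUTH.BEATPORTCORP.NET and the bpbuild001 hostname come from the thread; hub.example.com and the modes are constructed for the example.

```python
# Added example, not koji's own code: derive the Kerberos service principal
# for a hub URL, and check keytab permissions before reaching for chmod 644.
# hub.example.com and the mode values are constructed; the realm
# AUTH.BEATPORTCORP.NET and bpbuild001.co0.nar.beatportcorp.net are from the thread.
import os
import stat
from urllib.parse import urlsplit


def guess_realm(hostname, labels=2):
    """Guess a realm by upper-casing the last `labels` DNS labels of hostname.

    This is the heuristic the thread's _serverPrincipal() relied on. It fails
    whenever the realm is not spelled out by the DNS name (bpbuild001.co0.nar.
    beatportcorp.net lives in AUTH.BEATPORTCORP.NET), so callers should
    prefer an explicit realm setting.
    """
    parts = hostname.split('.')
    if len(parts) <= labels:
        return hostname.upper()
    return '.'.join(parts[-labels:]).upper()


def server_principal(baseurl, realm=None, service='host'):
    """Return 'service/hostname@REALM' for the server named in baseurl.

    urlsplit().hostname already strips the port, any user:password@ part and
    IPv6 brackets, and lower-cases the name, so no manual ':' handling is
    needed. An explicit realm wins; otherwise fall back to guess_realm().
    """
    hostname = urlsplit(baseurl).hostname
    if not hostname:
        # A bare 'hostname:port/path' without a scheme ends up here: urlsplit
        # reads the hostname as the scheme and leaves .hostname empty.
        raise ValueError('baseurl %r has no host part' % baseurl)
    if realm is None:
        realm = guess_realm(hostname)
    return '%s/%s@%s' % (service, hostname, realm)


def mode_problems(mode):
    """Describe risky permission bits of a keytab's st_mode.

    A keytab holds long-term keys, equivalent to the service's password, so
    it must not be world-readable and must be writable only by its owner.
    When a non-root daemon (the apache user in the thread) has to read it,
    give that daemon's group read access (for example root:apache 0640)
    instead of chmod 644.
    """
    mode = stat.S_IMODE(mode)
    problems = []
    if mode & stat.S_IROTH:
        problems.append('world-readable (mode %o)' % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append('writable by group or others (mode %o)' % mode)
    return problems


def keytab_problems(path):
    """Run mode_problems() against a real keytab file."""
    return mode_problems(os.stat(path).st_mode)


if __name__ == '__main__':
    print(server_principal('https://bpbuild001.co0.nar.beatportcorp.net/kojihub',
                           realm='AUTH.BEATPORTCORP.NET'))
    print(server_principal('http://hub.example.com:8080/kojihub'))  # guessed realm
    for m in (0o644, 0o640, 0o600):
        print('%o: %s' % (m, mode_problems(m) or ['ok']))
```

Run it directly to see the derived principals and the verdict for each mode; in a deployment, keytab_problems('/etc/krb5.keytab') is the check to run before (and after) changing the file's permissions.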

