On 01/05/2011 02:03 PM, steve.webb(a)beatport.com wrote:
> Sorry, that should have been kinit, not klist. You'll probably need to
> run it as root. Also, make sure /etc/krb5.keytab is readable by the
> apache user.
[root@bpbuild001 ~]# kinit -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
kinit: Password incorrect while getting initial credentials
This means that keytab is not valid. You should delete it and generate
a new one for the same principal.
[root@bpbuild001 ~]# chmod 644 /etc/krb5.keytab
[root@bpbuild001 ~]# ls -la /etc/krb5.keytab
-rw-r--r--. 1 root root 430 Dec 15 10:49 /etc/krb5.keytab
Ok, now my serverPrincipal() is:
def _serverPrincipal(self):
    """Get the Kerberos principal of the server we're connecting
    to, based on baseurl. Assume the last two components of the
    server name are the Kerberos realm."""
    servername = urlparse.urlparse(self.baseurl)[1]
    portspec = servername.find(':')
    if portspec != -1:
        servername = servername[:portspec]
    parts = servername.split('.')
    if len(parts) < 3:
        domain = servername.upper()
    else:
        domain = '.'.join(parts[-3:]).upper()
    # hard-coded realm overrides the domain derived above
    domain = 'AUTH.BEATPORTCORP.NET'
    return 'host/%s@%s' % (servername, domain)
New error:
[root@bpbuild001 ~]# su - koji
[koji@bpbuild001 ~]$ koji add-user kojira
ServerOffline: database outage
This is unrelated to Kerberos auth. Check that your database is
functioning properly, and that the apache user can connect to it.
Let's take this off the mailing list. If you have further issues, please
email me directly.
[koji@bpbuild001 ~]$ ps auxw | grep post
postgres 1520 0.0 0.0 203000 5784 ? S 10:13 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres 1522 0.0 0.0 174412 1144 ? Ss 10:13 0:00 postgres: logger process
postgres 1524 0.0 0.0 203000 1452 ? Ss 10:13 0:00 postgres: writer process
postgres 1525 0.0 0.0 203000 1448 ? Ss 10:13 0:00 postgres: wal writer process
postgres 1526 0.0 0.0 203268 1844 ? Ss 10:13 0:00 postgres: autovacuum launcher process
postgres 1527 0.0 0.0 174544 1556 ? Ss 10:13 0:00 postgres: stats collector process
koji 1910 0.0 0.0 103416 888 pts/0 S+ 12:02 0:00 grep --color=auto post
[koji@bpbuild001 ~]$
- Steve
>
> Also, I don't think your patch to __init__.py:_serverPrincipal() is
> correct. Try hard-coding the domain to AUTH.BEATPORTCORP.NET.
>
>> Extra arguments (starting with "host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET").
>> Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
>> -c specifies credentials cache
>> -k specifies keytab
>> (Default is credentials cache)
>> -e shows the encryption type
>> -V shows the Kerberos version and exits
>> options for credential caches:
>> -d shows the submitted authorization data types
>> -f shows credentials flags
>> -s sets exit status based on valid tgt existence
>> -a displays the address list
>> -n do not reverse-resolve
>> options for keytabs:
>> -t shows keytab entry timestamps
>> -K shows keytab entry DES keys
>> [koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> klist: Permission denied while starting keytab scan
>> [koji@bpbuild001 ~]$ logout
>> [root@bpbuild001 ~]# klist -kt /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Timestamp Principal
>> ---- ----------------- --------------------------------------------------------
>> 1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>> 1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>> 1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>> 1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>> [root@bpbuild001 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: swebb(a)AUTH.BEATPORTCORP.NET
>>
>> Valid starting Expires Service principal
>> 01/05/11 09:49:04 01/05/11 21:48:17 krbtgt/AUTH.BEATPORTCORP.NET(a)AUTH.BEATPORTCORP.NET
>>
>> - Steve
>>
>> On Mon, 3 Jan 2011, Mike Bonnet wrote:
>>
>>> On 12/29/2010 11:06 AM, steve.webb(a)beatport.com wrote:
>>>> Still stuck here. Anyone around during the holidays that can help?
>>>
>>> Could you post the /etc/koji.conf from the client machine (the machine
>>> where you're running "koji add-user kojira")?
>>>
>>> Also, try running:
>>>
>>> klist -kt /etc/krb5.keytab \
>>> host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>>>
>>> and then klist, and post the output of both commands.
>>>
>>>> - Steve
>>>>
>>>> On Fri, 17 Dec 2010, steve.webb(a)beatport.com wrote:
>>>>
>>>>> Ok, all changed, still no-go:
>>>>>
>>>>> [root@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>>>> ## If ServerOffline is True, the server will always report a ServerOffline fault (with
>>>>> ## OfflineMessage as the fault string).
>>>>> ## If LockOut is True, the server will report a ServerOffline fault for all non-admin
>>>>> ## requests.
>>>>>
>>>>> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>>>>> AuthKeytab = /etc/krb5.keytab
>>>>> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>>>>> HostPrincipalFormat = compile/%s(a)AUTH.BEATPORTCORP.NET
>>>>>
>>>>> [root@bpbuild001 ~]# klist -k /etc/krb5.keytab
>>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ---- --------------------------------------------------------------------------
>>>>> 1 host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>>>>> 1 host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>>>>> 1 host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>>>>> 1 host/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>>>>> [root@bpbuild001 ~]# klist
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: swebb(a)AUTH.BEATPORTCORP.NET
>>>>>
>>>>> Valid starting Expires Service principal
>>>>> 12/17/10 15:36:29 12/18/10 03:30:18 krbtgt/AUTH.BEATPORTCORP.NET(a)AUTH.BEATPORTCORP.NET
>>>>> [root@bpbuild001 ~]# su - koji
>>>>> [koji@bpbuild001 ~]$ psql
>>>>> psql (8.4.5)
>>>>> Type "help" for help.
>>>>>
>>>>> koji=> select * from users;
>>>>> id | name | password | status | usertype | krb_principal
>>>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>>> 2 | swebb | | 0 | 0 | swebb(a)AUTH.BEATPORTCORP.NET
>>>>> 1 | koji | | 0 | 0 | koji/bpbuild001.co0.nar.beatportcorp.net(a)AUTH.BEATPORTCORP.NET
>>>>> (2 rows)
>>>>>
>>>>> koji=> \q
>>>>> [koji@bpbuild001 ~]$ logout
>>>>> [root@bpbuild001 ~]# koji add-user kojira
>>>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>>>>
>>>>> Q: The error now says "Server not found" - should the principal in psql be
>>>>> host/... ??
>>>>>
>>>>> - Steve
>>>>
>>>
>>> --
>>> buildsys mailing list
>>> buildsys(a)lists.fedoraproject.org
>>>
https://admin.fedoraproject.org/mailman/listinfo/buildsys
>>>
>>
>
>
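The two problems the thread circles around are (1) the client deriving a service principal whose realm does not match the keytab, and (2) nobody checking, before debugging auth, that the principal the hub is configured with actually exists in /etc/krb5.keytab. The following is an added illustration, not koji's code and not code from anyone in the thread: it derives the principal the way koji's _serverPrincipal does (with an explicit realm override instead of a hard-coded one), and parses `klist -kt` text to confirm the principal is present. It is written for Python 3 (urllib.parse instead of the urlparse module used in the patch above); the klist lines are constructed from the listing in the thread with the archive's `(a)` restored to `@`.

```python
"""Derive a Kerberos service principal for a hub URL and check it against a
keytab listing.  Added example for the koji/Kerberos thread; not koji code."""
from urllib.parse import urlparse

# Constructed sample in the shape of 'klist -kt /etc/krb5.keytab' output,
# modelled on the listing in the thread ('(a)' restored to '@').
SAMPLE_KLIST_OUTPUT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
"""


def server_principal(baseurl, realm=None, service="host", realm_labels=2):
    """Return '<service>/<hostname>@<REALM>' for the server named in baseurl.

    urlparse(...).hostname already drops any ':port' suffix, so the manual
    ':' search in the thread's patch is not needed.  When realm is None the
    last realm_labels DNS labels are upper-cased and used as the realm, which
    is the guess koji's _serverPrincipal makes; a realm that is not a suffix
    of the hostname (AUTH.BEATPORTCORP.NET in the thread) has to be passed
    explicitly, otherwise the client asks the KDC for a service ticket that
    does not exist and gets 'Server not found in Kerberos database'.
    """
    hostname = urlparse(baseurl).hostname
    if not hostname:
        raise ValueError("no hostname in %r" % (baseurl,))
    if realm is None:
        parts = hostname.split(".")
        realm = ".".join(parts[-realm_labels:]).upper()
    return "%s/%s@%s" % (service, hostname, realm)


def keytab_principals(klist_output):
    """Parse 'klist -kt' text into a list of (kvno, principal) tuples.

    Data rows have exactly four fields: KVNO, date, time, principal.  The
    'Keytab name:' line, the column header and the dashed rule have three,
    so they are skipped without any special casing.
    """
    entries = []
    for line in klist_output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit() and "@" in fields[3]:
            entries.append((int(fields[0]), fields[3]))
    return entries


def keytab_has_principal(klist_output, principal):
    """True if principal appears in the keytab listing (any KVNO/enctype)."""
    return any(p == principal for _, p in keytab_principals(klist_output))


if __name__ == "__main__":
    hub = "http://bpbuild001.co0.nar.beatportcorp.net/kojihub"  # constructed URL
    guessed = server_principal(hub)
    explicit = server_principal(hub, realm="AUTH.BEATPORTCORP.NET")
    print("guessed realm :", guessed, keytab_has_principal(SAMPLE_KLIST_OUTPUT, guessed))
    print("explicit realm:", explicit, keytab_has_principal(SAMPLE_KLIST_OUTPUT, explicit))
```

Run against the sample, the guessed principal (realm BEATPORTCORP.NET) is absent from the keytab and the explicit one is present, which is exactly the mismatch the hard-coded domain in the patch papers over. A matching principal name is necessary but not sufficient: the `kinit -kt` failure earlier in the thread ("Password incorrect") means the key material in the keytab no longer matches the KDC, which no listing can detect, so a `kinit -kt` against the keytab remains the real test.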