On 12/17/2010 11:44 AM, steve.webb(a)beatport.com wrote:
Ok.
I got a krb ticket, gave myself admin privs, then tried to add a user as
myself and I'm still getting "authentication failed".
koji=> insert into users (name, krb_principal, status, usertype) values
('swebb', 'swebb@AUTH.BEATPORTCORP.NET', 0, 0);
INSERT 0 1
koji=> select * from users;
 id | name  | password | status | usertype | krb_principal
----+-------+----------+--------+----------+------------------------------------------
  1 | koji  |          |      0 |        0 | koji@bpbuild001.co0.nar.beatportcorp.net
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
(2 rows)
koji=> insert into user_perms (user_id, perm_id, creator_id) values (2, 1, 2);
INSERT 0 1
koji=> select * from user_perms;
 user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active
---------+---------+--------------+--------------+------------+------------+--------
       1 |       1 |            1 |              |          1 |            | t
       2 |       1 |            2 |              |          2 |            | t
(2 rows)
[root@bpbuild001 etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET
Valid starting     Expires            Service principal
12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
[root@bpbuild001 etc]# koji add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
Is there still something missing?
The koji cli expects the service principal of the hub to be host/<server
name>@<last 2 tokens of the server name>. So in your case it is trying
to look up a service principal in the BEATPORTCORP.NET domain, rather
than AUTH.BEATPORTCORP.NET. Koji should probably be determining the
domain from the client principal, rather than the DNS name. In the
meantime, you could patch __init__.py:_serverPrincipal() to return the
correct value.
- Steve Webb
On Thu, 16 Dec 2010, Anthony Messina wrote:
> On 12/16/2010 06:14 PM, steve.webb(a)beatport.com wrote:
>> [root@bpbuild001 etc]# koji add-user kojira
>> Unable to log in, no authentication methods available
>>
>> The document doesn't have any methods to verify/debug that I've gotten the
>> krb configs correct. Is there a way to debug that I've done the krb
>> configs properly?
>
> You are doing this under the root account. I'm guessing that your root
> user might not be the koji administrative user you added during setup
> and that you don't have kerberos credentials as that administrative user.
>
> If the koji admin user you created had a username of 'steve' and
> kerberos principal of steve@EXAMPLE.COM, then if you are logged in as
> 'steve' and have done a kinit steve@EXAMPLE.COM, you should then be able
> to perform the tasks.
>
> -A
>
>
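
The realm derivation described in the reply above, as an added example that is not part of the original thread and is not Koji's own code: it builds the host/ service principal once from the last two DNS labels of the server name and once from the client principal's realm, then reports whether they disagree. The function names are hypothetical, and the hub hostname is assumed to be the host shown in the thread's shell prompt and koji principal.

```python
"""Added illustration: a hostname-derived realm versus the client's realm."""


def _hostname(server):
    # Drop an optional :port and a trailing dot from the hub's server name.
    return server.split(":", 1)[0].rstrip(".")


def realm_from_hostname(server):
    """Realm guessed from DNS: last two labels of the server name, upper-cased."""
    labels = _hostname(server).split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError("not a fully qualified name: %r" % server)
    return ".".join(labels[-2:]).upper()


def realm_from_principal(principal):
    """Realm taken from the client principal (text after the last '@')."""
    name, sep, realm = principal.rpartition("@")
    if not (name and sep and realm):
        raise ValueError("principal has no realm: %r" % principal)
    return realm


def service_principal(server, realm, service="host"):
    """Format service/host@REALM for the hub."""
    return "%s/%s@%s" % (service, _hostname(server), realm)


def diagnose(server, client_principal):
    """Compare the DNS-derived lookup with one based on the client's realm."""
    guessed = realm_from_hostname(server)
    actual = realm_from_principal(client_principal)
    return {
        "dns_derived": service_principal(server, guessed),
        "client_realm": service_principal(server, actual),
        "realm_mismatch": guessed != actual,
    }


if __name__ == "__main__":
    # Assumption: the hub runs on the host named in the thread's shell prompt
    # and koji principal; the client principal is the one shown by klist.
    hub = "bpbuild001.co0.nar.beatportcorp.net"
    result = diagnose(hub, "swebb@AUTH.BEATPORTCORP.NET")
    for key in ("dns_derived", "client_realm", "realm_mismatch"):
        print("%-14s %s" % (key, result[key]))
```

When realm_mismatch is true, the two candidate principals differ only in the realm, which is the situation the reply identifies behind the "Server not found in Kerberos database" error.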