He can get a valid ticket for steve@EXAMPLE.COM even if he logs in as root...
Steve, do you want us to take a look at your configs? And can you provide a step-by-step example of what you have done?
-of
Anthony Messina amessina@messinet.com wrote:
On 12/16/2010 06:14 PM, steve.webb@beatport.com wrote:
[root@bpbuild001 etc]# koji add-user kojira
Unable to log in, no authentication methods available

The document doesn't have any methods to verify/debug that I've gotten the krb configs correct. Is there a way to debug that I've done the krb configs properly?
You are doing this under the root account. I'm guessing that your root user might not be the koji administrative user you added during setup and that you don't have kerberos credentials as that administrative user.
If the koji admin user you created had a username of 'steve' and kerberos principal of steve@EXAMPLE.COM, then if you are logged in as 'steve' and have done a kinit steve@EXAMPLE.COM, you should then be able to perform the tasks.
-A
-- Anthony - http://messinet.com - http://messinet.com/~amessina/gallery 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-- buildsys mailing list buildsys@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/buildsys
Steve, do you want us to take a look at your configs? And can you provide a step-by-step example of what you have done?
Sure.
I went through the http://fedoraproject.org/wiki/Koji/ServerHowTo document and followed the kerberos installation instructions.

* I set up a DNS record as instructed (_kerberos._udp IN SRV 10 100 88 ...)
* I added the principals into IPA but used: host/kojihub@bpbuild001.co0.beatportcorp.net not host/kojihub@AUTH.BEATPORCORP.NET (could this be an issue?)
All krb principals added to IPA for koji:
# ipa-addservice host/bpbuild001.co0.nar.beatportcorp.net
# ipa-addservice HTTP/bpbuild001.co0.nar.beatportcorp.net
# ipa-addservice koji/bpbuild001.co0.nar.beatportcorp.net
# ipa-addservice compile/bpbuild001.co0.nar.beatportcorp.net

* I set up psql - seems to be working properly.
* I can get a normal krb ticket as myself on the koji server just fine
* I inserted the users into psql as instructed on the howto
* Some config files:

/etc/koji-hub/hub.conf:

[hub]
DBName = koji
DBUser = koji
DBHost = bpbuild001.co0
KojiDir = /data/koji
LoginCreatesUser = On
KojiWebURL = http://bpbuild001.co0.nar.beatportcorp.net/koji
NotifyOnSuccess = True
AuthPrincipal host/bpbuild001.co0.nar.beatportcorp.net
AuthKeytab /etc/koji.keytab
ProxyPrincipals koji/bpbuild001.co0.nar.beatportcorp.net
HostPrincipalFormat compile/bpbuild001.co0.nar.beatportcorp.net
Anything else you need from me to help debug?
- Steve Webb
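Added example, not part of the original thread and not Koji code: a small check for the Kerberos-related lines of a hub.conf like the one quoted above. It assumes the file is INI-style (as the `DBName = koji` lines suggest) and that principals are normally written with an explicit `@REALM`; the function name and the sample text are constructed for illustration, and the findings are things to review, not a diagnosis of this thread's problem.

```python
import re

# Constructed sample: Kerberos-related lines copied from the hub.conf quoted above.
SAMPLE_HUB_CONF = """\
[hub]
DBName = koji
DBUser = koji
AuthPrincipal host/bpbuild001.co0.nar.beatportcorp.net
AuthKeytab /etc/koji.keytab
ProxyPrincipals koji/bpbuild001.co0.nar.beatportcorp.net
HostPrincipalFormat compile/bpbuild001.co0.nar.beatportcorp.net
"""

PRINCIPAL_KEYS = {"AuthPrincipal", "ProxyPrincipals", "HostPrincipalFormat"}
KRB_KEYS = PRINCIPAL_KEYS | {"AuthKeytab"}


def lint_hub_conf(text):
    """Return (lineno, key, finding) tuples for the Kerberos settings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue  # blank line, comment, or section header
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
        else:
            # No '=' or ':' delimiter: an INI parser will not read this
            # line as a key/value pair.
            key, _, value = line.partition(" ")
            value = value.strip()
            if key in KRB_KEYS:
                findings.append((lineno, key, "no '=' delimiter"))
        if key in PRINCIPAL_KEYS:
            # Report principals that rely on the default realm.
            for principal in value.replace(",", " ").split():
                if "@" not in principal:
                    findings.append(
                        (lineno, key, "no explicit @REALM: " + principal))
    return findings


if __name__ == "__main__":
    for lineno, key, finding in lint_hub_conf(SAMPLE_HUB_CONF):
        print("line %d: %s: %s" % (lineno, key, finding))
```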
On 12/17/2010 01:51 AM, Oliver Falk wrote:
He can get a valid ticket for steve@EXAMPLE.COM even if he logs in as root...
of course. it's just an easy thing to forget. glad you guys found the real solution.