Hello there.
I'm having some problems running koji using kerberos authentication.
I've verified that I have standard kerberos authentication from the machine. I've followed the http://fedoraproject.org/wiki/Koji/ServerHowTo howto document and I'm up to the point where I'm trying to use the koji cli to create a user and I'm getting:
The end of my koji-hub/hub.conf file looks like this:
AuthPrincipal host/bpbuild001.co0.nar.beatportcorp.net
AuthKeytab /etc/koji.keytab
ProxyPrincipals koji/bpbuild001.co0.nar.beatportcorp.net
HostPrincipalFormat compile/bpbuild001.co0.nar.beatportcorp.net
[root@bpbuild001 etc]# koji --authtype=kerberos add-user kojira
Kerberos authentication failed: No credentials cache found (-1765328189)
[root@bpbuild001 etc]# koji add-user kojira
Unable to log in, no authentication methods available
The document doesn't have any methods to verify/debug that I've gotten the krb configs correct. Is there a way to debug that I've done the krb configs properly?
- Steve Webb
On 12/16/2010 06:14 PM, steve.webb@beatport.com wrote:
[root@bpbuild001 etc]# koji add-user kojira
Unable to log in, no authentication methods available
The document doesn't have any methods to verify/debug that I've gotten the krb configs correct. Is there a way to debug that I've done the krb configs properly?
You are doing this under the root account. I'm guessing that your root user might not be the koji administrative user you added during setup and that you don't have kerberos credentials as that administrative user.
If the koji admin user you created had a username of 'steve' and kerberos principal of steve@EXAMPLE.COM, then if you are logged in as 'steve' and have done a kinit steve@EXAMPLE.COM, you should then be able to perform the tasks.
-A
Ok.
I got a krb ticket, gave myself admin privs, then tried to add a user as myself and I'm still getting "authentication failed".
koji=> insert into users (name, krb_principal, status, usertype) values ('swebb', 'swebb@AUTH.BEATPORTCORP.NET', 0, 0);
INSERT 0 1
koji=> select * from users;
 id | name  | password | status | usertype | krb_principal
----+-------+----------+--------+----------+------------------------------------------
  1 | koji  |          |      0 |        0 | koji@bpbuild001.co0.nar.beatportcorp.net
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
(2 rows)

koji=> insert into user_perms (user_id, perm_id, creator_id) values (2, 1, 2);
INSERT 0 1
koji=> select * from user_perms;
 user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active
---------+---------+--------------+--------------+------------+------------+--------
       1 |       1 |            1 |              |          1 |            | t
       2 |       1 |            2 |              |          2 |            | t
(2 rows)
[root@bpbuild001 etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
[root@bpbuild001 etc]# koji add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
Is there still something missing?
- Steve Webb
On Thu, 16 Dec 2010, Anthony Messina wrote:
On 12/17/2010 11:44 AM, steve.webb@beatport.com wrote:
The koji cli expects the service principal of the hub to be host/<server name>@<last 2 tokens of the server name>. So in your case it is trying to lookup a service principal in the BEATPORTCORP.NET domain, rather than AUTH.BEATPORTCORP.NET. Koji should probably be determining the domain from the client principal, rather than the DNS name. In the meantime, you could patch __init__.py:_serverPrincipal() to return the correct value.
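The derivation Mike describes, worked through as an added example (written for this page, not koji's own code). It re-implements the "last two DNS labels are the realm" rule against the hub URL posted later in the thread, shows that bumping the rule to three labels only moves the guess to NAR.BEATPORTCORP.NET, and shows the alternative Mike suggests: taking the realm from the client's own principal, the one klist prints as "Default principal". The hub URL and client principal are the ones from the thread; the function and parameter names are this example's own, and it is Python 3 (koji of this era was Python 2).

```python
from urllib.parse import urlparse

# The koji CLI of this era assumed the last two DNS labels of the hub's
# hostname spelled the Kerberos realm.
DEFAULT_REALM_LABELS = 2


def hub_hostname(baseurl):
    """Host part of the hub URL, with any :port suffix removed."""
    netloc = urlparse(baseurl).netloc
    host, _sep, _port = netloc.partition(':')
    return host


def realm_from_hostname(hostname, labels=DEFAULT_REALM_LABELS):
    """koji's rule: upper-case the last `labels` DNS labels (the whole
    name when it has fewer labels than that)."""
    parts = hostname.split('.')
    if len(parts) < labels:
        return hostname.upper()
    return '.'.join(parts[-labels:]).upper()


def realm_from_client_principal(principal):
    """Realm of a 'primary[/instance]@REALM' principal, e.g. the one
    klist shows as 'Default principal' after kinit."""
    _name, sep, realm = principal.rpartition('@')
    if not sep or not realm:
        raise ValueError('client principal %r carries no @REALM' % principal)
    return realm


def server_principal(baseurl, realm=None, labels=DEFAULT_REALM_LABELS):
    """Service principal the client asks the KDC for a ticket to.

    With realm=None this is koji's hostname-derived guess; pass the realm
    from the client's credentials to get the alternative from the thread.
    A guess for a principal the KDC does not have is exactly what the KDC
    answers with 'Server not found in Kerberos database'."""
    host = hub_hostname(baseurl)
    if realm is None:
        realm = realm_from_hostname(host, labels)
    return 'host/%s@%s' % (host, realm)


if __name__ == '__main__':
    hub = 'http://bpbuild001.co0.nar.beatportcorp.net/kojihub'  # server= from the posted /etc/koji.conf
    client = 'swebb@AUTH.BEATPORTCORP.NET'                      # Default principal from the posted klist
    print('2 labels (koji default): ', server_principal(hub))
    print("3 labels (Steve's patch): ", server_principal(hub, labels=3))
    print('realm from client:        ',
          server_principal(hub, realm=realm_from_client_principal(client)))
```

Run stand-alone it prints host/bpbuild001.co0.nar.beatportcorp.net with the realms BEATPORTCORP.NET, NAR.BEATPORTCORP.NET and AUTH.BEATPORTCORP.NET in turn; only the last exists in the keytab shown later in the thread. The hostname rule also makes the realm guess depend on DNS naming rather than on anything authenticated, which is one more reason to prefer the realm the client already holds a TGT for.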
I just changed it to accept 3 parts to the server name by changing the 2s to 3s in /usr/lib/python2.7/site-packages/koji/__init__.py
    def _serverPrincipal(self):
        """Get the Kerberos principal of the server we're connecting to,
        based on baseurl. Assume the last two components of the server
        name are the Kerberos realm."""
        servername = urlparse.urlparse(self.baseurl)[1]
        portspec = servername.find(':')
        if portspec != -1:
            servername = servername[:portspec]

        parts = servername.split('.')
        if len(parts) < 3:
            domain = servername.upper()
        else:
            domain = '.'.join(parts[-3:]).upper()

        return 'host/%s@%s' % (servername, domain)
Still getting authentication failure:
[root@bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET

[root@bpbuild001 ~]# koji add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
On 12/17/2010 12:35 PM, steve.webb@beatport.com wrote:
Assuming your hub is running on bpbuild001.co0.nar.beatportcorp.net, your /etc/koji-hub/hub.conf should have:
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
and AuthKeytab should be pointing at a keytab for that principal.
Yes, this could be a lot more flexible.
Ok, I'm still not getting access to krb, but I feel that I'm getting close. (Thanks for all of your help already, BTW)
[root@bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
12/17/10 14:27:51  12/18/10 02:27:09  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET

[root@bpbuild001 ~]# su - koji
[koji@bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.

koji=> select * from user_perms;
 user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active
---------+---------+--------------+--------------+------------+------------+--------
       1 |       1 |            1 |              |          1 |            | t
       2 |       1 |            2 |              |          2 |            | t
(2 rows)

koji=> select * from users;
 id | name  | password | status | usertype | krb_principal
----+-------+----------+--------+----------+------------------------------------------
  1 | koji  |          |      0 |        0 | koji@bpbuild001.co0.nar.beatportcorp.net
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
(2 rows)

koji=>
[koji@bpbuild001 ~]$ logout
[root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
[root@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
[root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
[root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Key table entry not found (-1765328203)
[root@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET --authtype=kerberos add-user kojira
Kerberos authentication failed: Key table entry not found (-1765328203)
My keytabs that I've been trying:
/etc/krb5.keytab:  host/bpbuild001.co0.nar.beatportcorp.net
/etc/koji.keytab:  koji/bpbuild001.co0.nar.beatportcorp.net
/etc/koji2.keytab: host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
I've tried many combinations but none of them seem to be working. The most common errors are (in order of # of occurrences):
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
Kerberos authentication failed: Key table entry not found (-1765328203)
I'm very good with kerberos, but I'm hoping that this may help us get close to getting kerberos working.
Is there a way to turn on logging for the kerberos authentication stuff somewhere? Using --debug doesn't seem to provide any additional information.
My /etc/koji-hub/hub.conf now:
[snip]
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net
HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net
[snip]
Thanks again.
- Steve
On Fri, 17 Dec 2010, Mike Bonnet wrote:
buildsys mailing list buildsys@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/buildsys
Actually, all of my keytabs look very similar:
[root@bpbuild001 ~]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]# klist -k /etc/koji.keytab
Keytab name: WRFILE:/etc/koji.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]# klist -k /etc/koji2.keytab
Keytab name: WRFILE:/etc/koji2.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   2 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   2 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   2 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]#
- Steve
There are 2 principals we're talking about here, the server principal (host/...) and your client principal swebb@...
When using "koji --authtype=kerberos" it will automatically use your client principal, assuming you have kinit'ed successfully. You should never be passing --principal or --keytab to the koji cli under normal usage.
On 12/17/2010 04:51 PM, steve.webb@beatport.com wrote:
koji=> select * from users;
 id | name  | password | status | usertype | krb_principal
----+-------+----------+--------+----------+------------------------------------------
  1 | koji  |          |      0 |        0 | koji@bpbuild001.co0.nar.beatportcorp.net
That is not a valid krb_principal, it should be:
koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
(2 rows)
My keytabs that I've been trying:
/etc/krb5.keytab:  host/bpbuild001.co0.nar.beatportcorp.net
/etc/koji.keytab:  koji/bpbuild001.co0.nar.beatportcorp.net
/etc/koji2.keytab: host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
This is the keytab that you should be referencing in AuthKeytab in /etc/koji-hub/hub.conf.
My /etc/koji-hub/hub.conf now:
[snip]
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net
You need to append @AUTH.BEATPORTCORP.NET to this.
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net
Same here.
HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net
Same here. Also, you need to leave the %s, it'll be substituted for the hostname of each different builder.
[snip]
Ok, all changed, still no-go:
[root@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
## If ServerOffline is True, the server will always report a ServerOffline fault (with
## OfflineMessage as the fault string).
## If LockOut is True, the server will report a ServerOffline fault for all non-admin
## requests.

AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET

[root@bpbuild001 ~]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
12/17/10 15:36:29  12/18/10 03:30:18  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]# su - koji
[koji@bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.

koji=> select * from users;
 id | name  | password | status | usertype | krb_principal
----+-------+----------+--------+----------+----------------------------------------------------------------
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
  1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
(2 rows)

koji=> \q
[koji@bpbuild001 ~]$ logout
[root@bpbuild001 ~]# koji add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
Q: The error now says "Server not found" - should the principal in psql be host/... ??
- Steve
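The checks Mike walks through in his inline reply (every hub principal carries an @REALM, HostPrincipalFormat keeps its %s, AuthPrincipal is actually in the keytab AuthKeytab names, the koji row's krb_principal matches ProxyPrincipals), collected into one script as an added example. This is not koji code and not from the thread; the inputs are constructed from what Steve posted: the hub.conf fragment before and after the realms were appended, the `klist -k /etc/krb5.keytab` listing, and the krb_principal column of the users table before and after the koji row was corrected. The function names are this example's own.

```python
import re

# Constructed from the thread: hub.conf Kerberos settings as first posted
# (no realms, no %s) and after Mike's corrections, the `klist -k` listing
# of the keytab AuthKeytab points at, and users.krb_principal before and
# after the koji row was fixed.
HUB_CONF_BEFORE = """\
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net
HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net
"""
HUB_CONF_AFTER = """\
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
"""
KLIST_K = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
"""
USERS_BEFORE = ['koji@bpbuild001.co0.nar.beatportcorp.net', 'swebb@AUTH.BEATPORTCORP.NET']
USERS_AFTER = ['koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET',
               'swebb@AUTH.BEATPORTCORP.NET']
PRINCIPAL_KEYS = ('AuthPrincipal', 'ProxyPrincipals', 'HostPrincipalFormat')


def parse_hub_conf(text):
    """'key = value' lines into a dict; blank, '#' and '[section]' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        key, sep, value = line.partition('=')
        if sep and not line.startswith('#'):
            conf[key.strip()] = value.strip()
    return conf


def parse_klist_k(text):
    """Principals listed by `klist -k` or `klist -kt`: the last field of
    every row that starts with a KVNO."""
    return {m.group(1) for m in re.finditer(r'^\s*\d+\s.*?(\S+)\s*$', text, re.M)}


def realm_of(principal):
    _primary, sep, realm = principal.rpartition('@')
    return realm if sep and realm else None


def conf_principals(conf):
    """(key, principal) pairs for the three principal-valued settings."""
    for key in PRINCIPAL_KEYS:
        for principal in conf.get(key, '').split(','):
            yield key, principal.strip()


def lint_hub_conf(conf, keytab_principals):
    """Problems with the hub's Kerberos settings; [] means consistent."""
    findings = []
    for key, principal in conf_principals(conf):
        if not principal:
            findings.append('%s is not set' % key)
        elif realm_of(principal) is None:
            findings.append('%s: %s has no @REALM' % (key, principal))
    realms = {realm_of(p) for _k, p in conf_principals(conf) if realm_of(p)}
    if len(realms) > 1:
        findings.append('principals span several realms: ' + ', '.join(sorted(realms)))
    if '%s' not in conf.get('HostPrincipalFormat', ''):
        findings.append('HostPrincipalFormat lacks the %s builder-hostname placeholder')
    auth = conf.get('AuthPrincipal')
    if auth and auth not in keytab_principals:
        findings.append('AuthPrincipal %s is not in %s' % (auth, conf.get('AuthKeytab', '<unset>')))
    return findings


def lint_users(krb_principals, conf):
    """users.krb_principal must carry the hub's realm, and every
    ProxyPrincipals entry needs a users row or the hub cannot map it."""
    realms = {realm_of(p) for _k, p in conf_principals(conf) if realm_of(p)}
    findings = []
    for p in krb_principals:
        if realm_of(p) is None:
            findings.append(p + ' has no @REALM')
        elif realms and realm_of(p) not in realms:
            findings.append('%s: realm is not one of %s' % (p, ', '.join(sorted(realms))))
    for key, proxy in conf_principals(conf):
        if key == 'ProxyPrincipals' and proxy and proxy not in krb_principals:
            findings.append('ProxyPrincipals entry %s has no users row' % proxy)
    return findings


if __name__ == '__main__':
    keytab = parse_klist_k(KLIST_K)
    for label, text, users in (('before', HUB_CONF_BEFORE, USERS_BEFORE),
                               ('after', HUB_CONF_AFTER, USERS_AFTER)):
        conf = parse_hub_conf(text)
        for finding in lint_hub_conf(conf, keytab) + lint_users(users, conf):
            print('%s: %s' % (label, finding))
```

Against the "before" inputs it reports the missing realms, the missing %s, an AuthPrincipal that is not in /etc/krb5.keytab, and a ProxyPrincipals entry with no matching users row (the `koji@<hostname>` row Mike flags); the "after" inputs produce no findings. Note that this only checks the hub side is self-consistent; the client still has to request the right service principal, which is the separate CLI-side issue discussed earlier in the thread.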
Still stuck here. Anyone around during the holidays that can help?
- Steve
On Fri, 17 Dec 2010, steve.webb@beatport.com wrote:
On 12/29/2010 11:06 AM, steve.webb@beatport.com wrote:
Still stuck here. Anyone around during the holidays that can help?
Could you post the /etc/koji.conf from the client machine (the machine where you're running "koji add-user kojira")?
Also, try running:
klist -kt /etc/krb5.keytab \ host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
and then klist, and post the output of both commands.
[koji@bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.

koji=> select * from users;
 id | name  | password | status | usertype | krb_principal
----+-------+----------+--------+----------+----------------------------------------------------------------
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
  1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
(2 rows)

koji=> \q
[koji@bpbuild001 ~]$ koji add-user kojira
Kerberos authentication failed: Matching credential not found (-1765328243)
[koji@bpbuild001 ~]$ kinit swebb
Password for swebb@AUTH.BEATPORTCORP.NET:
[koji@bpbuild001 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
01/05/11 10:15:13  01/05/11 22:14:30  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
[koji@bpbuild001 ~]$ cat /etc/koji.conf
[koji]

;configuration for koji cli tool

;url of XMLRPC server
server = http://bpbuild001.co0.nar.beatportcorp.net/kojihub

;url of web interface
weburl = http://bpbuild001.co0.nar.beatportcorp.net/koji

;url of package download site
pkgurl = http://bpbuild001.co0.nar.beatportcorp.net/packages

;path to the koji top directory
topdir = /mnt/koji

;configuration for SSL authentication

;client certificate
cert = ~/.fedora.cert

;certificate of the CA that issued the client certificate
ca = ~/.fedora-server-ca.cert

;certificate of the CA that issued the HTTP server certificate
serverca = ~/.fedora-server-ca.cert
[koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
Extra arguments (starting with "host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET").
Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
        -c specifies credentials cache
        -k specifies keytab (Default is credentials cache)
        -e shows the encryption type
        -V shows the Kerberos version and exits
        options for credential caches:
                -d shows the submitted authorization data types
                -f shows credentials flags
                -s sets exit status based on valid tgt existence
                -a displays the address list
                        -n do not reverse-resolve
        options for keytabs:
                -t shows keytab entry timestamps
                -K shows keytab entry DES keys
[koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
klist: Permission denied while starting keytab scan
[koji@bpbuild001 ~]$ logout
[root@bpbuild001 ~]# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
01/05/11 09:49:04  01/05/11 21:48:17  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
- Steve
On Mon, 3 Jan 2011, Mike Bonnet wrote:
On 12/29/2010 11:06 AM, steve.webb@beatport.com wrote:
Still stuck here. Anyone around during the holidays that can help?
Could you post the /etc/koji.conf from the client machine (the machine where you're running "koji add-user kojira")?
Also, try running:
klist -kt /etc/krb5.keytab \
    host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
and then klist, and post the output of both commands.
- Steve
On Fri, 17 Dec 2010, steve.webb@beatport.com wrote:
Ok, all changed, still no-go:
[root@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
## If ServerOffline is True, the server will always report a ServerOffline fault (with
## OfflineMessage as the fault string).
## If LockOut is True, the server will report a ServerOffline fault for all non-admin
## requests.

AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET

[root@bpbuild001 ~]# klist -k /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
12/17/10 15:36:29  12/18/10 03:30:18  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]# su - koji
[koji@bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.

koji=> select * from users;
 id | name  | password | status | usertype |                         krb_principal
----+-------+----------+--------+----------+----------------------------------------------------------------
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
  1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
(2 rows)

koji=> \q
[koji@bpbuild001 ~]$ logout
[root@bpbuild001 ~]# koji add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
Q: The error now says "Server not found" - should the principal in psql be host/... ??
- Steve
-- buildsys mailing list buildsys@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/buildsys
On 01/05/2011 12:19 PM, steve.webb@beatport.com wrote:
[koji@bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.

koji=> select * from users;
 id | name  | password | status | usertype |                         krb_principal
----+-------+----------+--------+----------+----------------------------------------------------------------
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
  1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
(2 rows)

koji=> \q
[koji@bpbuild001 ~]$ koji add-user kojira
Kerberos authentication failed: Matching credential not found (-1765328243)
[koji@bpbuild001 ~]$ kinit swebb
Password for swebb@AUTH.BEATPORTCORP.NET:
[koji@bpbuild001 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
01/05/11 10:15:13  01/05/11 22:14:30  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
[koji@bpbuild001 ~]$ cat /etc/koji.conf
[koji]
;configuration for koji cli tool
;url of XMLRPC server
server = http://bpbuild001.co0.nar.beatportcorp.net/kojihub
;url of web interface
weburl = http://bpbuild001.co0.nar.beatportcorp.net/koji
;url of package download site
pkgurl = http://bpbuild001.co0.nar.beatportcorp.net/packages
;path to the koji top directory
topdir = /mnt/koji
;configuration for SSL authentication
;client certificate
cert = ~/.fedora.cert
;certificate of the CA that issued the client certificate
ca = ~/.fedora-server-ca.cert
;certificate of the CA that issued the HTTP server certificate
serverca = ~/.fedora-server-ca.cert
[koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
Sorry, that should have been kinit, not klist. You'll probably need to run it as root. Also, make sure /etc/krb5.keytab is readable by the apache user.
Also, I don't think your patch to __init__.py:_serverPrincipal() is correct. Try hard-coding the domain to AUTH.BEATPORTCORP.NET.
Sorry, that should have been kinit, not klist. You'll probably need to run it as root. Also, make sure /etc/krb5.keytab is readable by the apache user.
[root@bpbuild001 ~]# kinit -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
kinit: Password incorrect while getting initial credentials
[root@bpbuild001 ~]# chmod 644 /etc/krb5.keytab
[root@bpbuild001 ~]# ls -la /etc/krb5.keytab
-rw-r--r--. 1 root root 430 Dec 15 10:49 /etc/krb5.keytab
Ok, now my serverPrincipal() is:
    # Method of the client session class in koji/__init__.py; the module
    # already does `import urlparse` (Python 2) at the top of the file.
    def _serverPrincipal(self):
        """Get the Kerberos principal of the server we're connecting to,
        based on baseurl. Assume the last two components of the server
        name are the Kerberos realm."""
        servername = urlparse.urlparse(self.baseurl)[1]
        portspec = servername.find(':')
        if portspec != -1:
            servername = servername[:portspec]

        # Local patch: take the last three labels rather than the two the
        # docstring describes (for this hub that gives NAR.BEATPORTCORP.NET).
        parts = servername.split('.')
        if len(parts) < 3:
            domain = servername.upper()
        else:
            domain = '.'.join(parts[-3:]).upper()

        # Hard-coded realm as suggested; AUTH.BEATPORTCORP.NET is not a suffix
        # of the hostname, so the computed value above is simply discarded.
        domain = 'AUTH.BEATPORTCORP.NET'

        return 'host/%s@%s' % (servername, domain)
New error:
[root@bpbuild001 ~]# su - koji
[koji@bpbuild001 ~]$ koji add-user kojira
ServerOffline: database outage
[koji@bpbuild001 ~]$ ps auxw | grep post
postgres  1520  0.0  0.0 203000 5784 ?     S    10:13   0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres  1522  0.0  0.0 174412 1144 ?     Ss   10:13   0:00 postgres: logger process
postgres  1524  0.0  0.0 203000 1452 ?     Ss   10:13   0:00 postgres: writer process
postgres  1525  0.0  0.0 203000 1448 ?     Ss   10:13   0:00 postgres: wal writer process
postgres  1526  0.0  0.0 203268 1844 ?     Ss   10:13   0:00 postgres: autovacuum launcher process
postgres  1527  0.0  0.0 174544 1556 ?     Ss   10:13   0:00 postgres: stats collector process
koji      1910  0.0  0.0 103416  888 pts/0 S+   12:02   0:00 grep --color=auto post
[koji@bpbuild001 ~]$
- Steve
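The patched _serverPrincipal() above guesses the realm from trailing DNS labels, and "Server not found in Kerberos database" (-1765328377) is the KDC answering that the service principal the client asked a ticket for does not exist. The following is an added example, not koji's own code: it reproduces the label-count heuristic with two and with three labels, shows that neither can produce AUTH.BEATPORTCORP.NET for this hostname (the realm is not a suffix of it), and derives the principal instead from an explicit domain-to-realm table of the shape krb5.conf keeps in its [domain_realm] section. The table contents and the function names are assumptions of this example.

```python
# Added example (not koji's own code): how the server principal a client
# requests depends on its realm rule. The domain_realm table and the
# function names are assumptions of this example.
from urllib.parse import urlparse


def guess_realm(hostname, labels=2):
    """Heuristic from koji's _serverPrincipal(): upper-case the last N DNS labels.

    The stock client uses two labels; the patch in the thread uses three.
    Neither yields AUTH.BEATPORTCORP.NET, which is not a suffix of the hostname.
    """
    parts = hostname.split('.')
    if len(parts) <= labels:
        return hostname.upper()
    return '.'.join(parts[-labels:]).upper()


def map_realm(hostname, domain_realm):
    """Longest-suffix lookup in a domain->realm table shaped like krb5.conf [domain_realm].

    Keys with a leading '.' cover every host under that domain; keys without
    one name a single host. An exact host entry wins, then the longest suffix.
    """
    host = hostname.lower()
    if host in domain_realm:
        return domain_realm[host]
    best = None
    for domain, realm in domain_realm.items():
        if domain.startswith('.') and host.endswith(domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, realm)
    if best is None:
        raise LookupError('no realm mapping for %s' % hostname)
    return best[1]


def server_principal(baseurl, domain_realm=None, service='host', labels=2):
    """service/hostname@REALM for the hub in baseurl (port stripped, host lower-cased)."""
    hostname = urlparse(baseurl).hostname
    if hostname is None:
        raise ValueError('no hostname in %r' % baseurl)
    if domain_realm is None:
        realm = guess_realm(hostname, labels)
    else:
        realm = map_realm(hostname, domain_realm)
    return '%s/%s@%s' % (service, hostname, realm)


if __name__ == '__main__':
    hub = 'http://bpbuild001.co0.nar.beatportcorp.net/kojihub'
    table = {'.beatportcorp.net': 'AUTH.BEATPORTCORP.NET'}  # constructed mapping
    print(server_principal(hub))            # stock guess:  ...@BEATPORTCORP.NET
    print(server_principal(hub, labels=3))  # three labels: ...@NAR.BEATPORTCORP.NET
    print(server_principal(hub, table))     # explicit map: ...@AUTH.BEATPORTCORP.NET
```

The first two results are principals the KDC has never heard of, which is exactly the "Server not found" fault; only the mapped one matches the AuthPrincipal in hub.conf and the entry in the keytab. Hard-coding the realm, as done above, has the same effect for one hub but breaks the moment the client talks to a second realm, so a mapping keyed on the hostname is the more durable fix.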
On 01/05/2011 02:03 PM, steve.webb@beatport.com wrote:
Sorry, that should have been kinit, not klist. You'll probably need to run it as root. Also, make sure /etc/krb5.keytab is readable by the apache user.
[root@bpbuild001 ~]# kinit -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
kinit: Password incorrect while getting initial credentials
This means that keytab is not valid. You should delete it and generate a new one for the same principal.
[root@bpbuild001 ~]# su - koji
[koji@bpbuild001 ~]$ koji add-user kojira
ServerOffline: database outage
This is unrelated to Kerberos auth. Check that your database is functioning properly, and that the apache user can connect to it.
Let's take this off the mailing list. If you have further issues, please email me directly.
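The two keytab problems diagnosed in this thread (a keytab whose key no longer matches the KDC, and a keytab the apache user must be able to read) are worth checking with a small script before touching the hub. The following is an added example, not koji's own code: it parses the hub.conf keys and the `klist -kt` listing quoted above (re-typed here as constructed sample text), confirms that AuthPrincipal has a key in the keytab, and reports a file mode that either blocks the apache user or, like the `chmod 644` above, lets every local account read the long-term key. The function names, the apache user and group, and the 0640 recommendation are assumptions of this example.

```python
# Added example (not koji's own code): cross-check a koji hub's Kerberos
# settings against its keytab listing and file mode. The sample texts are
# constructed from the thread; function names, the apache user/group and
# the 0640 advice are assumptions of this example.
import re
import stat

HUB_CONF = """\
## If LockOut is True, the server will report a ServerOffline fault for all non-admin
## requests.
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
"""

KLIST_KT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
"""

# One keytab entry per line; the "date time" column only appears with `klist -t`.
KEYTAB_ENTRY = re.compile(r'^\s*(\d+)\s+(?:\S+ \S+\s+)?(\S+)$')


def parse_hub_conf(text):
    """Key = Value pairs from hub.conf, skipping blank lines and ## comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def parse_klist_kt(text):
    """Map each principal in `klist -k[t]` output to the set of KVNOs stored for it."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_ENTRY.match(line.rstrip())
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def missing_principals(settings, keytab):
    """Principals the hub must hold a key for that the keytab lacks.

    Only AuthPrincipal is required here: ProxyPrincipals name clients the hub
    trusts to authenticate on behalf of others, and their keys live with those
    clients rather than in the hub's keytab.
    """
    wanted = [settings['AuthPrincipal']] if 'AuthPrincipal' in settings else []
    return [p for p in wanted if p not in keytab]


def keytab_mode_findings(mode, owner, group, service_user='apache', service_group='apache'):
    """Flag a keytab the hub process cannot read, or one every local account can read."""
    findings = []
    readable = bool((owner == service_user and mode & stat.S_IRUSR)
                    or (group == service_group and mode & stat.S_IRGRP)
                    or mode & stat.S_IROTH)
    if not readable:
        findings.append('keytab not readable by %s' % service_user)
    if mode & stat.S_IROTH:
        findings.append('keytab is world-readable; prefer root:%s 0640' % service_group)
    return findings


if __name__ == '__main__':
    conf = parse_hub_conf(HUB_CONF)
    keytab = parse_klist_kt(KLIST_KT)
    print('missing from keytab:', missing_principals(conf, keytab))
    # the state in the thread after `chmod 644 /etc/krb5.keytab` on a root:root file
    print('mode findings:', keytab_mode_findings(0o644, 'root', 'root'))
```

A listing only proves that an entry with that name exists; whether its key still matches the KDC is exactly what `kinit -kt` tests, and "Password incorrect while getting initial credentials" on that command means the entry must be regenerated, as noted above. For the file mode, a group-readable keytab owned by root with apache as the group gives the hub what it needs without handing the host key to every shell account on the box.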