koji using krb - having problems
steve.webb@beatport.com
Wed Jan 5 17:19:16 UTC 2011
[koji@bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.
koji=> select * from users;
 id | name  | password | status | usertype |                         krb_principal
----+-------+----------+--------+----------+----------------------------------------------------------------
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
  1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
(2 rows)
koji=> \q
[koji@bpbuild001 ~]$ koji add-user kojira
Kerberos authentication failed: Matching credential not found (-1765328243)
[koji@bpbuild001 ~]$ kinit swebb
Password for swebb@AUTH.BEATPORTCORP.NET:
[koji@bpbuild001 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: swebb@AUTH.BEATPORTCORP.NET
Valid starting     Expires            Service principal
01/05/11 10:15:13  01/05/11 22:14:30  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
[koji@bpbuild001 ~]$ cat /etc/koji.conf
[koji]
;configuration for koji cli tool
;url of XMLRPC server
server = http://bpbuild001.co0.nar.beatportcorp.net/kojihub
;url of web interface
weburl = http://bpbuild001.co0.nar.beatportcorp.net/koji
;url of package download site
pkgurl = http://bpbuild001.co0.nar.beatportcorp.net/packages
;path to the koji top directory
topdir = /mnt/koji
;configuration for SSL authentication
;client certificate
cert = ~/.fedora.cert
;certificate of the CA that issued the client certificate
ca = ~/.fedora-server-ca.cert
;certificate of the CA that issued the HTTP server certificate
serverca = ~/.fedora-server-ca.cert
[koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
Extra arguments (starting with "host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET").
Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
-c specifies credentials cache
-k specifies keytab
(Default is credentials cache)
-e shows the encryption type
-V shows the Kerberos version and exits
options for credential caches:
-d shows the submitted authorization data types
-f shows credentials flags
-s sets exit status based on valid tgt existence
-a displays the address list
-n do not reverse-resolve
options for keytabs:
-t shows keytab entry timestamps
-K shows keytab entry DES keys
[koji@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
klist: Permission denied while starting keytab scan
[koji@bpbuild001 ~]$ logout
[root@bpbuild001 ~]# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
[root@bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET
Valid starting     Expires            Service principal
01/05/11 09:49:04  01/05/11 21:48:17  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
- Steve
On Mon, 3 Jan 2011, Mike Bonnet wrote:
> On 12/29/2010 11:06 AM, steve.webb@beatport.com wrote:
>> Still stuck here. Anyone around during the holidays that can help?
>
> Could you post the /etc/koji.conf from the client machine (the machine
> where you're running "koji add-user kojira")?
>
> Also, try running:
>
> klist -kt /etc/krb5.keytab \
>     host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>
> and then klist, and post the output of both commands.
>
>> - Steve
>>
>> On Fri, 17 Dec 2010, steve.webb@beatport.com wrote:
>>
>>> Ok, all changed, still no-go:
>>>
>>> [root@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>> ## If ServerOffline is True, the server will always report a ServerOffline fault (with
>>> ## OfflineMessage as the fault string).
>>> ## If LockOut is True, the server will report a ServerOffline fault for all non-admin
>>> ## requests.
>>>
>>> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>> AuthKeytab = /etc/krb5.keytab
>>> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>> HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
>>>
>>> [root@bpbuild001 ~]# klist -k /etc/krb5.keytab
>>> Keytab name: WRFILE:/etc/krb5.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>> [root@bpbuild001 ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>>
>>> Valid starting     Expires            Service principal
>>> 12/17/10 15:36:29  12/18/10 03:30:18  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>> [root@bpbuild001 ~]# su - koji
>>> [koji@bpbuild001 ~]$ psql
>>> psql (8.4.5)
>>> Type "help" for help.
>>>
>>> koji=> select * from users;
>>>  id | name  | password | status | usertype |                         krb_principal
>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>   2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
>>>   1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>> (2 rows)
>>>
>>> koji=> \q
>>> [koji@bpbuild001 ~]$ logout
>>> [root@bpbuild001 ~]# koji add-user kojira
>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>>
>>> Q: The error now says "Server not found" - should the principal in psql be
>>> host/... ??
>>>
>>> - Steve
>>
>
> --
> buildsys mailing list
> buildsys@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>
--
Steve Webb | System Administrator
Beatport | Play With Music
------------------------------------------
2399 Blake Street, Suite 170
Denver, Colorado USA 80205
tel: +1.720.932.9103
fax: +1.720.932.9104
noc: +1.303.565.2710
mobile: +1.303.564.4269
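Added example, not koji's code and not part of the thread above: a small Python script that cross-checks the four outputs Mike asked for. It parses `klist -kt` of the hub keytab, the Auth* lines of hub.conf, the `users` table as psql prints it, and the client's `klist`, and reports every principal that one of them names and another does not know: AuthPrincipal must have a key in AuthKeytab, each ProxyPrincipal and the client's default principal must have a users.krb_principal row, and HostPrincipalFormat must yield one well-formed principal per builder hostname. The inputs are constructed copies of the output posted in the thread, with the archive's " at " munging restored to "@". Two things it cannot see and does not check: whether the uid that serves /kojihub can read AuthKeytab (above, the koji user gets "Permission denied" on /etc/krb5.keytab), and which service principal the koji client asks the KDC for, which is what both "Server not found in Kerberos database" and "Matching credential not found" are raised about.

```python
"""Cross-check the Kerberos principals a koji hub, its database and its clients must agree on.
Added example for this thread, not part of koji. Parses `klist -kt`, hub.conf Auth* lines,
psql's `select * from users` output and the client's `klist`, then reports mismatches."""
import re

# Constructed inputs: copies of the output posted in the thread, with the
# list archive's " at " munging restored to "@".
KLIST_KT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
   1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
"""

HUB_CONF = """\
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
"""

USERS_PSQL = """\
 id | name  | password | status | usertype |                         krb_principal
----+-------+----------+--------+----------+----------------------------------------------------------------
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
  1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
(2 rows)
"""

KLIST_CC = """\
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: swebb@AUTH.BEATPORTCORP.NET
Valid starting     Expires            Service principal
01/05/11 10:15:13  01/05/11 22:14:30  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
"""

PRINCIPAL = r"[^\s@]+@[A-Z0-9.\-]+"  # primary[/instance]@REALM

def keytab_principals(text):
    """Map each principal in `klist -kt` output to its highest KVNO."""
    found = {}
    row = re.compile(r"^[ \t]*(\d+)[ \t]+\S+ \S+[ \t]+(%s)[ \t]*$" % PRINCIPAL, re.M)
    for m in row.finditer(text):
        kvno, princ = int(m.group(1)), m.group(2)
        found[princ] = max(kvno, found.get(princ, 0))
    return found

def hub_settings(text):
    """Parse `Key = value` lines; ProxyPrincipals becomes a list (comma or space separated)."""
    conf = {}
    for m in re.finditer(r"^[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", text, re.M):
        conf[m.group(1)] = m.group(2)
    conf["ProxyPrincipals"] = [p for p in re.split(r"[,\s]+", conf.get("ProxyPrincipals", "")) if p]
    return conf

def user_principals(text):
    """Map krb_principal -> name from psql's `select * from users` table output."""
    users = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        # data rows start with a numeric id and end with a principal; header/footer do not
        if len(cells) >= 6 and cells[0].isdigit() and re.fullmatch(PRINCIPAL, cells[-1]):
            users[cells[-1]] = cells[1]
    return users

def ticket_cache_principal(text):
    """Default principal of a credential cache as printed by `klist`, or None."""
    m = re.search(r"^Default principal:[ \t]*(%s)" % PRINCIPAL, text, re.M)
    return m.group(1) if m else None

def cross_check(keytab, hub, users, client_principal):
    """Return mismatch descriptions; an empty list means the four sources agree."""
    problems = []
    auth = hub.get("AuthPrincipal")
    if auth not in keytab:
        problems.append("AuthPrincipal %s has no key in %s" % (auth, hub.get("AuthKeytab")))
    for proxy in hub["ProxyPrincipals"]:
        if proxy not in users:
            problems.append("ProxyPrincipal %s has no users.krb_principal row" % proxy)
    fmt = hub.get("HostPrincipalFormat", "")
    if fmt.count("%s") != 1 or not re.fullmatch(PRINCIPAL, fmt % "builder.example"):
        problems.append("HostPrincipalFormat %r does not yield one principal per builder" % fmt)
    if client_principal is None:
        problems.append("client has no Kerberos ticket cache (run kinit first)")
    elif client_principal not in users:
        problems.append("client principal %s has no users.krb_principal row" % client_principal)
    return problems

def check_posted_data():
    return cross_check(keytab_principals(KLIST_KT), hub_settings(HUB_CONF),
                       user_principals(USERS_PSQL), ticket_cache_principal(KLIST_CC))

if __name__ == "__main__":
    for line in check_posted_data() or ["keytab, hub.conf, users table and client ticket agree"]:
        print(line)
```

On the posted data every check passes, so the hub keytab, hub.conf and the users table at least agree with one another and with the client's TGT principal; replace the constants with the real files to run it against another deployment, and expect one line per disagreement.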