koji using krb - having problems

steve.webb@beatport.com
Wed Jan 5 17:19:16 UTC 2011


[koji at bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.

koji=> select * from users;
  id | name  | password | status | usertype |                         krb_principal 
----+-------+----------+--------+----------+----------------------------------------------------------------
   2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
   1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
(2 rows)

koji=> \q
[koji at bpbuild001 ~]$ koji add-user kojira
Kerberos authentication failed: Matching credential not found (-1765328243)
[koji at bpbuild001 ~]$ kinit swebb
Password for swebb@AUTH.BEATPORTCORP.NET: 
[koji at bpbuild001 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
01/05/11 10:15:13  01/05/11 22:14:30  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
[koji at bpbuild001 ~]$ cat /etc/koji.conf
[koji]

;configuration for koji cli tool

;url of XMLRPC server
server = http://bpbuild001.co0.nar.beatportcorp.net/kojihub

;url of web interface
weburl = http://bpbuild001.co0.nar.beatportcorp.net/koji

;url of package download site
pkgurl = http://bpbuild001.co0.nar.beatportcorp.net/packages

;path to the koji top directory
topdir = /mnt/koji

;configuration for SSL authentication

;client certificate
cert = ~/.fedora.cert

;certificate of the CA that issued the client certificate
ca = ~/.fedora-server-ca.cert

;certificate of the CA that issued the HTTP server certificate
serverca = ~/.fedora-server-ca.cert
[koji at bpbuild001 ~]$ klist -kt /etc/krb5.keytab host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
Extra arguments (starting with "host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET").
Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
         -c specifies credentials cache
         -k specifies keytab
            (Default is credentials cache)
         -e shows the encryption type
         -V shows the Kerberos version and exits
         options for credential caches:
                 -d shows the submitted authorization data types
                 -f shows credentials flags
                 -s sets exit status based on valid tgt existence
                 -a displays the address list
                         -n do not reverse-resolve
         options for keytabs:
                 -t shows keytab entry timestamps
                 -K shows keytab entry DES keys
[koji at bpbuild001 ~]$ klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
klist: Permission denied while starting keytab scan
[koji at bpbuild001 ~]$ logout
[root at bpbuild001 ~]# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
    1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
    1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
    1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
    1 12/15/10 10:49:19 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
[root at bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: swebb@AUTH.BEATPORTCORP.NET

Valid starting     Expires            Service principal
01/05/11 09:49:04  01/05/11 21:48:17  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET

- Steve

On Mon, 3 Jan 2011, Mike Bonnet wrote:

> On 12/29/2010 11:06 AM, steve.webb@beatport.com wrote:
>> Still stuck here.  Anyone around during the holidays that can help?
>
> Could you post the /etc/koji.conf from the client machine (the machine
> where you're running "koji add-user kojira")?
>
> Also, try running:
>
> klist -kt /etc/krb5.keytab \
>  host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>
> and then klist, and post the output of both commands.
>
>> - Steve
>>
>> On Fri, 17 Dec 2010, steve.webb@beatport.com wrote:
>>
>>> Ok, all changed, still no-go:
>>>
>>> [root at bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>> ## If ServerOffline is True, the server will always report a ServerOffline fault (with
>>> ## OfflineMessage as the fault string).
>>> ## If LockOut is True, the server will report a ServerOffline fault for all non-admin
>>> ## requests.
>>>
>>> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>> AuthKeytab = /etc/krb5.keytab
>>> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>> HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
>>>
>>> [root at bpbuild001 ~]# klist -k /etc/krb5.keytab
>>> Keytab name: WRFILE:/etc/krb5.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>>    1 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>> [root at bpbuild001 ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: swebb@AUTH.BEATPORTCORP.NET
>>>
>>> Valid starting     Expires            Service principal
>>> 12/17/10 15:36:29  12/18/10 03:30:18  krbtgt/AUTH.BEATPORTCORP.NET@AUTH.BEATPORTCORP.NET
>>> [root at bpbuild001 ~]# su - koji
>>> [koji at bpbuild001 ~]$ psql
>>> psql (8.4.5)
>>> Type "help" for help.
>>>
>>> koji=> select * from users;
>>>  id | name  | password | status | usertype |                         krb_principal
>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>   2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
>>>   1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
>>> (2 rows)
>>>
>>> koji=> \q
>>> [koji at bpbuild001 ~]$ logout
>>> [root at bpbuild001 ~]# koji add-user kojira
>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>>
>>> Q: The error now says "Server not found" - should the principal in psql be
>>> host/...  ??
>>>
>>> - Steve
>>
>
> --
> buildsys mailing list
> buildsys@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>

-- 
Steve Webb | System Administrator
Beatport | Play With Music
------------------------------------------
2399 Blake Street, Suite 170
Denver, Colorado USA 80205
tel: +1.720.932.9103
fax: +1.720.932.9104
noc: +1.303.565.2710
mobile: +1.303.564.4269
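An added, offline consistency check (not code from the thread or from Koji): it parses the three listings a hub-side Kerberos login depends on, the hub.conf principals, the `klist -kt` keytab listing and the psql users table, and reports any configured principal that is absent from the keytab or from the users table. The inputs are constructed copies of the listings posted above; the function and variable names are my own.

```python
# Constructed inputs: reproductions of the hub.conf tail, `klist -kt` output and
# psql users listing posted in this thread (not live data from the hub).
HUB_CONF = """\
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
HostPrincipalFormat = compile/%s@AUTH.BEATPORTCORP.NET
"""
KLIST_KT = """\
KVNO Timestamp         Principal
   1 12/15/10 10:49:18 host/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
"""
USERS_TABLE = """\
 id | name  | password | status | usertype | krb_principal
----+-------+----------+--------+----------+--------------
  2 | swebb |          |      0 |        0 | swebb@AUTH.BEATPORTCORP.NET
  1 | koji  |          |      0 |        0 | koji/bpbuild001.co0.nar.beatportcorp.net@AUTH.BEATPORTCORP.NET
"""

def parse_hub_conf(text):
    """key = value lines of hub.conf; ## comment lines and blanks are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key] = value
    return conf
def parse_keytab_listing(text):
    """Principals in `klist -k` / `klist -kt` output: last field of each KVNO row."""
    out = set()
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit() and "@" in parts[-1]:
            out.add(parts[-1])
    return out
def parse_users_table(text):
    """krb_principal column (last cell) of the psql `select * from users` output."""
    return {row.rsplit("|", 1)[1].strip() for row in text.splitlines()
            if "|" in row and "@" in row.rsplit("|", 1)[1]}
def check_principals(conf, keytab, users):
    """Mismatches between what hub.conf names and what the keytab/users table hold."""
    problems = []
    auth = conf.get("AuthPrincipal", "")
    if auth not in keytab:
        problems.append(f"AuthPrincipal {auth} missing from keytab")
    for proxy in conf.get("ProxyPrincipals", "").split():
        if proxy not in users:
            problems.append(f"ProxyPrincipal {proxy} has no koji user")
    return problems
```

For the listings as posted the check returns an empty list, so the principal spelling in hub.conf, the keytab and the users table is not the mismatch; a non-empty list pinpoints which of the three disagrees.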

