There are 2 principals we're talking about here, the server principal
(host/...) and your client principal sw...@...

When using "koji --authtype=kerberos" it will automatically use your client
principal, assuming you have kinit'ed successfully. You should never be
passing --principal or --keytab to the koji cli under normal usage.

On 12/17/2010 04:51 PM, [email protected] wrote:
> Ok, I'm still not getting access to krb, but I feel that I'm getting
> close. (Thanks for all of your help already, BTW)
>
> [r...@bpbuild001 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 12/17/10 14:27:51  12/18/10 02:27:09  krbtgt/[email protected]
>
> [r...@bpbuild001 ~]# su - koji
> [k...@bpbuild001 ~]$ psql
> psql (8.4.5)
> Type "help" for help.
>
> koji=> select * from user_perms;
>  user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active
> ---------+---------+--------------+--------------+------------+------------+--------
>        1 |       1 |            1 |              |          1 |            | t
>        2 |       1 |            2 |              |          2 |            | t
> (2 rows)
>
> koji=> select * from users;
>  id | name  | password | status | usertype | krb_principal
> ----+-------+----------+--------+----------+------------------------------------------
>   1 | koji  |          |      0 |        0 | [email protected]

That is not a valid krb_principal, it should be:
koji/[email protected]

>   2 | swebb |          |      0 |        0 | [email protected]
> (2 rows)
>
> koji=>
> [k...@bpbuild001 ~]$ logout
> [r...@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --authtype=kerberos
> add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database
> (-1765328377)
> [r...@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab
> --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos
> add-user kojira
> Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
> [r...@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab
> --principal=host/[email protected]
> --authtype=kerberos add-user kojira
> Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
> [r...@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab
> --principal=host/[email protected]
> --authtype=kerberos add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database
> (-1765328377)
> [r...@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab
> --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos
> add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database
> (-1765328377)
> [r...@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --authtype=kerberos
> add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database
> (-1765328377)
> [r...@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --authtype=kerberos
> add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database
> (-1765328377)
> [r...@bpbuild001 ~]# koji --keytab=/etc/koji.keytab
> --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos
> add-user kojira
> Kerberos authentication failed: Key table entry not found (-1765328203)
> [r...@bpbuild001 ~]# koji --keytab=/etc/koji.keytab
> --principal=host/[email protected]
> --authtype=kerberos add-user kojira
> Kerberos authentication failed: Key table entry not found (-1765328203)
>
> My keytabs that I've been trying:
>
> /etc/krb5.keytab:  host/bpbuild001.co0.nar.beatportcorp.net
> /etc/koji.keytab:  koji/bpbuild001.co0.nar.beatportcorp.net
> /etc/koji2.keytab: host/[email protected]

This is the keytab that you should be referencing in AuthKeytab in
/etc/koji-hub/hub.conf.

> I've tried many combinations but none of them seem to be working. The
> most common errors are (in order of # of occurrences):
>
> Kerberos authentication failed: Server not found in Kerberos database
> (-1765328377)
> Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
> Kerberos authentication failed: Key table entry not found (-1765328203)
>
> I'm very good with kerberos, but I'm hoping that this may help us get
> close to getting kerberos working.
>
> Is there a way to turn on logging for the kerberos authentication stuff
> somewhere? Using --debug doesn't seem to provide any additional
> information.
>
> My /etc/koji-hub/hub.conf now:
>
> [snip]
> AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net

You need to append @AUTH.BEATPORTCORP.NET to this.

> AuthKeytab = /etc/krb5.keytab
> ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net

Same here.

> HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net

Same here. Also, you need to leave the %s, it'll be substituted for the
hostname of each different builder.

> [snip]
>
> Thanks again.
>
> - Steve
>
> On Fri, 17 Dec 2010, Mike Bonnet wrote:
>
>> On 12/17/2010 12:35 PM, [email protected] wrote:
>>>> The koji cli expects the service principal of the hub to be host/<server
>>>> name>@<last 2 tokens of the server name>. So in your case it is trying
>>>> to lookup a service principal in the BEATPORTCORP.NET domain, rather
>>>> than AUTH.BEATPORTCORP.NET. Koji should probably be determining the
>>>> domain from the client principal, rather than the DNS name. In the
>>>> meantime, you could patch __init__.py:_serverPrincipal() to return the
>>>> correct value.
>>>
>>> I just changed it to accept 3 parts to the server name by changing the 2s
>>> to 3s in /usr/lib/python2.7/site-packages/koji/__init__.py
>>>
>>>     def _serverPrincipal(self):
>>>         """Get the Kerberos principal of the server we're connecting
>>>         to, based on baseurl.  Assume the last two components of the
>>>         server name are the Kerberos realm."""
>>>         servername = urlparse.urlparse(self.baseurl)[1]
>>>         portspec = servername.find(':')
>>>         if portspec != -1:
>>>             servername = servername[:portspec]
>>>
>>>         parts = servername.split('.')
>>>         if len(parts) < 3:
>>>             domain = servername.upper()
>>>         else:
>>>             domain = '.'.join(parts[-3:]).upper()
>>>
>>>         return 'host/%s@%s' % (servername, domain)
>>>
>>>
>>> Still getting authentication failure:
>>>
>>> [r...@bpbuild001 ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: [email protected]
>>>
>>> Valid starting     Expires            Service principal
>>> 12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/[email protected]
>>>
>>> [r...@bpbuild001 ~]# koji add-user kojira
>>> Kerberos authentication failed: Server not found in Kerberos database
>>> (-1765328377)
>>
>> Assuming your hub is running on bpbuild001.co0.nar.beatportcorp.net, your
>> /etc/koji-hub/hub.conf should have:
>>
>> AuthPrincipal = host/[email protected]
>>
>> and AuthKeytab should be pointing at a keytab for that principal.
>>
>> Yes, this could be a lot more flexible.
>>
>
--
buildsys mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/buildsys
