On 21.11.2016 at 13:36, Stephen Gallagher wrote:
> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>>> Koji authentication will be switching to Kerberos. Koji supports multiple
>>> authentication mechanisms. Fedora infrastructure has set up a freeipa
>>> instance internally that has credential syncing to fas. We are working on
>>> ensuring that gssapi caching is supported so that you can have multiple
>>> TGT's and the ability to work in multiple realms at once. You can get
>>> started today by doing
>>> kinit <fas username>@FEDORAPROJECT.ORG if you move your ~/.fedora.cert file
>>> out of the way authentication will still work.
>>
>>   Can you expand (with links to webpages/wiki?) on multiple TGTs support?
>> At the moment, when I use kinit on F25, I get ticket for @FEDORAPROJECT.ORG
>> realm, but I lose my primary principal ticket. This means I lose access to
>> my services, including access to web proxy being my internet gateway.
>>   What's the trick to have _both_ tickets active – for my organisation and
>> for Fedora – at the same time?  This is using default Ticket cache:
>> KEYRING:persistent:…
>>
> You don't lose them (you can see both with `klist -A`). What happens is that
> the default ticket is the most recent one you got a TGT for. You can switch
> the default ticket back to your other one with `kswitch -p username@REALM`.
>
> We should probably look at an /etc/krb5.conf.d snippet to have the
> `fedora-packager` RPM provide that will add a section like:
>
> ```
> [domain_realm]
>   fedoraproject.org = FEDORAPROJECT.ORG
>   .fedoraproject.org = FEDORAPROJECT.ORG
>   fedorainfracloud.org = FEDORAPROJECT.ORG
>   .fedorainfracloud.org = FEDORAPROJECT.ORG
> ```
>
> This way, no matter which ticket is set to the default, it will route requests
> for services in those domains to the FEDORAPROJECT.ORG realm.
>

You mean something like this?

```
# rpm -qf /etc/krb5.conf.d/fedoraproject_org
fedora-packager-0.5.10.7-4.fc26.noarch

# cat /etc/krb5.conf.d/fedoraproject_org
[realms]
 FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
 }
[domain_realm]
 .fedoraproject.org = FEDORAPROJECT.ORG
 fedoraproject.org = FEDORAPROJECT.ORG
```


Vít
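
Added example, not part of the thread and not code from Fedora or MIT krb5: a simplified model of `[domain_realm]` lookup, run over the two snippets quoted above to show which hosts each one maps to FEDORAPROJECT.ORG. The host names are constructed, and the suffix-walking order (full name, then each shorter suffix with and without its leading dot) is an assumption about how the library resolves these entries.

```python
PROPOSED = """[domain_realm]
  fedoraproject.org = FEDORAPROJECT.ORG
  .fedoraproject.org = FEDORAPROJECT.ORG
  fedorainfracloud.org = FEDORAPROJECT.ORG
  .fedorainfracloud.org = FEDORAPROJECT.ORG
"""
SHIPPED = """[realms]
 FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
 }
[domain_realm]
 .fedoraproject.org = FEDORAPROJECT.ORG
 fedoraproject.org = FEDORAPROJECT.ORG
"""
# Constructed host names, for illustration only.
HOSTS = ["build.fedoraproject.org", "fedoraproject.org",
         "app.fedorainfracloud.org", "proxy.example.com"]

def parse_domain_realm(text):
    """Return the name -> realm pairs of the [domain_realm] section."""
    mapping, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line and line[0] not in "#;":
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Simplified lookup: full name, then each shorter suffix, dotted and undotted."""
    name = host.lower().rstrip(".")
    while name:
        if name in mapping:
            return mapping[name]
        if name.startswith("."):
            name = name[1:]
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""
    return None  # no entry here; this model stops instead of trying other sources

def unmapped_hosts(hosts, text):
    """Hosts for which the snippet alone names no realm."""
    mapping = parse_domain_realm(text)
    return [h for h in hosts if realm_for_host(h, mapping) is None]

if __name__ == "__main__":
    for label, conf in (("proposed", PROPOSED), ("shipped", SHIPPED)):
        print(label, "leaves unmapped:", unmapped_hosts(HOSTS, conf))
```

Under this model the packaged snippet covers `fedoraproject.org` hosts but has no entry for `fedorainfracloud.org`, which the proposed section does list.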
