On ma, 21 marras 2016, Vít Ondruch wrote:


Dne 21.11.2016 v 14:18 Vít Ondruch napsal(a):

Dne 21.11.2016 v 14:07 Vít Ondruch napsal(a):
Dne 21.11.2016 v 13:36 Stephen Gallagher napsal(a):
On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
koji authentication will be switching to Kerberos. Koji supports multiple
authentication mechanisms. Fedora infrastructure has set up a freeipa instance
internally that has credential syncing to fas. We are working on ensuring that
gssapi caching is supported so that you can have multiple TGTs and the
ability to work in multiple realms at once. You can get started today by doing
`kinit <fas username>@FEDORAPROJECT.ORG`; if you move your ~/.fedora.cert file
out of the way, authentication will still work.
  Can you expand (with links to webpages/wiki?) on multiple TGT support?
At the moment, when I use kinit on F25, I get a ticket for the @FEDORAPROJECT.ORG
realm, but I lose my primary principal ticket. This means I lose access to my
services, including access to the web proxy that is my internet gateway.
  What's the trick to have _both_ tickets active – for my organisation and for
Fedora – at the same time?  This is using the default ticket cache:
KEYRING:persistent:…

You don't lose them (you can see both with `klist -A`). What happens is that the
default ticket is the most recent one you got a TGT for. You can switch the
default ticket back to your other one with `kswitch -p username@REALM`.

We should probably look at having the `fedora-packager` RPM provide an
/etc/krb5.conf.d snippet that adds a section like:

```
[domain_realm]
  fedoraproject.org = FEDORAPROJECT.ORG
  .fedoraproject.org = FEDORAPROJECT.ORG
  fedorainfracloud.org = FEDORAPROJECT.ORG
  .fedorainfracloud.org = FEDORAPROJECT.ORG
```

This way, no matter which ticket is set to the default, it will route requests
for services in those domains to the FEDORAPROJECT.ORG realm.

You mean something like this?

```
# rpm -qf /etc/krb5.conf.d/fedoraproject_org
fedora-packager-0.5.10.7-4.fc26.noarch

# cat /etc/krb5.conf.d/fedoraproject_org
[realms]
 FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
```

Checking this ^^ against documentation, I wonder how this can be correct:

```
kdc - The name or address of a host running a KDC for that realm.
An optional port number, separated from the hostname by a colon, may be
included. If the name or address contains colons (for example, if it is
an IPv6 address), enclose it in square brackets to distinguish the colon
from a port separator. For your computer to be able to communicate with
the KDC for each realm, this tag must be given a value in each realm
subsection in the configuration file, or there must be DNS SRV records
specifying the KDCs.
```

The documentation is outdated. MS-KKDCP support allows you to specify a
URI that points to the proxy.


Vít

```
 }
[domain_realm]
 .fedoraproject.org = FEDORAPROJECT.ORG
 fedoraproject.org = FEDORAPROJECT.ORG
```

But apparently, with this snippet, I can't kinit anymore :/

```
$ kinit vondr...@fedoraproject.org
kinit: Cannot contact any KDC for realm 'FEDORAPROJECT.ORG' while
getting initial credentials
```

Works for me on Fedora 25. You can provide output from
'KRB5_TRACE=/dev/stderr kinit vondr...@fedoraproject.org' to get
further.

--
/ Alexander Bokovoy
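Two points in the thread are easy to get wrong when writing such a snippet by hand: how libkrb5 picks a realm for a service host from `[domain_realm]` (so that the right TGT is used whichever ticket is currently the default), and the fact that a `kdc =` value may be an HTTPS URI for an MS-KKDCP proxy rather than a host:port. The script below is an added example, not code from this thread, from MIT krb5 or from fedora-packager. It parses a constructed krb5.conf-style snippet modelled on the one posted above, resolves hostnames to realms with a simplified version of libkrb5's lookup order (exact host entry first, then leading-dot parent-domain entries, most specific first; the DNS fallbacks are not modelled), and classifies each `kdc` entry as a plain KDC host or a KKDCP proxy URI. Function and variable names, and the EXAMPLE.COM realm, are assumptions made for the example.

```python
"""Resolve service hosts to realms and check kdc entries from a krb5.conf
snippet. Added example; not the thread's, MIT krb5's or fedora-packager's code."""
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the /etc/krb5.conf.d/fedoraproject_org
# snippet quoted in the thread plus a hypothetical EXAMPLE.COM realm.
SAMPLE_KRB5_CONF = """\
[realms]
 FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
 }
 EXAMPLE.COM = {
        kdc = kdc1.example.com:88
        kdc = [2001:db8::1]:88
 }
[domain_realm]
 .fedoraproject.org = FEDORAPROJECT.ORG
 fedoraproject.org = FEDORAPROJECT.ORG
 .example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and { } realm subsections.

    Returns {section: {key: value_or_subsection}}. A key repeated inside a
    subsection (several kdc = lines) is collected into a list.
    """
    conf, section, subsection = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            subsection = None
            continue
        if section is None:
            continue                     # ignore lines before any header
        if line == "}":
            subsection = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            subsection = section.setdefault(key, {})
            continue
        target = subsection if subsection is not None else section
        if key in target:                # second kdc = ... line for a realm
            prev = target[key]
            target[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            target[key] = value
    return conf


def realm_for_host(conf, host):
    """Map a service hostname to a realm via [domain_realm].

    Simplified libkrb5 order: an exact host entry wins, otherwise the
    parent domains are tried as leading-dot entries from the most specific
    one upwards. Returns None when nothing matches (libkrb5 would then fall
    back to DNS or to the upper-cased parent domain).
    """
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


def classify_kdc(value):
    """Return 'kkdcp' for an MS-KKDCP proxy URI or 'host' for host[:port] /
    [ipv6][:port]; raise ValueError for anything libkrb5 would not accept."""
    if value.startswith("https://"):
        u = urlparse(value)
        if not u.netloc or not u.path:
            raise ValueError("KKDCP proxy URI needs a host and path: %r" % value)
        return "kkdcp"
    if value.startswith("http://"):
        # MIT libkrb5 only speaks KKDCP over HTTPS; a plain-http proxy would
        # also expose the AS exchange to on-path tampering.
        raise ValueError("KKDCP proxy must use https: %r" % value)
    if re.match(r"^\[[0-9A-Fa-f:.]+\](:\d{1,5})?$", value):
        return "host"                    # bracketed IPv6 literal
    if re.match(r"^[A-Za-z0-9.-]+(:\d{1,5})?$", value):
        return "host"                    # hostname or IPv4, optional port
    raise ValueError("unparseable kdc value: %r" % value)


def check_realms(conf):
    """Return {realm: [(kdc_value, kind), ...]} for every realm in [realms]."""
    result = {}
    for realm, body in conf.get("realms", {}).items():
        kdcs = body.get("kdc", [])
        if isinstance(kdcs, str):
            kdcs = [kdcs]
        result[realm] = [(k, classify_kdc(k)) for k in kdcs]
    return result


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ("koji.fedoraproject.org", "fedoraproject.org", "proxy.corp.example.org"):
        print(h, "->", realm_for_host(conf, h))
    print(check_realms(conf))
```

The host-to-realm mapping is what makes the `[domain_realm]` snippet useful regardless of which TGT `kswitch` has made the default: a request for `koji.fedoraproject.org` is routed to FEDORAPROJECT.ORG, so the matching ticket in the `KEYRING:persistent:` collection is used. The `classify_kdc` check is the part the quoted `kdc` documentation does not cover: an `https://` value is a KKDCP proxy, which is why the fedora-packager snippet is valid even though it names no host:port.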
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
