Re: Kerberos authentication fails: unable to obtain a session
Ken Dreyer writes:
> On Tue, Mar 10, 2020 at 11:55 AM Kevin Fenzi wrote:
>>
>> when you see a proxy name there it usually means you have rdns true in
>> /etc/krb5.conf (it should be false), or krb_rdns or krb_canon_host true
>> in /etc/koji.conf or ~/.koji.conf (should be false).
>
> I think those options only apply to the "old-style" Kerberos
> authentication in Koji (that we want to remove upstream).
>
> The only way to affect the GSSAPI authentication that we do with
> koji.fedoraproject.org is to edit [libdefaults] in /etc/krb5.conf.
>
> I've filed two tickets to improve the UX here:
>
> 1) Remove the old option from fedora.conf:
> https://bugzilla.redhat.com/show_bug.cgi?id=1812702
>
> 2) Better error messages from the koji gssapi_login method:
> https://pagure.io/koji/issue/2063
>
> I think the MIT Kerberos devs realize that this is a problem too,
> because there is a new dns_canonicalize_hostname=fallback option in
> krb 1.18. That option will help for the general case of proxying
> applications that use GSSAPI auth.

Right. To be clear, this has been the *default* in Fedora starting with fc30.

Thanks,
--Robbie

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Re: Kerberos authentication fails: unable to obtain a session
On Tue, Mar 10, 2020 at 11:55 AM Kevin Fenzi wrote:
>
> when you see a proxy name there it usually means you have rdns true in
> /etc/krb5.conf (it should be false), or krb_rdns or krb_canon_host true
> in /etc/koji.conf or ~/.koji.conf (should be false).

I think those options only apply to the "old-style" Kerberos authentication in Koji (that we want to remove upstream).

The only way to affect the GSSAPI authentication that we do with koji.fedoraproject.org is to edit [libdefaults] in /etc/krb5.conf.

I've filed two tickets to improve the UX here:

1) Remove the old option from fedora.conf:
https://bugzilla.redhat.com/show_bug.cgi?id=1812702

2) Better error messages from the koji gssapi_login method:
https://pagure.io/koji/issue/2063

I think the MIT Kerberos devs realize that this is a problem too, because there is a new dns_canonicalize_hostname=fallback option in krb 1.18. That option will help for the general case of proxying applications that use GSSAPI auth.

- Ken
Re: Kerberos authentication fails: unable to obtain a session
On 3/10/20 1:55 PM, Kevin Fenzi wrote:
> On Tue, Mar 10, 2020 at 10:42:09AM -0400, Steve Dickson wrote:
>> Hello,
>>
>> I'm trying to do a scratch build
>> $ fedpkg scratch-build --arches x86_64 --srpm
>>
>> and I'm getting the $SUBJECT error. I know I have
>> a Kerberos ticket:
>>
>> $ klist
>> Ticket cache: KEYRING:persistent:24013:krb_ccache_zynJSfJ
>> Default principal: ste...@fedoraproject.org
>>
>> Valid starting       Expires              Service principal
>> 03/10/2020 10:35:13  03/10/2020 20:34:33  HTTP/proxy01.fedoraproject@fedoraproject.org
>
> This should normally be 'HTTP/koji.fedoraproject@fedoraproject.org'
>
> when you see a proxy name there it usually means you have rdns true in
> /etc/krb5.conf (it should be false), or krb_rdns or krb_canon_host true
> in /etc/koji.conf or ~/.koji.conf (should be false).

That worked... Thank you very much!!!

steved.
Re: Kerberos authentication fails: unable to obtain a session
On Tue, Mar 10, 2020 at 10:42:09AM -0400, Steve Dickson wrote:
> Hello,
>
> I'm trying to do a scratch build
> $ fedpkg scratch-build --arches x86_64 --srpm
>
> and I'm getting the $SUBJECT error. I know I have
> a Kerberos ticket:
>
> $ klist
> Ticket cache: KEYRING:persistent:24013:krb_ccache_zynJSfJ
> Default principal: ste...@fedoraproject.org
>
> Valid starting       Expires              Service principal
> 03/10/2020 10:35:13  03/10/2020 20:34:33  HTTP/proxy01.fedoraproject@fedoraproject.org

This should normally be 'HTTP/koji.fedoraproject@fedoraproject.org'

when you see a proxy name there it usually means you have rdns true in /etc/krb5.conf (it should be false), or krb_rdns or krb_canon_host true in /etc/koji.conf or ~/.koji.conf (should be false).

kevin
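The symptom Kevin points to (an HTTP/ service ticket issued for a proxy host instead of koji.fedoraproject.org) can be checked mechanically. Added here as an example, not part of the thread or of koji or fedpkg: a POSIX shell diagnostic that pulls the service host out of klist output and greps krb5.conf for an explicit `rdns = true`; the klist sample is constructed to mirror the one quoted above, with the user and the realm spelling filled in as assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Constructed klist output modelled on the
# one quoted above; the user and the realm FEDORAPROJECT.ORG are assumptions.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:24013:krb_ccache_zynJSfJ
Default principal: user@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
03/10/2020 10:35:13  03/10/2020 20:34:33  HTTP/proxy01.fedoraproject.org@FEDORAPROJECT.ORG
03/10/2020 10:34:41  03/10/2020 20:34:33  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG'

# Read klist output on stdin; print the host part of the first HTTP/ service ticket.
http_service_host() {
    sed -n 's/.*[[:space:]]HTTP\/\([^@[:space:]]*\)@.*/\1/p' | head -n 1
}

# Read klist output on stdin; succeed only if the HTTP/ ticket names the host
# we actually asked for. A proxy or backend name here is the symptom Kevin
# describes: the client canonicalised the server name (reverse DNS) before
# requesting the service ticket.
check_service_principal() {
    expected="$1"
    host=$(http_service_host)
    [ "$host" = "$expected" ]
}

# Succeed if the krb5.conf given as $1 spells out "rdns = true" (only that literal
# spelling is checked). The thread's fix is to set it to false.
krb5_rdns_enabled() {
    grep -Eiq '^[[:space:]]*rdns[[:space:]]*=[[:space:]]*true' "$1"
}

# Stand-alone run: check the constructed sample against the host we expect.
if printf '%s\n' "$SAMPLE_KLIST" | check_service_principal koji.fedoraproject.org; then
    echo "service ticket is for koji.fedoraproject.org"
else
    echo "service ticket is for $(printf '%s\n' "$SAMPLE_KLIST" | http_service_host)"
    echo "check rdns in /etc/krb5.conf and krb_rdns / krb_canon_host in koji.conf"
fi
```

On a real machine, pipe `klist` into `check_service_principal` instead of the constructed sample and point `krb5_rdns_enabled` at /etc/krb5.conf.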
Re: Kerberos authentication fails: unable to obtain a session
On 3/10/20 10:42 AM, Steve Dickson wrote:
> Hello,
>
> I'm trying to do a scratch build
> $ fedpkg scratch-build --arches x86_64 --srpm
>
> and I'm getting the $SUBJECT error. I know I have
> a Kerberos ticket:
>
> $ klist
> Ticket cache: KEYRING:persistent:24013:krb_ccache_zynJSfJ
> Default principal: ste...@fedoraproject.org
>
> Valid starting       Expires              Service principal
> 03/10/2020 10:35:13  03/10/2020 20:34:33  HTTP/proxy01.fedoraproject@fedoraproject.org
>         renew until 03/17/2020 10:34:33
> 03/10/2020 10:34:41  03/10/2020 20:34:33  krbtgt/fedoraproject@fedoraproject.org
>         renew until 03/17/2020 10:34:33
>
>
> Any ideas?

It turns out I can get a ticket from another machine.. Sorry for the noise.

steved.

>
> tia,
>
> steved.