On 12/17/2010 12:35 PM, [email protected] wrote:
>> The koji cli expects the service principal of the hub to be host/<server
>> name>@<last 2 tokens of the server name>. So in your case it is trying
>> to lookup a service principal in the BEATPORTCORP.NET domain, rather
>> than AUTH.BEATPORTCORP.NET. Koji should probably be determining the
>> domain from the client principal, rather than the DNS name. In the
>> meantime, you could patch __init__.py:_serverPrincipal() to return the
>> correct value.
>
> I just changed it to accept 3 parts to the server name by changing the 2s
> to 3s in /usr/lib/python2.7/site-packages/koji/__init__.py
>
>     def _serverPrincipal(self):
>         """Get the Kerberos principal of the server we're connecting
>         to, based on baseurl. Assume the last two components of the
>         server name are the Kerberos realm."""
>         servername = urlparse.urlparse(self.baseurl)[1]
>         portspec = servername.find(':')
>         if portspec != -1:
>             servername = servername[:portspec]
>
>         parts = servername.split('.')
>         if len(parts) < 3:
>             domain = servername.upper()
>         else:
>             domain = '.'.join(parts[-3:]).upper()
>
>         return 'host/%...@%s' % (servername, domain)
>
>
> Still getting authentication failure:
>
> [r...@bpbuild001 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 12/17/10 09:39:56 12/17/10 21:37:58
> krbtgt/[email protected]
>
> [r...@bpbuild001 ~]# koji add-user kojira
> Kerberos authentication failed: Server not found in Kerberos database
> (-1765328377)

Assuming your hub is running on bpbuild001.co0.nar.beatportcorp.net, your
/etc/koji-hub/hub.conf should have:

AuthPrincipal = host/[email protected]

and AuthKeytab should be pointing at a keytab for that principal.

Yes, this could be a lot more flexible.
--
buildsys mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/buildsys
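
An added example, not part of the thread and not koji's own code: it compares the service principal a client would request under the hostname heuristic (last 2 or last 3 labels) and under the realm-from-client-principal approach suggested above against the hub's configured AuthPrincipal. The host name, realm and principals are constructed sample values, and all function names are hypothetical.

```python
from urllib.parse import urlparse


def _hub_host(baseurl):
    """Extract the hub host name (lowercased, port stripped) from baseurl."""
    host = urlparse(baseurl).hostname
    if not host:
        raise ValueError('no hostname in %r' % baseurl)
    return host


def hostname_realm_principal(baseurl, labels=2):
    """Heuristic from the thread: realm = last `labels` DNS labels, uppercased."""
    host = _hub_host(baseurl)
    parts = host.split('.')
    if len(parts) < labels:
        realm = host.upper()
    else:
        realm = '.'.join(parts[-labels:]).upper()
    return 'host/%s@%s' % (host, realm)


def client_realm_principal(baseurl, client_principal):
    """Alternative from the thread: reuse the realm of the client principal."""
    realm = client_principal.rpartition('@')[2]
    return 'host/%s@%s' % (_hub_host(baseurl), realm)


def diagnose(baseurl, client_principal, hub_auth_principal):
    """Return (strategy, requested principal, matches hub AuthPrincipal)."""
    candidates = [
        ('last 2 labels', hostname_realm_principal(baseurl, 2)),
        ('last 3 labels', hostname_realm_principal(baseurl, 3)),
        ('client realm', client_realm_principal(baseurl, client_principal)),
    ]
    return [(name, p, p == hub_auth_principal) for name, p in candidates]


# Constructed sample values (assumptions, not taken from the thread).
BASEURL = 'https://hub01.co0.nar.example.net:443/kojihub'
CLIENT = 'admin@AUTH.EXAMPLE.NET'
HUB_AUTH_PRINCIPAL = 'host/hub01.co0.nar.example.net@AUTH.EXAMPLE.NET'

if __name__ == '__main__':
    for name, principal, ok in diagnose(BASEURL, CLIENT, HUB_AUTH_PRINCIPAL):
        print('%-14s %-52s %s' % (name, principal, 'match' if ok else 'MISMATCH'))
```

When the realm is not a suffix of the hub's DNS name, no label count matches; only the request built from the client's realm equals the principal the hub holds a keytab for.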
