Ok, I'm still not getting access to krb, but I feel that I'm getting close. (Thanks for all of your help already, BTW)
[r...@bpbuild001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
12/17/10 14:27:51  12/18/10 02:27:09  krbtgt/[email protected]

[r...@bpbuild001 ~]# su - koji
[k...@bpbuild001 ~]$ psql
psql (8.4.5)
Type "help" for help.

koji=> select * from user_perms;
 user_id | perm_id | create_event | revoke_event | creator_id | revoker_id | active
---------+---------+--------------+--------------+------------+------------+--------
       1 |       1 |            1 |              |          1 |            | t
       2 |       1 |            2 |              |          2 |            | t
(2 rows)

koji=> select * from users;
 id | name  | password | status | usertype | krb_principal
----+-------+----------+--------+----------+------------------------------------------
  1 | koji  |          |      0 |        0 | [email protected]
  2 | swebb |          |      0 |        0 | [email protected]
(2 rows)

koji=>
[k...@bpbuild001 ~]$ logout

[r...@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)

[r...@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)

[r...@bpbuild001 ~]# koji --keytab=/etc/krb5.keytab --principal=host/[email protected] --authtype=kerberos add-user kojira
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)

[r...@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/[email protected] --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)

[r...@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)

[r...@bpbuild001 ~]# koji --keytab=/etc/koji2.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)

[r...@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --authtype=kerberos add-user kojira
Kerberos authentication failed: Server not found in Kerberos database (-1765328377)

[r...@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/bpbuild001.co0.nar.beatportcorp.net --authtype=kerberos add-user kojira
Kerberos authentication failed: Key table entry not found (-1765328203)

[r...@bpbuild001 ~]# koji --keytab=/etc/koji.keytab --principal=host/[email protected] --authtype=kerberos add-user kojira
Kerberos authentication failed: Key table entry not found (-1765328203)

My keytabs that I've been trying:

/etc/krb5.keytab:  host/bpbuild001.co0.nar.beatportcorp.net
/etc/koji.keytab:  koji/bpbuild001.co0.nar.beatportcorp.net
/etc/koji2.keytab: host/[email protected]

I've tried many combinations but none of them seem to be working. The most common errors are (in order of # of occurrences):

Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
Kerberos authentication failed: Decrypt integrity check failed (-1765328353)
Kerberos authentication failed: Key table entry not found (-1765328203)

I'm very good with kerberos, but I'm hoping that this may help us get close to getting kerberos working.

Is there a way to turn on logging for the kerberos authentication stuff somewhere? Using --debug doesn't seem to provide any additional information.

My /etc/koji-hub/hub.conf now:

[snip]
AuthPrincipal = host/bpbuild001.co0.nar.beatportcorp.net
AuthKeytab = /etc/krb5.keytab
ProxyPrincipals = koji/bpbuild001.co0.nar.beatportcorp.net
HostPrincipalFormat = compile/bpbuild001.co0.nar.beatportcorp.net
[snip]

Thanks again.

- Steve

On Fri, 17 Dec 2010, Mike Bonnet wrote:

> On 12/17/2010 12:35 PM, [email protected] wrote:
>>> The koji cli expects the service principal of the hub to be host/<server
>>> name>@<last 2 tokens of the server name>. So in your case it is trying
>>> to lookup a service principal in the BEATPORTCORP.NET domain, rather
>>> than AUTH.BEATPORTCORP.NET. Koji should probably be determining the
>>> domain from the client principal, rather than the DNS name. In the
>>> meantime, you could patch __init__.py:_serverPrincipal() to return the
>>> correct value.
>>
>> I just changed it to accept 3 parts to the server name by changing the 2s
>> to 3s in /usr/lib/python2.7/site-packages/koji/__init__.py
>>
>>     def _serverPrincipal(self):
>>         """Get the Kerberos principal of the server we're connecting
>>         to, based on baseurl. Assume the last two components of the
>>         server name are the Kerberos realm."""
>>         servername = urlparse.urlparse(self.baseurl)[1]
>>         portspec = servername.find(':')
>>         if portspec != -1:
>>             servername = servername[:portspec]
>>
>>         parts = servername.split('.')
>>         if len(parts) < 3:
>>             domain = servername.upper()
>>         else:
>>             domain = '.'.join(parts[-3:]).upper()
>>
>>         return 'host/%s@%s' % (servername, domain)
>>
>>
>> Still getting authentication failure:
>>
>> [r...@bpbuild001 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 12/17/10 09:39:56  12/17/10 21:37:58  krbtgt/[email protected]
>>
>> [r...@bpbuild001 ~]# koji add-user kojira
>> Kerberos authentication failed: Server not found in Kerberos database
>> (-1765328377)
>
> Assuming your hub is running on bpbuild001.co0.nar.beatportcorp.net, your
> /etc/koji-hub/hub.conf should have:
>
> AuthPrincipal = host/[email protected]
>
> and AuthKeytab should be pointing at a keytab for that principal.
>
> Yes, this could be a lot more flexible.
>
> --
> buildsys mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/buildsys

--
Steve Webb | System Administrator
Beatport | Music for DJ's
------------------------------------------
2399 Blake Street, Suite 170
Denver, Colorado USA 80205
tel: +1.720.932.9103
fax: +1.720.932.9104
noc: +1.303.565.2710
mobile: +1.303.564.4269
