On 01/05/2011 12:19 PM, [email protected] wrote:
> [k...@bpbuild001 ~]$ psql
> psql (8.4.5)
> Type "help" for help.
>
> koji=> select * from users;
> id | name | password | status | usertype |
> krb_principal
> ----+-------+----------+--------+----------+----------------------------------------------------------------
> 2 | swebb | | 0 | 0 | [email protected]
> 1 | koji | | 0 | 0 |
> koji/[email protected]
> (2 rows)
>
> koji=> \q
> [k...@bpbuild001 ~]$ koji add-user kojira
> Kerberos authentication failed: Matching credential not found (-1765328243)
> [k...@bpbuild001 ~]$ kinit swebb
> Password for [email protected]:
> [k...@bpbuild001 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 01/05/11 10:15:13 01/05/11 22:14:30
> krbtgt/[email protected]
> [k...@bpbuild001 ~]$ cat /etc/koji.conf
> [koji]
>
> ;configuration for koji cli tool
>
> ;url of XMLRPC server
> server = http://bpbuild001.co0.nar.beatportcorp.net/kojihub
>
> ;url of web interface
> weburl = http://bpbuild001.co0.nar.beatportcorp.net/koji
>
> ;url of package download site
> pkgurl = http://bpbuild001.co0.nar.beatportcorp.net/packages
>
> ;path to the koji top directory
> topdir = /mnt/koji
>
> ;configuration for SSL authentication
>
> ;client certificate
> cert = ~/.fedora.cert
>
> ;certificate of the CA that issued the client certificate
> ca = ~/.fedora-server-ca.cert
>
> ;certificate of the CA that issued the HTTP server certificate
> serverca = ~/.fedora-server-ca.cert
> [k...@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
> host/[email protected]

Sorry, that should have been kinit, not klist. You'll probably need to run it as root. Also, make sure /etc/krb5.keytab is readable by the apache user. Also, I don't think your patch to __init__.py:_serverPrincipal() is correct. Try hard-coding the domain to AUTH.BEATPORTCORP.NET.

> Extra arguments (starting with
> "host/[email protected]").
> Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
> -c specifies credentials cache
> -k specifies keytab
> (Default is credentials cache)
> -e shows the encryption type
> -V shows the Kerberos version and exits
> options for credential caches:
> -d shows the submitted authorization data types
> -f shows credentials flags
> -s sets exit status based on valid tgt existence
> -a displays the address list
> -n do not reverse-resolve
> options for keytabs:
> -t shows keytab entry timestamps
> -K shows keytab entry DES keys
> [k...@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> klist: Permission denied while starting keytab scan
> [k...@bpbuild001 ~]$ logout
> [r...@bpbuild001 ~]# klist -kt /etc/krb5.keytab
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- -----------------
> --------------------------------------------------------
> 1 12/15/10 10:49:18
> host/[email protected]
> 1 12/15/10 10:49:19
> host/[email protected]
> 1 12/15/10 10:49:19
> host/[email protected]
> 1 12/15/10 10:49:19
> host/[email protected]
> [r...@bpbuild001 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting Expires Service principal
> 01/05/11 09:49:04 01/05/11 21:48:17
> krbtgt/[email protected]
>
> - Steve
>
> On Mon, 3 Jan 2011, Mike Bonnet wrote:
>
>> On 12/29/2010 11:06 AM, [email protected] wrote:
>>> Still stuck here. Anyone around during the holidays that can help?
>>
>> Could you post the /etc/koji.conf from the client machine (the machine
>> where you're running "koji add-user kojira")?
>>
>> Also, try running:
>>
>> klist -kt /etc/krb5.keytab \
>> host/[email protected]
>>
>> and then klist, and post the output of both commands.
>>
>>> - Steve
>>>
>>> On Fri, 17 Dec 2010, [email protected] wrote:
>>>
>>>> Ok, all changed, still no-go:
>>>>
>>>> [r...@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>>> ## If ServerOffline is True, the server will always report a ServerOffline
>>>> fault (with
>>>> ## OfflineMessage as the fault string).
>>>> ## If LockOut is True, the server will report a ServerOffline fault for
>>>> all non-admin
>>>> ## requests.
>>>>
>>>> AuthPrincipal =
>>>> host/[email protected]
>>>> AuthKeytab = /etc/krb5.keytab
>>>> ProxyPrincipals =
>>>> koji/[email protected]
>>>> HostPrincipalFormat = compile/%[email protected]
>>>>
>>>> [r...@bpbuild001 ~]# klist -k /etc/krb5.keytab
>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>> KVNO Principal
>>>> ----
>>>> --------------------------------------------------------------------------
>>>> 1 host/[email protected]
>>>> 1 host/[email protected]
>>>> 1 host/[email protected]
>>>> 1 host/[email protected]
>>>> [r...@bpbuild001 ~]# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: [email protected]
>>>>
>>>> Valid starting Expires Service principal
>>>> 12/17/10 15:36:29 12/18/10 03:30:18
>>>> krbtgt/[email protected]
>>>> [r...@bpbuild001 ~]# su - koji
>>>> [k...@bpbuild001 ~]$ psql
>>>> psql (8.4.5)
>>>> Type "help" for help.
>>>>
>>>> koji=> select * from users;
>>>> id | name | password | status | usertype |
>>>> krb_principal
>>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>> 2 | swebb | | 0 | 0 | [email protected]
>>>> 1 | koji | | 0 | 0 |
>>>> koji/[email protected]
>>>> (2 rows)
>>>>
>>>> koji=> \q
>>>> [k...@bpbuild001 ~]$ logout
>>>> [r...@bpbuild001 ~]# koji add-user kojira
>>>> Kerberos authentication failed: Server not found in Kerberos database
>>>> (-1765328377)
>>>>
>>>> Q: The error now says "Server not found" - should the principal in psql be
>>>> host/... ??
>>>>
>>>> - Steve
>>>
>>
>> --
>> buildsys mailing list
>> [email protected]
>> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>>
>
--
buildsys mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/buildsys
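
An added example (not code from this thread or from Koji) of the server-side checks the thread is working through: that the hub's AuthPrincipal has a key in the keytab, and that the keytab is readable by the apache user; the world-readable check is an extra added here. The hostname, realm, sample `klist -kt` output and the apache uid/gid of 48 are constructed placeholders.

```python
import re
import stat

# Constructed sample inputs; host and realm are placeholders, not the thread's.
HUB_CONF = """\
AuthPrincipal = host/kojihub.example.com@EXAMPLE.COM
AuthKeytab = /etc/krb5.keytab
"""
KLIST_KT = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
   1 12/15/10 10:49:18 host/kojihub.example.com@EXAMPLE.COM
"""

def hub_setting(conf_text, key):
    """Value of `key = value` in hub.conf text, or None; '#' lines never match."""
    m = re.search(r"^[ \t]*%s[ \t]*=[ \t]*(\S+)" % re.escape(key), conf_text, re.M)
    return m.group(1) if m else None

def keytab_principals(klist_output):
    """Principals listed by `klist -k` / `klist -kt` (entry rows start with the KVNO)."""
    rows = (line.split() for line in klist_output.splitlines())
    return {f[-1] for f in rows if f and f[0].isdigit()}

def readable_by(mode, owner_uid, owner_gid, uid, gids):
    """Classic Unix permission check for read access (POSIX ACLs are not considered)."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def check_hub_keytab(conf_text, klist_output, mode, owner_uid, owner_gid, uid, gids):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    principal = hub_setting(conf_text, "AuthPrincipal")
    if principal not in keytab_principals(klist_output):
        findings.append("AuthPrincipal %s has no key in the keytab" % principal)
    if not readable_by(mode, owner_uid, owner_gid, uid, gids):
        findings.append("keytab is not readable by the web server user")
    if mode & stat.S_IROTH:
        findings.append("keytab is world-readable")
    return findings

if __name__ == "__main__":
    print(check_hub_keytab(HUB_CONF, KLIST_KT, 0o600, 0, 0, 48, {48}))  # apache as uid/gid 48 is assumed
```

On a live host the mode and ownership would come from `os.stat()` on the AuthKeytab path and the listing from `klist -kt` run as root.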
