> Sorry, that should have been kinit, not klist. You'll probably need to
> run it as root. Also, make sure /etc/krb5.keytab is readable by the
> apache user.

[r...@bpbuild001 ~]# kinit -kt /etc/krb5.keytab host/[email protected]
kinit: Password incorrect while getting initial credentials
[r...@bpbuild001 ~]# chmod 644 /etc/krb5.keytab
[r...@bpbuild001 ~]# ls -la /etc/krb5.keytab
-rw-r--r--. 1 root root 430 Dec 15 10:49 /etc/krb5.keytab

Ok, now my serverPrincipal() is:

    def _serverPrincipal(self):
        """Get the Kerberos principal of the server we're connecting
        to, based on baseurl. Assume the last two components of the
        server name are the Kerberos realm."""
        servername = urlparse.urlparse(self.baseurl)[1]
        portspec = servername.find(':')
        if portspec != -1:
            servername = servername[:portspec]

        parts = servername.split('.')
        if len(parts) < 3:
            domain = servername.upper()
        else:
            domain = '.'.join(parts[-3:]).upper()
        domain = 'AUTH.BEATPORTCORP.NET'
        return 'host/%...@%s' % (servername, domain)

New error:

[r...@bpbuild001 ~]# su - koji
[k...@bpbuild001 ~]$ koji add-user kojira
ServerOffline: database outage
[k...@bpbuild001 ~]$ ps auxw | grep post
postgres 1520 0.0 0.0 203000 5784 ? S 10:13 0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
postgres 1522 0.0 0.0 174412 1144 ? Ss 10:13 0:00 postgres: logger process
postgres 1524 0.0 0.0 203000 1452 ? Ss 10:13 0:00 postgres: writer process
postgres 1525 0.0 0.0 203000 1448 ? Ss 10:13 0:00 postgres: wal writer process
postgres 1526 0.0 0.0 203268 1844 ? Ss 10:13 0:00 postgres: autovacuum launcher process
postgres 1527 0.0 0.0 174544 1556 ? Ss 10:13 0:00 postgres: stats collector process
koji 1910 0.0 0.0 103416 888 pts/0 S+ 12:02 0:00 grep --color=auto post
[k...@bpbuild001 ~]$

- Steve

>
> Also, I don't think your patch to __init__.py:_serverPrincipal() is
> correct. Try hard-coding the domain to AUTH.BEATPORTCORP.NET.
>
>> Extra arguments (starting with
>> "host/[email protected]").
>> Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
>> -c specifies credentials cache
>> -k specifies keytab
>> (Default is credentials cache)
>> -e shows the encryption type
>> -V shows the Kerberos version and exits
>> options for credential caches:
>> -d shows the submitted authorization data types
>> -f shows credentials flags
>> -s sets exit status based on valid tgt existence
>> -a displays the address list
>> -n do not reverse-resolve
>> options for keytabs:
>> -t shows keytab entry timestamps
>> -K shows keytab entry DES keys
>> [k...@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> klist: Permission denied while starting keytab scan
>> [k...@bpbuild001 ~]$ logout
>> [r...@bpbuild001 ~]# klist -kt /etc/krb5.keytab
>> Keytab name: WRFILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    1 12/15/10 10:49:18 host/[email protected]
>>    1 12/15/10 10:49:19 host/[email protected]
>>    1 12/15/10 10:49:19 host/[email protected]
>>    1 12/15/10 10:49:19 host/[email protected]
>> [r...@bpbuild001 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: [email protected]
>>
>> Valid starting     Expires            Service principal
>> 01/05/11 09:49:04  01/05/11 21:48:17  krbtgt/[email protected]
>>
>> - Steve
>>
>> On Mon, 3 Jan 2011, Mike Bonnet wrote:
>>
>>> On 12/29/2010 11:06 AM, [email protected] wrote:
>>>> Still stuck here. Anyone around during the holidays that can help?
>>>
>>> Could you post the /etc/koji.conf from the client machine (the machine
>>> where you're running "koji add-user kojira")?
>>>
>>> Also, try running:
>>>
>>> klist -kt /etc/krb5.keytab \
>>> host/[email protected]
>>>
>>> and then klist, and post the output of both commands.
>>>
>>>> - Steve
>>>>
>>>> On Fri, 17 Dec 2010, [email protected] wrote:
>>>>
>>>>> Ok, all changed, still no-go:
>>>>>
>>>>> [r...@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>>>> ## If ServerOffline is True, the server will always report a ServerOffline fault (with
>>>>> ## OfflineMessage as the fault string).
>>>>> ## If LockOut is True, the server will report a ServerOffline fault for all non-admin
>>>>> ## requests.
>>>>>
>>>>> AuthPrincipal = host/[email protected]
>>>>> AuthKeytab = /etc/krb5.keytab
>>>>> ProxyPrincipals = koji/[email protected]
>>>>> HostPrincipalFormat = compile/%[email protected]
>>>>>
>>>>> [r...@bpbuild001 ~]# klist -k /etc/krb5.keytab
>>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ---- --------------------------------------------------------------------------
>>>>>    1 host/[email protected]
>>>>>    1 host/[email protected]
>>>>>    1 host/[email protected]
>>>>>    1 host/[email protected]
>>>>> [r...@bpbuild001 ~]# klist
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: [email protected]
>>>>>
>>>>> Valid starting     Expires            Service principal
>>>>> 12/17/10 15:36:29  12/18/10 03:30:18  krbtgt/[email protected]
>>>>> [r...@bpbuild001 ~]# su - koji
>>>>> [k...@bpbuild001 ~]$ psql
>>>>> psql (8.4.5)
>>>>> Type "help" for help.
>>>>>
>>>>> koji=> select * from users;
>>>>>  id | name  | password | status | usertype | krb_principal
>>>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>>>   2 | swebb |          |      0 |        0 | [email protected]
>>>>>   1 | koji  |          |      0 |        0 | koji/[email protected]
>>>>> (2 rows)
>>>>>
>>>>> koji=> \q
>>>>> [k...@bpbuild001 ~]$ logout
>>>>> [r...@bpbuild001 ~]# koji add-user kojira
>>>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>>>>
>>>>> Q: The error now says "Server not found" - should the principal in psql be
>>>>> host/... ??
>>>>>
>>>>> - Steve
>>>>
>>>
>>> --
>>> buildsys mailing list
>>> [email protected]
>>> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>>>
>>
>
> --
> buildsys mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>

--
Steve Webb | System Administrator
Beatport | Play With Music
------------------------------------------
2399 Blake Street, Suite 170
Denver, Colorado USA 80205
tel: +1.720.932.9103
fax: +1.720.932.9104
noc: +1.303.565.2710
mobile: +1.303.564.4269
--
buildsys mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/buildsys
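
Added example, not part of the thread and not Koji code: the thread asks for /etc/krb5.keytab to be readable by the apache user, and the session grants that with mode 644. A keytab holds the long-term keys of its principals, so this sketch checks from the file's mode bits whether a service account can read it and flags any access beyond that account. The function names, the uid/gid arguments and the temporary stand-in file are constructed for illustration; ACLs and SELinux labels are not evaluated.

```python
import os
import stat
import tempfile


def audit_keytab(path, service_uid, service_gids):
    """Return (service_can_read, findings) for a keytab, from mode bits only.
    service_uid / service_gids describe the account that must read the file
    (the apache user in the thread); they are passed in, not looked up.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    # Unix permission check order: owner class, then group class, then other.
    if st.st_uid == service_uid:
        can_read = bool(mode & stat.S_IRUSR)
    elif st.st_gid in service_gids:
        can_read = bool(mode & stat.S_IRGRP)
    else:
        can_read = bool(mode & stat.S_IROTH)
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local user can use these keys")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or other")
    if not can_read:
        findings.append("service account cannot read the keytab")
    return can_read, findings


def demo():
    """Run the audit on a constructed stand-in file under three modes."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.close(fd)
    try:
        st = os.stat(path)
        # Assumed service account: a different uid that shares the file's group.
        uid, gids = st.st_uid + 1, {st.st_gid}
        results = {}
        for mode in (0o644, 0o640, 0o600):
            os.chmod(path, mode)
            results[mode] = audit_keytab(path, uid, gids)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, (ok, findings) in demo().items():
        print(oct(mode), "readable" if ok else "unreadable", findings)
```

In the constructed run, mode 640 with the service account in the file's group is the only one of the three that is readable by the service and produces no findings.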
