On 01/05/2011 02:03 PM, [email protected] wrote:
>> Sorry, that should have been kinit, not klist.  You'll probably need to
>> run it as root.  Also, make sure /etc/krb5.keytab is readable by the
>> apache user.
> 
> [r...@bpbuild001 ~]# kinit -kt /etc/krb5.keytab host/[email protected]
> kinit: Password incorrect while getting initial credentials

This means that keytab is not valid.  You should delete it and generate
a new one for the same principal.

> [r...@bpbuild001 ~]# chmod 644 /etc/krb5.keytab
> [r...@bpbuild001 ~]# ls -la /etc/krb5.keytab
> -rw-r--r--. 1 root root 430 Dec 15 10:49 /etc/krb5.keytab
> 
> Ok, now my serverPrincipal() is:
> 
>      def _serverPrincipal(self):
>          """Get the Kerberos principal of the server we're connecting
>          to, based on baseurl.  Assume the last two components of the
>          server name are the Kerberos realm."""
>          servername = urlparse.urlparse(self.baseurl)[1]
>          portspec = servername.find(':')
>          if portspec != -1:
>              servername = servername[:portspec]
> 
>          parts = servername.split('.')
>          if len(parts) < 3:
>              domain = servername.upper()
>          else:
>              domain = '.'.join(parts[-3:]).upper()
> 
>          domain = 'AUTH.BEATPORTCORP.NET'
> 
>          return 'host/%s@%s' % (servername, domain)
> 
> 
> New error:
> 
> [r...@bpbuild001 ~]# su - koji
> [k...@bpbuild001 ~]$ koji add-user kojira
> ServerOffline: database outage

This is unrelated to Kerberos auth.  Check that your database is
functioning properly, and that the apache user can connect to it.

Let's take this off the mailing list.  If you have further issues, please
email me directly.

> [k...@bpbuild001 ~]$ ps auxw | grep post
> postgres  1520  0.0  0.0 203000  5784 ?        S    10:13   0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
> postgres  1522  0.0  0.0 174412  1144 ?        Ss   10:13   0:00 postgres: logger process
> postgres  1524  0.0  0.0 203000  1452 ?        Ss   10:13   0:00 postgres: writer process
> postgres  1525  0.0  0.0 203000  1448 ?        Ss   10:13   0:00 postgres: wal writer process
> postgres  1526  0.0  0.0 203268  1844 ?        Ss   10:13   0:00 postgres: autovacuum launcher process
> postgres  1527  0.0  0.0 174544  1556 ?        Ss   10:13   0:00 postgres: stats collector process
> koji      1910  0.0  0.0 103416   888 pts/0    S+   12:02   0:00 grep --color=auto post
> [k...@bpbuild001 ~]$
> 
> - Steve
> 
>>
>> Also, I don't think your patch to __init__.py:_serverPrincipal() is
>> correct.  Try hard-coding the domain to AUTH.BEATPORTCORP.NET.
>>
>>> Extra arguments (starting with "host/[email protected]").
>>> Usage: klist [-e] [-V] [[-c] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] [name]
>>>          -c specifies credentials cache
>>>          -k specifies keytab
>>>             (Default is credentials cache)
>>>          -e shows the encryption type
>>>          -V shows the Kerberos version and exits
>>>          options for credential caches:
>>>                  -d shows the submitted authorization data types
>>>                  -f shows credentials flags
>>>                  -s sets exit status based on valid tgt existence
>>>                  -a displays the address list
>>>                          -n do not reverse-resolve
>>>          options for keytabs:
>>>                  -t shows keytab entry timestamps
>>>                  -K shows keytab entry DES keys
>>> [k...@bpbuild001 ~]$ klist -kt /etc/krb5.keytab
>>> Keytab name: WRFILE:/etc/krb5.keytab
>>> klist: Permission denied while starting keytab scan
>>> [k...@bpbuild001 ~]$ logout
>>> [r...@bpbuild001 ~]# klist -kt /etc/krb5.keytab
>>> Keytab name: WRFILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>     1 12/15/10 10:49:18 host/[email protected]
>>>     1 12/15/10 10:49:19 host/[email protected]
>>>     1 12/15/10 10:49:19 host/[email protected]
>>>     1 12/15/10 10:49:19 host/[email protected]
>>> [r...@bpbuild001 ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: [email protected]
>>>
>>> Valid starting     Expires            Service principal
>>> 01/05/11 09:49:04  01/05/11 21:48:17  krbtgt/[email protected]
>>>
>>> - Steve
>>>
>>> On Mon, 3 Jan 2011, Mike Bonnet wrote:
>>>
>>>> On 12/29/2010 11:06 AM, [email protected] wrote:
>>>>> Still stuck here.  Anyone around during the holidays that can help?
>>>>
>>>> Could you post the /etc/koji.conf from the client machine (the machine
>>>> where you're running "koji add-user kojira")?
>>>>
>>>> Also, try running:
>>>>
>>>> klist -kt /etc/krb5.keytab \
>>>>  host/[email protected]
>>>>
>>>> and then klist, and post the output of both commands.
>>>>
>>>>> - Steve
>>>>>
>>>>> On Fri, 17 Dec 2010, [email protected] wrote:
>>>>>
>>>>>> Ok, all changed, still no-go:
>>>>>>
>>>>>> [r...@bpbuild001 ~]# tail /etc/koji-hub/hub.conf
>>>>>> ## If ServerOffline is True, the server will always report a ServerOffline fault (with
>>>>>> ## OfflineMessage as the fault string).
>>>>>> ## If LockOut is True, the server will report a ServerOffline fault for all non-admin
>>>>>> ## requests.
>>>>>>
>>>>>> AuthPrincipal = host/[email protected]
>>>>>> AuthKeytab = /etc/krb5.keytab
>>>>>> ProxyPrincipals = koji/[email protected]
>>>>>> HostPrincipalFormat = compile/%[email protected]
>>>>>>
>>>>>> [r...@bpbuild001 ~]# klist -k /etc/krb5.keytab
>>>>>> Keytab name: WRFILE:/etc/krb5.keytab
>>>>>> KVNO Principal
>>>>>> ---- --------------------------------------------------------------------------
>>>>>>    1 host/[email protected]
>>>>>>    1 host/[email protected]
>>>>>>    1 host/[email protected]
>>>>>>    1 host/[email protected]
>>>>>> [r...@bpbuild001 ~]# klist
>>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>>> Default principal: [email protected]
>>>>>>
>>>>>> Valid starting     Expires            Service principal
>>>>>> 12/17/10 15:36:29  12/18/10 03:30:18  krbtgt/[email protected]
>>>>>> [r...@bpbuild001 ~]# su - koji
>>>>>> [k...@bpbuild001 ~]$ psql
>>>>>> psql (8.4.5)
>>>>>> Type "help" for help.
>>>>>>
>>>>>> koji=> select * from users;
>>>>>>  id | name  | password | status | usertype |                         krb_principal
>>>>>> ----+-------+----------+--------+----------+----------------------------------------------------------------
>>>>>>   2 | swebb |          |      0 |        0 | [email protected]
>>>>>>   1 | koji  |          |      0 |        0 | koji/[email protected]
>>>>>> (2 rows)
>>>>>>
>>>>>> koji=> \q
>>>>>> [k...@bpbuild001 ~]$ logout
>>>>>> [r...@bpbuild001 ~]# koji add-user kojira
>>>>>> Kerberos authentication failed: Server not found in Kerberos database (-1765328377)
>>>>>>
>>>>>> Q: The error now says "Server not found" - should the principal in psql be
>>>>>> host/...  ??
>>>>>>
>>>>>> - Steve
>>>>>
>>>>
>>>> --
>>>> buildsys mailing list
>>>> [email protected]
>>>> https://admin.fedoraproject.org/mailman/listinfo/buildsys
>>>>
>>>
>>
> 


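What `klist -kt /etc/krb5.keytab` reads out of the file, as an added example (not part of the original thread, and not Koji or MIT krb5 code): a minimal parser for the MIT keytab file format, version 0x0502, that lists each entry's KVNO, timestamp, principal and encryption type without returning key material. The host name, realm, timestamps and all-zero keys in the sample are constructed.

```python
import struct
from datetime import datetime, timezone

def _field(buf, off):  # uint16 length prefix + bytes -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (kvno, UTC time, principal, enctype) per entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:                    # nothing further to read
            break
        if size < 0:                     # deleted slot: skip |size| bytes
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _field(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _field(data, p)
            comps.append(comp.decode())
        _ntype, ts, kvno, enctype = struct.unpack_from(">IIBH", data, p)
        _key, p = _field(data, p + 11)   # key material is read past, never returned
        if end - p >= 4:                 # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        when = datetime.fromtimestamp(ts, timezone.utc)
        entries.append((kvno, when, "/".join(comps) + "@" + realm.decode(), enctype))
        off = end
    return entries

def _entry(principal, kvno, ts, enctype, key):  # builds constructed test data only
    name, realm = principal.split("@")
    pk = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", name.count("/") + 1) + pk(realm.encode())
    body += b"".join(pk(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIBH", 1, ts, kvno & 0xFF, enctype) + pk(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: placeholder host and realm, all-zero keys, one deleted slot.
P = "host/build.example.test@EXAMPLE.TEST"
SAMPLE = (b"\x05\x02" + _entry(P, 1, 1292410158, 18, bytes(32))
          + struct.pack(">i", -8) + bytes(8) + _entry(P, 2, 1294236000, 17, bytes(16)))

for kvno, when, principal, enctype in parse_keytab(SAMPLE):
    print(f"{kvno:4d} {when:%m/%d/%y %H:%M:%S} {principal} (enctype {enctype})")
```

The KVNO and encryption type it prints are the values to compare against the KDC's record for the principal when `kinit -kt` rejects a keytab.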