On 11/21/2016 08:07 AM, Vít Ondruch wrote:
> 
> 
> Dne 21.11.2016 v 13:36 Stephen Gallagher napsal(a):
>> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>>>> koji authentication will be switching to Kerberos. Koji supports multiple
>>>> authentication mechanisms. Fedora infrastructure has set up a freeipa
>>>> instance internally that has credential syncing to fas. We are working on
>>>> ensuring that gssapi caching is supported so that you can have multiple
>>>> TGTs and the ability to work in multiple realms at once. You can get
>>>> started today by doing kinit <fas username>@FEDORAPROJECT.ORG; if you move
>>>> your ~/.fedora.cert file out of the way, authentication will still work.
>>>
>>>   Can you expand (with links to webpages/wiki?) on multiple TGTs support?
>>> At the moment, when I use kinit on F25, I get a ticket for the
>>> @FEDORAPROJECT.ORG realm, but I lose my primary principal ticket. This means
>>> I lose access to my services, including access to the web proxy that is my
>>> internet gateway.
>>>   What's the trick to have _both_ tickets active – for my organisation and
>>> for Fedora – at the same time?  This is using the default Ticket cache:
>>> KEYRING:persistent:…
>>>
>> You don't lose them (you can see both with `klist -A`). What happens is that
>> the default ticket is the most recent one you got a TGT for. You can switch
>> the default ticket back to your other one with `kswitch -p username@REALM`.
>>
>> We should probably look at an /etc/krb5.conf.d snippet to have the
>> `fedora-packager` RPM provide that will add a section like:
>>
>> ```
>> [domain_realm]
>>   fedoraproject.org = FEDORAPROJECT.ORG
>>   .fedoraproject.org = FEDORAPROJECT.ORG
>>   fedorainfracloud.org = FEDORAPROJECT.ORG
>>   .fedorainfracloud.org = FEDORAPROJECT.ORG
>> ```
>>
>> This way, no matter which ticket is set to the default, it will route
>> requests for services in those domains to the FEDORAPROJECT.ORG realm.
>>
> 


So, it turns out that this doesn't work yet. It's complicated, but there's a
patch pending for Koji that will make this work. It hasn't landed yet. Hopefully
that will change before the flag day.


> You mean something like this?
> 
> ```
> # rpm -qf /etc/krb5.conf.d/fedoraproject_org
> fedora-packager-0.5.10.7-4.fc26.noarch
> 
> # cat /etc/krb5.conf.d/fedoraproject_org
> [realms]
>  FEDORAPROJECT.ORG = {
>         kdc = https://id.fedoraproject.org/KdcProxy
>  }
> [domain_realm]
>  .fedoraproject.org = FEDORAPROJECT.ORG
>  fedoraproject.org = FEDORAPROJECT.ORG
> ```
> 

You actually shouldn't need to specify the [realms] section at all, because of
some nice DNS magic. Getting the [domain_realm] section working needs koji to
accept the patch Patrick Uiterwijk mentioned elsewhere in this thread.
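Added example, not from this thread and not the code of fedora-packager or libkrb5: a small Python script that parses a krb5.conf.d-style snippet like the ones quoted above and shows which realm a service hostname is routed to by the [domain_realm] rules, and which KDC the [realms] block names for it. The matching rules it implements (exact host entry first, then parent domains longest-first against leading-dot entries, with a host entry also matching as a domain when no explicit dot entry exists) are my reading of the MIT krb5 documentation, not the library's own code; the parser is a minimal one for illustration. The snippet contents are the ones shown in the thread; the hostnames used as inputs are constructed.

```python
import re

# Constructed sample: the [domain_realm] snippet proposed in the thread plus the
# [realms] block from the installed fedoraproject_org file.
SAMPLE_SNIPPET = """\
[realms]
 FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
 }
[domain_realm]
 .fedoraproject.org = FEDORAPROJECT.ORG
 fedoraproject.org = FEDORAPROJECT.ORG
 .fedorainfracloud.org = FEDORAPROJECT.ORG
 fedorainfracloud.org = FEDORAPROJECT.ORG
"""

# Constructed sample with only a host-name entry and no leading-dot entry, to
# show the implicit domain match.
HOST_ONLY_SNIPPET = """\
[domain_realm]
 fedorainfracloud.org = FEDORAPROJECT.ORG
"""


def parse_krb5_snippet(text):
    """Parse a krb5.conf-style snippet into {section: {key: value}}.
    A braced block such as a realm definition becomes a nested dict.
    Minimal parser for illustration only, not libkrb5's profile code."""
    sections = {}
    stack = []  # innermost dict is stack[-1]; empty until a [section] is seen
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("relation outside of any section: %r" % raw)
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def realm_for_host(hostname, domain_realm):
    """Resolve a hostname to a realm with [domain_realm] semantics (assumed):
    exact host entry wins; otherwise each parent domain, longest first, is
    tried as a leading-dot entry and then as a bare host-name entry (a host
    entry implicitly covers its subdomains unless a dot entry exists).
    Matching is on whole DNS labels, so 'evilfedoraproject.org' is NOT a
    subdomain of 'fedoraproject.org'."""
    table = {k.lower(): v for k, v in domain_realm.items()}
    host = hostname.lower().rstrip(".")
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "." + parent in table:
            return table["." + parent]
        if parent in table:
            return table[parent]
    return None  # no mapping: libkrb5 would fall back to other means


def resolve(hostname, snippet=SAMPLE_SNIPPET):
    """Return (realm, kdc) for a service host according to the snippet."""
    conf = parse_krb5_snippet(snippet)
    realm = realm_for_host(hostname, conf.get("domain_realm", {}))
    kdc = None
    if realm is not None:
        kdc = conf.get("realms", {}).get(realm, {}).get("kdc")
    return realm, kdc


if __name__ == "__main__":
    for host in ("koji.fedoraproject.org", "fedoraproject.org",
                 "evilfedoraproject.org", "proxy.example.corp"):
        print("%-26s -> %s" % (host, resolve(host)))
```

The point the script makes concrete is the one in the reply above: once the snippet is in place, a request to any host under fedoraproject.org or fedorainfracloud.org is routed to FEDORAPROJECT.ORG whichever ticket `kswitch` has made the default, while hosts outside those domains (such as an organisation's own web proxy) are left alone, and a look-alike name that merely ends in the same characters does not match because the comparison is label-by-label.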
