Re: Packagers - Flag day 2016 Important changes

2017-01-07 Thread Kevin Fenzi
On Thu, 22 Dec 2016 14:52:45 +
Dave Love  wrote:

> Kevin Fenzi  writes:
> 
> > In this case you should simply be able to kinit on the RHEL node you
> > wish to push changes/builds from?  
> 
> That would be a good start in case epel-testing's fedora-packager was
> installable, but I can't.
> 
>   $ kinit lovesh...@fedoraproject.org
>   kinit: Cannot contact any KDC for realm 'FEDORAPROJECT.ORG' while
> getting initial credentials
>   $ grep -i fedora /etc/krb5.conf
>    FEDORAPROJECT.ORG = {
>  kdc = https://id.fedoraproject.org/KdcProxy
>    STG.FEDORAPROJECT.ORG = {
>   kdc = https://id.stg.fedoraproject.org/KdcProxy
>    fedoraproject.org = FEDORAPROJECT.ORG
>    .fedoraproject.org = FEDORAPROJECT.ORG
>    .stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
>    stg.fedoraproject.org = STG.FEDORAPROJECT.ORG

So, this mail is from Dec 22nd... did you get everything working since
then, or is there still an issue? If there is, can you please file an
infrastructure ticket and we can get things sorted out.

kevin



___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: Packagers - Flag day 2016 Important changes

2017-01-07 Thread Dave Love
Kevin Fenzi  writes:

>> Some people use "Enterprise Linux" (ugh) server systems in
>> "enterprises" which have Kerberized services -- like networked home
>> filestores, where the old certificate is.  (I did copy the
>> credentials with Firefox sync.) OK, Red Hat people think we shouldn't
>> work that way, and apparently now can't, but that's why.
>
> "Red Hat people" ? 

People @redhat.com

> In this case you should simply be able to kinit on the RHEL node you
> wish to push changes/builds from?

That would be a good start in case epel-testing's fedora-packager was
installable, but I can't.

  $ kinit lovesh...@fedoraproject.org
  kinit: Cannot contact any KDC for realm 'FEDORAPROJECT.ORG' while getting 
initial credentials
  $ grep -i fedora /etc/krb5.conf
   FEDORAPROJECT.ORG = {  
 kdc = https://id.fedoraproject.org/KdcProxy  
   STG.FEDORAPROJECT.ORG = {
  kdc = https://id.stg.fedoraproject.org/KdcProxy
   fedoraproject.org = FEDORAPROJECT.ORG  
   .fedoraproject.org = FEDORAPROJECT.ORG 
   .stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
   stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
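The `kdc = https://.../KdcProxy` lines in the krb5.conf above mean the client never talks to a KDC on port 88 directly: each Kerberos message is wrapped in an MS-KKDCP KDC-PROXY-MESSAGE and POSTed to that URL over HTTPS (Content-Type `application/kerberos`), and the proxy forwards it to the real KDC. As an added example, not code from the thread or from any of its participants, here is a Python encoder and decoder for that wrapper, which makes clear what a client must support for such a `kdc =` line to work. The Kerberos payload (`SAMPLE_AS_REQ`) and the hint value are constructed placeholders, not a real AS-REQ.

```python
"""Encode/decode the MS-KKDCP KDC-PROXY-MESSAGE wrapper (added example)."""
import struct
from typing import Optional


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _der_int(n: int) -> bytes:
    """Minimal two's-complement DER INTEGER for a non-negative n."""
    return _der_tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def _der_read(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_kdc_proxy_message(kerb_message: bytes,
                             target_domain: Optional[str] = None,
                             dclocator_hint: Optional[int] = None) -> bytes:
    """KDC-PROXY-MESSAGE ::= SEQUENCE {
           kerb-message   [0] OCTET STRING,        -- TCP-framed Kerberos message
           target-domain  [1] KERB-REALM OPTIONAL, -- GeneralString
           dclocator-hint [2] INTEGER OPTIONAL }"""
    # The OCTET STRING carries the message exactly as it would travel over
    # TCP port 88: a 4-byte big-endian length prefix, then the message itself.
    tcp_framed = struct.pack(">I", len(kerb_message)) + kerb_message
    parts = [_der_tlv(0xA0, _der_tlv(0x04, tcp_framed))]
    if target_domain is not None:
        parts.append(_der_tlv(0xA1, _der_tlv(0x1B, target_domain.encode("ascii"))))
    if dclocator_hint is not None:
        parts.append(_der_tlv(0xA2, _der_int(dclocator_hint)))
    return _der_tlv(0x30, b"".join(parts))


def decode_kdc_proxy_message(blob: bytes) -> dict:
    """Unwrap a KDC-PROXY-MESSAGE, verifying the TCP length prefix inside it."""
    tag, seq, end = _der_read(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("expected exactly one DER SEQUENCE")
    out = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(seq):
        ctag, cval, pos = _der_read(seq, pos)
        itag, ival, _ = _der_read(cval, 0)
        if ctag == 0xA0 and itag == 0x04:
            (framed_len,) = struct.unpack(">I", ival[:4])
            if framed_len != len(ival) - 4:
                raise ValueError("length prefix does not match kerb-message size")
            out["kerb_message"] = ival[4:]
        elif ctag == 0xA1 and itag == 0x1B:
            out["target_domain"] = ival.decode("ascii")
        elif ctag == 0xA2 and itag == 0x02:
            out["dclocator_hint"] = int.from_bytes(ival, "big", signed=True)
        else:
            raise ValueError(f"unexpected element tag {ctag:#x}")
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out


# Constructed stand-in for an AS-REQ (a real one is an APPLICATION 10 SEQUENCE).
SAMPLE_AS_REQ = b"\x6a\x03\x01\x02\x03"

if __name__ == "__main__":
    wrapped = encode_kdc_proxy_message(SAMPLE_AS_REQ, "FEDORAPROJECT.ORG")
    print(wrapped.hex())
    print(decode_kdc_proxy_message(wrapped))
```

The decoder rejects a wrapper whose inner length prefix disagrees with the octet string, which is the check a proxy should make before forwarding anything to a KDC.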


Re: Packagers - Flag day 2016 Important changes

2017-01-07 Thread Dave Love
Kevin Fenzi  writes:

> If you are using the default kerberos cache (the linux kernel keyring),

For what it's worth, not on RHEL6, and some of the (unsatisfactory)
methods for dealing with Kerberos in batch systems currently rely on the
traditional ccache, whether or not they could copy credentials another
way.

> I think it may be possible to copy your tickets to another machine, but
> it's definitely not trivial (not like scp .fedora.cert). It might
> require root access also. I am not sure. Does anyone know how it uses
> the linux kernel keyring here?


Re: Packagers - Flag day 2016 Important changes - KDE wallet kinit

2017-01-02 Thread Igor Gnatenko
On Mon, Jan 2, 2017 at 11:27 PM, Orion Poplawski  wrote:
> On 12/11/2016 05:34 PM, Dennis Gilmore wrote:
>> * koji and the source lookaside were changed to use kerberos
>> authentication
>> instead of ssl certificates. All maintainers will need to:
>>
>> kinit your-fas-accountn...@fedoraaproject.org
>>
>> to get a valid kerberos TGT and be able to authenticate to koji and
>> the lookaside upload cgi.
>
> KDE users may find this useful - I've started using the newly packaged
> kwalletcli to do:
Cool, would be nice to add it to the wiki:
https://fedoraproject.org/wiki/Infrastructure/Kerberos
>
> $ cat ~/.kde/Autostart/kinit.desktop
> [Desktop Entry]
> Comment[en_US]=
> Comment=
> Exec=bash -c 'kwalletcli -f Passwords -e or...@fedoraproject.org | kinit
> or...@fedoraproject.org;kswitch -p m...@domain.com'
> GenericName[en_US]=Initialize Fedora Kerberos
> GenericName=Initialize Fedora Kerberos
> MimeType=
> Name[en_US]=kinit
> Name=kinit
> Path=
> StartupNotify=false
> Terminal=false
> TerminalOptions=
> Type=Application
> X-DBUS-ServiceName=
> X-DBUS-StartupType=
> X-KDE-SubstituteUID=false
> X-KDE-Username=
> name[en_US]=Kinit
>
> After storing the password in the wallet's "Passwords" directory under my
> principal name.
>
> I find that I have to also kswitch back to my local principal for NFS to work
> for me at work.
>
> --
> Orion Poplawski
> Technical Manager  720-772-5637
> NWRA, Boulder/CoRA Office FAX: 303-415-9702
> 3380 Mitchell Lane   or...@nwra.com
> Boulder, CO 80301   http://www.nwra.com



-- 
-Igor Gnatenko


Re: Packagers - Flag day 2016 Important changes - KDE wallet kinit

2017-01-02 Thread Orion Poplawski
On 12/11/2016 05:34 PM, Dennis Gilmore wrote:
> * koji and the source lookaside were changed to use kerberos
> authentication
> instead of ssl certificates. All maintainers will need to:
> 
> kinit your-fas-accountn...@fedoraaproject.org
> 
> to get a valid kerberos TGT and be able to authenticate to koji and 
> the lookaside upload cgi. 

KDE users may find this useful - I've started using the newly packaged
kwalletcli to do:

$ cat ~/.kde/Autostart/kinit.desktop
[Desktop Entry]
Comment[en_US]=
Comment=
Exec=bash -c 'kwalletcli -f Passwords -e or...@fedoraproject.org | kinit
or...@fedoraproject.org;kswitch -p m...@domain.com'
GenericName[en_US]=Initialize Fedora Kerberos
GenericName=Initialize Fedora Kerberos
MimeType=
Name[en_US]=kinit
Name=kinit
Path=
StartupNotify=false
Terminal=false
TerminalOptions=
Type=Application
X-DBUS-ServiceName=
X-DBUS-StartupType=
X-KDE-SubstituteUID=false
X-KDE-Username=
name[en_US]=Kinit

After storing the password in the wallet's "Passwords" directory under my
principal name.

I find that I have to also kswitch back to my local principal for NFS to work
for me at work.

-- 
Orion Poplawski
Technical Manager  720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com


Re: Packagers - Flag day 2016 Important changes

2016-12-29 Thread Kevin Fenzi
On Tue, 27 Dec 2016 19:13:39 -0600
Michael Catanzaro  wrote:

> Hi,
> 
> I tried again today, but still having problems. When I try from the
> command line:
> 
> $ kinit catanz...@fedoraproject.org
> Password for catanz...@fedoraproject.org: 
> kinit: Password incorrect while getting initial credentials
> 
> But I know my password is correct, because I just used it to log into
> Bodhi.
> 
> When trying with gnome-online-accounts, I get this error:
> 
> "Error connecting to enterprise identity server: Decrypt integrity
> check failed"

So, things to check: 

* Does your /etc/krb5.conf file have a
includedir /etc/krb5.conf.d/
at the top?

* Does your /etc/krb5.conf file have: 
 rdns = false

(it might be you have a /etc/krb5.conf.rpmnew if you modified the file)

If those things don't work, please open an infrastructure ticket or stop
by #fedora-admin and we can get it tracked down. 

kevin


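As an added example, not code from the thread, here is a small Python checker for the two krb5.conf items in the list above (the `includedir /etc/krb5.conf.d/` line at the top and `rdns = false` under `[libdefaults]`), plus the `.rpmnew` hint. The sample configurations `GOOD` and `BAD` are constructed; only the `KdcProxy` realm line is taken from the thread.

```python
"""Check a krb5.conf for the settings in the troubleshooting list (added example)."""
import os
import re


def check_krb5_conf(text: str) -> dict:
    """Return {'includedir_first': bool, 'rdns_false': bool} for a krb5.conf text."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(("#", ";"))]
    # The includedir directive must be the first real line of the file.
    includedir_first = bool(lines) and re.fullmatch(
        r"includedir\s+/etc/krb5\.conf\.d/?", lines[0]) is not None
    # Collect every rdns relation inside [libdefaults]; all must be false.
    section, rdns_values = None, []
    for ln in lines:
        m = re.fullmatch(r"\[(\w+)\]", ln)
        if m:
            section = m.group(1).lower()
            continue
        if section == "libdefaults":
            m = re.fullmatch(r"rdns\s*=\s*(\w+)", ln, re.IGNORECASE)
            if m:
                rdns_values.append(m.group(1).lower())
    rdns_false = bool(rdns_values) and all(v == "false" for v in rdns_values)
    return {"includedir_first": includedir_first, "rdns_false": rdns_false}


def report(path: str = "/etc/krb5.conf") -> dict:
    """Read the real file and add the .rpmnew hint from the list above."""
    with open(path) as fh:
        result = check_krb5_conf(fh.read())
    result["rpmnew_present"] = os.path.exists(path + ".rpmnew")
    return result


# Constructed sample that passes both checks.
GOOD = """\
includedir /etc/krb5.conf.d/

[libdefaults]
 dns_lookup_realm = false
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 FEDORAPROJECT.ORG = {
  kdc = https://id.fedoraproject.org/KdcProxy
 }
"""

# Constructed sample that fails both checks (an old hand-edited file).
BAD = """\
[libdefaults]
 rdns = true
 default_realm = EXAMPLE.ORG

[realms]
 EXAMPLE.ORG = {
  kdc = kdc.example.org
 }
"""

if __name__ == "__main__":
    print("GOOD:", check_krb5_conf(GOOD))
    print("BAD: ", check_krb5_conf(BAD))
```

Run `report()` on a machine to get the three answers at once; a `True` for `rpmnew_present` means the packaged default was not applied over a hand-edited file, which is the case the list above anticipates.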


Re: Packagers - Flag day 2016 Important changes

2016-12-28 Thread Mattia Verga

On 28/12/2016 02:13, Michael Catanzaro wrote:

> Hi,
>
> I tried again today, but still having problems. When I try from the
> command line:
>
> $ kinit catanz...@fedoraproject.org
> Password for catanz...@fedoraproject.org:
> kinit: Password incorrect while getting initial credentials
>
> But I know my password is correct, because I just used it to log into
> Bodhi.
>
> When trying with gnome-online-accounts, I get this error:
>
> "Error connecting to enterprise identity server: Decrypt integrity
> check failed"
>
> Michael

From
https://fedoraproject.org/wiki/Infrastructure/Kerberos?rd=Infrastructure_kerberos_authentication :


*Question*: When I run kinit I get: Client 'yourn...@fedoraproject.org' 
not found in Kerberos database while getting initial credentials


*Answer*: Login to fas ( https://admin.fedoraproject.org/accounts ) and 
then retry. Your information needs to be synced from fas to the ipa 
server. Logging into fas does so.


*Question*: I did that (logged into FAS) in the last answer, and it 
didn't help, I still get the same error message. What's going on?


*Answer*: For some small number of users there may be some issue with 
syncing information from fas->ipa. If this happens to you, please file 
an infrastructure ticket or talk with us on #fedora-admin and we can 
manually fix things.


Cheers,
Mattia


Re: Packagers - Flag day 2016 Important changes

2016-12-27 Thread Michael Catanzaro
On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote:
> koji and the source lookaside were changed to use kerberos
> authentication
> instead of ssl certificates. All maintainers will need to:
> 
> kinit your-fas-accountn...@fedoraaproject.org
> 
> to get a valid kerberos TGT and be able to authenticate to koji and 
> the lookaside upload cgi. 
> 
> See the general kerberos information at: 
> https://fedoraproject.org/wiki/Infrastructure_kerberos_authentication
> for more details.

Hi,

I tried again today, but still having problems. When I try from the
command line:

$ kinit catanz...@fedoraproject.org
Password for catanz...@fedoraproject.org: 
kinit: Password incorrect while getting initial credentials

But I know my password is correct, because I just used it to log into
Bodhi.

When trying with gnome-online-accounts, I get this error:

"Error connecting to enterprise identity server: Decrypt integrity
check failed"

Michael


Re: Packagers - Flag day 2016 Important changes

2016-12-15 Thread Adam Williamson
On December 15, 2016 8:06:00 PM PST, Steve Grubb  wrote:
>On Sunday, December 11, 2016 6:34:38 PM EST Dennis Gilmore wrote:
>> Greetings. 
>> 
>> As previously announced, releng has made a number of changes as part
>of
>> its 2016 "flag day". 
>> 
>> All package maintainers will want to make sure they have updated to
>> the following package versions (some may be in testing as of this
>email):
>> 
>>  python-cccolutils-1.4-1
>>  fedpkg-1.26-2
>>  fedora-packager-0.6.0.0-1
>>  pyrpkg-1.47-3
>>  koji-1.11.0-1
>> 
>> Please also see the following links for up to date information: 
>> 
>> https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016
>
>I have been trying to build a package for a couple hours to no avail.
>There 
>are a whole bunch of emails saying how it doesn't work for various 
>configurations. Could this page please be updated with what the final
>recipe is? 
>I need to build packages and do other things instead of debug this. The
>
>packages are not even in stable yet and we block building?
>
>-Steve

Well, no, plenty of people have built plenty of packages since yesterday, as is 
obvious from koji if you just look at it. If you give more details I'm sure 
people can help, but it's clearly not true that anyone is "blocking building".
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin DOT net
http://www.happyassassin.net


Re: Packagers - Flag day 2016 Important changes

2016-12-15 Thread Steve Grubb
On Sunday, December 11, 2016 6:34:38 PM EST Dennis Gilmore wrote:
> Greetings. 
> 
> As previously announced, releng has made a number of changes as part of
> its 2016 "flag day". 
> 
> All package maintainers will want to make sure they have updated to
> the following package versions (some may be in testing as of this email):
> 
>  python-cccolutils-1.4-1
>  fedpkg-1.26-2
>  fedora-packager-0.6.0.0-1
>  pyrpkg-1.47-3
>  koji-1.11.0-1
> 
> Please also see the following links for up to date information: 
> 
> https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016

I have been trying to build a package for a couple hours to no avail. There 
are a whole bunch of emails saying how it doesn't work for various 
configurations. Could this page please be updated with what the final recipe 
is? 
I need to build packages and do other things instead of debug this. The 
packages are not even in stable yet and we block building?

-Steve


Re: Packagers - Flag day 2016 Important changes

2016-12-15 Thread David Woodhouse
On Wed, 2016-12-14 at 09:43 -0700, Kevin Fenzi wrote:
> 
> I think we got this sorted out on IRC. 

Indeed we did. It required newer versions of the packages that had been
listed, which presumably will be in stable updates some time soon.

> David: if you still see a problem, please let us know. 

Thanks.

-- 
dwmw2



Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread gil

On 12/12/2016 05:20, Chenxiong Qi wrote:

Hi,
I get:
aesh]$ fedpkg build
/usr/lib/python2.7/site-packages/pyrpkg/__init__.py:314:
DeprecationWarning: BaseException.message has been deprecated as of
Python 2.6
  for (_, _, ssl_reason) in error.message:
You might want to run fedora-packager-setup to regenerate SSL
certificate. For more info see
https://fedoraproject.org/wiki/Using_the_Koji_build_system#Fedora_Account_System_.28FAS2.29_Setup

Could not execute build: Could not auth with koji. Login failed: [('SSL
routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

my "certs" are just refreshed



[gil@localhost ~]$ klist -e
klist: Credentials cache keyring 'persistent:1000:1000' not found
[gil@localhost ~]$ KRB5_TRACE=/dev/stderr koji hello
Kerberos authentication failed: No credentials cache found (-1765328189)
[gil@localhost ~]$ KRB5_TRACE=/dev/stdout kinit g...@fedoraproject.org
[1834] 1481778683.923486: Getting initial credentials for 
g...@fedoraproject.org

[1834] 1481778683.936011: Sending request (194 bytes) to FEDORAPROJECT.ORG
[1834] 1481778683.955383: Resolving hostname id.fedoraproject.org
[1834] 1481778685.25: TLS certificate name matched 
"id.fedoraproject.org"

[1834] 1481778685.605098: Sending HTTPS request to https 174.141.234.172:443
[1834] 1481778686.224735: Received answer (270 bytes) from https 
174.141.234.172:443
[1834] 1481778686.224762: Terminating TCP connection to https 
174.141.234.172:443
[1834] 1481778686.226636: Terminating TCP connection to https 
152.19.134.142:443

[1834] 1481778686.230413: Response was not from master KDC
[1834] 1481778686.230479: Received error from KDC: 
-1765328359/Additional pre-authentication required

[1834] 1481778686.230522: Processing preauth types: 136, 19, 2, 133
[1834] 1481778686.230535: Selected etype info: etype aes256-cts, salt 
"<\dUU>-'9OMNb")7", params ""

[1834] 1481778686.230543: Received cookie: MIT
Password for g...@fedoraproject.org:
[1834] 1481778715.693981: AS key obtained for encrypted timestamp: 
aes256-cts/9D63
[1834] 1481778715.694042: Encrypted timestamp (for 1481778715.382358): 
plain 301AA011180F32303136313231353035313135355AA105020305D596, 
encrypted 
1D20CD245821CEDD6BD6478C87D87842C27BAB03D6DF2AB3C7E99299117D3BAFCD73D69E120E0398AC464731231A36C8471C46B3457660E5
[1834] 1481778715.694068: Preauth module encrypted_timestamp (2) (real) 
returned: 0/Success

[1834] 1481778715.694075: Produced preauth for next request: 133, 2
[1834] 1481778715.694164: Sending request (289 bytes) to FEDORAPROJECT.ORG
[1834] 1481778715.694206: Resolving hostname id.fedoraproject.org
[1834] 1481778716.747833: TLS certificate name matched 
"id.fedoraproject.org"

[1834] 1481778717.98100: Sending HTTPS request to https 174.141.234.172:443
[1834] 1481778717.732801: Received answer (800 bytes) from https 
174.141.234.172:443
[1834] 1481778717.732829: Terminating TCP connection to https 
174.141.234.172:443
[1834] 1481778717.734651: Terminating TCP connection to https 
152.19.134.142:443

[1834] 1481778717.736486: Response was not from master KDC
[1834] 1481778717.736653: Processing preauth types: 19
[1834] 1481778717.736671: Selected etype info: etype aes256-cts, salt 
"<\dUU>-'9OMNb")7", params ""

[1834] 1481778717.736678: Produced preauth for next request: (empty)
[1834] 1481778717.736692: AS key determined by preauth: aes256-cts/9D63
[1834] 1481778717.738675: Decrypted AS reply; session key is: 
aes256-cts/AE3F

[1834] 1481778717.738714: FAST negotiation: available
[1834] 1481778717.738745: Initializing KEYRING:persistent:1000:1000 with 
default princ g...@fedoraproject.org
[1834] 1481778717.738805: Storing g...@fedoraproject.org -> 
krbtgt/fedoraproject@fedoraproject.org in KEYRING:persistent:1000:1000
[1834] 1481778717.739138: Storing config in KEYRING:persistent:1000:1000 
for krbtgt/fedoraproject@fedoraproject.org: fast_avail: yes
[1834] 1481778717.739167: Storing g...@fedoraproject.org -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/FEDORAPROJECT.ORG\@FEDORAPROJECT.ORG@X-CACHECONF: 
in KEYRING:persistent:1000:1000
[1834] 1481778717.739240: Storing config in KEYRING:persistent:1000:1000 
for krbtgt/fedoraproject@fedoraproject.org: pa_type: 2
[1834] 1481778717.739260: Storing g...@fedoraproject.org -> 
krb5_ccache_conf_data/pa_type/krbtgt\/FEDORAPROJECT.ORG\@FEDORAPROJECT.ORG@X-CACHECONF: 
in KEYRING:persistent:1000:1000

[gil@localhost ~]$ KRB5_TRACE=/dev/stderr koji hello
[1836] 1481778754.88097: Getting credentials g...@fedoraproject.org -> 
host/koji.fedoraproject@fedoraproject.org using ccache 
KEYRING:persistent:1000:1000
[1836] 1481778754.88234: Retrieving g...@fedoraproject.org -> 
host/koji.fedoraproject@fedoraproject.org from 
KEYRING:persistent:1000:1000 with result: -1765328243/Matching 
credential not found
[1836] 1481778754.88292: Retrieving g...@fedoraproject.org -> 
krbtgt/fedoraproject@fedoraproject.org from 
KEYRING:persistent:1000:1000 with result: 0/Success
[1836] 

Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Stephen Gallagher
On 12/14/2016 11:40 AM, Kevin Fenzi wrote:
> On Wed, 14 Dec 2016 09:21:37 -0500
> Stephen Gallagher  wrote:
> 
>> On 12/14/2016 09:19 AM, Dave Love wrote:
>>> Kevin Fenzi  writes:
>>>   
>>>> On Tue, 13 Dec 2016 14:36:06 +
>>>> Dave Love  wrote:
>>>>  
>>>>> Simo Sorce  writes:
>>>>>  
>>>>>> If you really need to automate it because typing a password is
>>>>>> too hard: cat ~/.mykrbpassword | kinit myusername
>>>>>
>>>>> It needs to be automated principally because the password is not
>>>>> memorable.  I assume infrastructure people would rather we don't
>>>>> use the least secure credentials we can.  
>>>>
>>>> I can't speak for others, but the thought of putting your fas
>>>> password in plain text in some start up file makes me cry.  
>>>
>>> Yes, but if people can read it and it only has owner access they
>>> could have stolen the certificate, possibly can steal your ccache,
> 
> Well, the old koji cert was only good to auth against koji or lookaside
> upload. Your FAS password could be used to login to your FAS account,
> change the ssh key (although this sends email) and push changes to git. 
> 
> If you are using the default kerberos cache (the linux kernel keyring),
> I think it may be possible to copy your tickets to another machine, but
> it's definitely not trivial (not like scp .fedora.cert). It might
> require root access also. I am not sure. Does anyone know how it uses
> the linux kernel keyring here?
> 

It basically just writes to the user's personal keyring which is readable by any
process owned by that user. It maintains its own internal representation of the
key material, so you probably cannot just directly copy it in any way. I think
you can probably write a tool using libkrb5 that would extract it into a
file-based ccache if you really wanted to, but honestly it would be *far* easier
to just switch to a FILE: or DIR: cache if that's something you wanted to be
able to do.


>>> and bets are off.  A keytab isn't plain text, but isn't encrypted;
>>> it's used as "kinit -t " with Heimdal and something similar
>>> with MIT. However, I now can't remember whether you need kadmin
>>> access to populate it, and don't know if that's available.
>>>   
>>
>> You do not; you can manipulate a keytab in your local user space with
>> `ktutil`
> 
> Yep. But note that a keytab can easily be copied away to other
> machines. Which might be an advantage or a disadvantage depending on
> what you are trying to do. 
> 

Right; a keytab is really just a specialized format for keeping plaintext
passwords in a file (though it's storing the real key, not the password that
hashes to that key).



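To make concrete the point above that a keytab stores the real long-term key in the clear, here is an added example, not code from the thread or from any of its participants, that builds a small MIT-format keytab in memory and parses it back, including the negative-length slot that a removed entry leaves behind in the file. Principal names, key bytes and timestamps are constructed.

```python
"""Build and parse an MIT-format keytab in memory (added example)."""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format version 2
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length followed by the bytes (a counted octet string)."""
    return struct.pack(">H", len(data)) + data


def build_keytab_entry(principal: str, key: bytes, enctype: int,
                       kvno: int, timestamp: int, name_type: int = 1) -> bytes:
    """One entry: components, realm, name type, timestamp, 8-bit vno, keyblock, 32-bit vno."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key   # the raw key, unencrypted
    body += struct.pack(">I", kvno)                        # full 32-bit kvno extension
    return struct.pack(">i", len(body)) + body             # entries are length-prefixed


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(build_keytab_entry(*e) for e in entries)


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(blob: bytes) -> list:
    """Return one dict per live entry; a negative size marks a deleted slot."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                  # deleted slot: skip the hole, keep scanning
            pos += -size
            continue
        if size == 0:
            break
        entry, pos = blob[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        p = 2
        realm, p = _read_counted(entry, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(entry, p)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack(">IIB", entry[p:p + 9])
        p += 9
        enctype, klen = struct.unpack(">HH", entry[p:p + 4])
        p += 4
        key, p = entry[p:p + klen], p + klen
        kvno = vno8
        if p + 4 <= len(entry):       # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack(">I", entry[p:p + 4])
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "key": key})
    return entries


# Constructed sample: a user principal and a service principal with fake keys.
SAMPLE_ENTRIES = [
    ("packager@EXAMPLE.ORG", bytes(range(32)), 18, 3, 1481778717),
    ("host/build.example.org@EXAMPLE.ORG", bytes(range(16)), 17, 300, 1481778717),
]
SAMPLE_KEYTAB = (KEYTAB_MAGIC
                 + struct.pack(">i", -8) + bytes(8)   # a deleted slot left by a removed entry
                 + build_keytab(SAMPLE_ENTRIES)[2:])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], e["enctype"], "kvno", e["kvno"], "key", e["key"].hex())
```

Everything the parser prints was read straight from the bytes with no password and no decryption, which is why a keytab needs the same file permissions and handling as the password it replaces, and why the note above that it "can easily be copied away to other machines" is the important one.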


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Adam Williamson
On Wed, 2016-12-14 at 09:48 -0800, Adam Williamson wrote:
> On Tue, 2016-12-13 at 12:19 +0200, Alexander Bokovoy wrote:
> > However, default Fedora 25 configuration[1] does not set the default ccache
> > name to a collection, only FreeIPA client installer does this.
> 
> Could we change that?

Never mind - should have read one message further in the thread...
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Adam Williamson
On Tue, 2016-12-13 at 18:52 +, Tom Hughes wrote:
> On 13/12/16 18:19, Simo Sorce wrote:
> > On Tue, 2016-12-13 at 14:36 +, Dave Love wrote:
> > > Simo Sorce  writes:
> > > 
> > > > If you really need to automate it because typing a password is too hard:
> > > > cat ~/.mykrbpassword | kinit myusername
> > > 
> > > It needs to be automated principally because the password is not
> > > memorable.  I assume infrastructure people would rather we don't use the
> > > least secure credentials we can.
> > 
> > It is the same password you had to use every day to access services like
> > bodhi, pkgdb, fas, etc...
> 
> Yes, the 16 character random one that is known to my browser's password 
> manager but not to me unless I look it up. So yes I do "use" it all the 
> time but only in as much as I hit the login button on my browser's 
> toolbar and it sends it to the web site.

Why not use a decent login manager, that makes it easy to look up
passwords, rather than the (usually fairly bad) ones built into web
browsers?

I use lastpass, but if I was starting over I'd probably use pass:

https://www.passwordstore.org/

there are other options too. I don't find it at all difficult to go to
the (pinned) LastPass tab in my browser, type 'fedora' in the search
box to find my FAS password, and right-click / 'copy password' to copy
it to the clipboard.

For your case (working from a remote console), pass looks especially
suitable.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Adam Williamson
On Tue, 2016-12-13 at 12:19 +0200, Alexander Bokovoy wrote:
> However, default Fedora 25 configuration[1] does not set the default ccache
> name to a collection, only FreeIPA client installer does this.

Could we change that?
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Adam Williamson
On Tue, 2016-12-13 at 13:23 +0100, Dan Horák wrote:
> > krb5-auth-dialog directly uses krb5 API, not GSSAPI, so your only
> > choice with it is to use 'kswitch' utility to explicitly switch
> > credential cache prior to use of the krb5-auth-dialog.
> 
> thanks for the explanation

This looks a lot like something gnome-online-accounts should just do,
though. If you open up GOA you can see it already knows whether or not
a Kerberos account needs re-auth; surely it wouldn't be hard to just
have it optionally pop up a notification when the TGT expires and let
you click it to re-auth?
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Kevin Fenzi
On Tue, 13 Dec 2016 21:40:20 +
David Woodhouse  wrote:

> On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote:
> > All package maintainers will want to make sure they have updated to
> > the 
> > following package versions (some may be in testing as of this
> > email):
> > 
> >  python-cccolutils-1.4-1
> >  fedpkg-1.26-2
> >  fedora-packager-0.6.0.0-1
> >  pyrpkg-1.47-3
> >  koji-1.11.0-1  
> 
> [dwoodhou@i7 master]$ rpm -q python3-cccolutils fedpkg fedora-packager pyrpkg koji
> python3-cccolutils-1.4-1.fc25.x86_64
> fedpkg-1.26-2.fc26.noarch
> fedora-packager-0.6.0.0-1.fc25.noarch
> pyrpkg-1.47-3.fc26.noarch
> koji-1.11.0-1.fc25.noarch
> [dwoodhou@i7 master]$ fedpkg -vd build
...snip...

I think we got this sorted out on IRC. 

David: if you still see a problem, please let us know. 

kevin






Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Kevin Fenzi
On Wed, 14 Dec 2016 14:25:07 +
Dave Love  wrote:

> Simo Sorce  writes:
> 
> > But I am not sure why you would need to forward your user
> > credentials to servers normally. Did you copy your certs everywhere
> > before ? I would think the normal case is that people have 1
> > development machine where they handle packaging.  
> 
> Some people use "Enterprise Linux" (ugh) server systems in
> "enterprises" which have Kerberized services -- like networked home
> filestores, where the old certificate is.  (I did copy the
> credentials with Firefox sync.) OK, Red Hat people think we shouldn't
> work that way, and apparently now can't, but that's why.

"Red Hat people" ? 

> For what it's worth, I'm typing at a 2GB core2 Ubuntu box and do
> development on an RHEL HPC node which is probably an order of
> magnitude better all round (even without running an arbitrary number
> of build processes, though the compute nodes aren't actual RHEL).
> Doubtless I'm not most people, but I guess I'm somewhat
> representative in this supposedly important area that it seems I
> shouldn't be trying to support for Red Hat.

In this case you should simply be able to kinit on the RHEL node you
wish to push changes/builds from?

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Kevin Fenzi
On Wed, 14 Dec 2016 13:21:50 +0200
Alexander Bokovoy  wrote:

> I cannot tell of how Fedora Infrastructure would use features
> available in FreeIPA, but at least on FreeIPA level we have support
> for multi-factor authentication on Kerberos level.
> 
> The use of it is a bit less convenient right now for secondary cases
> where you are not utilizing your Kerberos infrastructure for a system
> logon directly but we are working on improvements to Kerberos initial
> ticket exchange that will make it easier. Right now you have to have
> an initial ticket created with some other means to provide a secure
> channel between the client and the KDC to exchange second factor
> information. This *other* initial ticket is typically your machine's
> account in case of enrolled computers (like "normal" FreeIPA client)
> or an anonymous PKINIT-based authenticated principal. With SPAKE
> exchange this will be replaced by a more secure exchange that
> requires no additional communication/channels.
> 
> It is far away yet, may be Fedora 26/27 time frame, but this gives us
> also time to improve other tooling around the user experience -- GNOME
> Online accounts and the rest of tools not directly involved into a
> system level logon flow.

We definitely plan to enable/use 2fa with Kerberos down the road. 

kevin






Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Kevin Fenzi
On Wed, 14 Dec 2016 09:21:37 -0500
Stephen Gallagher  wrote:

> On 12/14/2016 09:19 AM, Dave Love wrote:
> > Kevin Fenzi  writes:
> >   
> >> On Tue, 13 Dec 2016 14:36:06 +
> >> Dave Love  wrote:
> >>  
> >>> Simo Sorce  writes:
> >>>  
> >>>>> If you really need to automate it because typing a password is
> >>>>> too hard: cat ~/.mykrbpassword | kinit myusername
> >>>
> >>> It needs to be automated principally because the password is not
> >>> memorable.  I assume infrastructure people would rather we don't
> >>> use the least secure credentials we can.  
> >>
> >> I can't speak for others, but the thought of putting your fas
> >> password in plain text in some start up file makes me cry.  
> > 
> > Yes, but if people can read it and it only has owner access they
> > could have stolen the certificate, possibly can steal your ccache,

Well, the old koji cert was only good to auth against koji or lookaside
upload. Your FAS password could be used to login to your FAS account,
change the ssh key (although this sends email) and push changes to git. 

If you are using the default kerberos cache (the linux kernel keyring),
I think it may be possible to copy your tickets to another machine, but
it's definitely not trivial (not like scp .fedora.cert). It might
require root access also. I am not sure. Does anyone know how it uses
the linux kernel keyring here?

> > and bets are off.  A keytab isn't plain text, but isn't encrypted;
> > it's used as "kinit -t " with Heimdal and something similar
> > with MIT. However, I now can't remember whether you need kadmin
> > access to populate it, and don't know if that's available.
> >   
> 
> You do not; you can manipulate a keytab in your local user space with
> `ktutil`

Yep. But note that a keytab can easily be copied away to other
machines. Which might be an advantage or a disadvantage depending on
what you are trying to do. 

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Pavel Valena

- Original Message -
> From: "Randy Barlow" <bowlofe...@fedoraproject.org>
> To: devel@lists.fedoraproject.org
> Sent: Wednesday, December 14, 2016 5:45:29 AM
> Subject: Re: Packagers - Flag day 2016 Important changes
> 
> On Mon, 2016-12-12 at 14:33 -0700, Kevin Fenzi wrote:
> > First, I'll note you don't need to get a new ticket every day, you
> > can
> > just renew with 'kinit -R'. I am not sure what env kinit needs, but
> > you
> > may even be able to do this from a cron job. That will work for 1
> > week.
> 
> You can even use systemd timers to do it! You can make these files:
> 
> [rbarlow@ohm ~]$ cat ~/.config/systemd/user/kinit-R.service
> [Unit]
> Description=Renew Kerberos ticket
> 
> [Service]
> ExecStart=/usr/bin/kinit -R
> Type=oneshot
> 
> [Install]
> WantedBy=default.target
> [rbarlow@ohm ~]$ cat ~/.config/systemd/user/kinit-R.timer
> [Unit]
> Description=Renew Kerberos ticket every four hours
> 
> [Timer]
> OnBootSec=15min
> OnUnitActiveSec=4h
> 
> [Install]
> WantedBy=timers.target
> 
> Then you need to enable the timer:
> 
> $ systemctl --user enable kinit-R.timer
> 
> Hope that helps!

Alternatively you can use the `krenew`[1] command, which can do periodic renewal 
(if needed) and can run in the background (`krenew -i -K 60 -L -b` WFM).

It's packaged in the `kstart` package.

[1] https://linux.die.net/man/1/krenew

Pavel Valena
Associate Software Engineer
Brno, Czech Republic



Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Vít Ondruch


On 13.12.2016 at 22:40, David Woodhouse wrote:
> On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote:
>> All package maintainers will want to make sure they have updated to
>> the 
>> following package versions (some may be in testing as of this email):
>>
>>  python-cccolutils-1.4-1
>>  fedpkg-1.26-2
>>  fedora-packager-0.6.0.0-1
>>  pyrpkg-1.47-3
>>  koji-1.11.0-1
> [dwoodhou@i7 master]$ rpm -q python3-cccolutils fedpkg fedora-packager pyrpkg 
> koji

s/python3-cccolutils/python2-cccolutils/

?


Vít 


> python3-cccolutils-1.4-1.fc25.x86_64
> fedpkg-1.26-2.fc26.noarch
> fedora-packager-0.6.0.0-1.fc25.noarch
> pyrpkg-1.47-3.fc26.noarch
> koji-1.11.0-1.fc25.noarch
> [dwoodhou@i7 master]$ fedpkg -vd build
> Creating repo object from /home/dwmw2/fedora/openconnect/master
> Your git configuration does not use a namespace.
> Consider updating your git configuration by running:
> Could not read Fedora cert, falling back to default method: !!!cannot 
> read your ~/.fedora.cert file   !!!
> !!! Ensure the file is readable and try again !!!
>   git remote set-url origin 
> ssh://dwood...@pkgs.fedoraproject.org/rpms/openconnect
> Initiating a koji session to https://koji.fedoraproject.org/kojihub
> Could not execute build: (-1765328370, 'KDC has no support for encryption 
> type')
> Traceback (most recent call last):
>   File "/usr/bin/fedpkg", line 16, in 
> main()
>   File "/usr/lib/python2.7/site-packages/fedpkg/__main__.py", line 77, in main
> sys.exit(client.args.command())
>   File "/usr/lib/python2.7/site-packages/pyrpkg/cli.py", line 988, in build
> sets, nvr_check)
>   File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 1877, in 
> build
> build_target = self.kojisession.getBuildTarget(self.target)
>   File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 216, in 
> kojisession
> self.load_kojisession()
>   File "/usr/lib/python2.7/site-packages/fedpkg/__init__.py", line 314, in 
> load_kojisession
> return super(Commands, self).load_kojisession(anon)
>   File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 378, in 
> load_kojisession
> self.login_koji_session(koji_config, self._kojisession)
>   File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 345, in 
> login_koji_session
> session.krb_login(proxyuser=self.runas)
>   File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2087, in 
> krb_login
> options=krbV.AP_OPTS_MUTUAL_REQUIRED)
> krbV.Krb5Error: (-1765328370, 'KDC has no support for encryption type')
> [dwoodhou@i7 master]$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: dw...@fedoraproject.org
>
> Valid starting     Expires            Service principal
> 13/12/16 12:40:44  14/12/16 12:40:41  
> krbtgt/fedoraproject@fedoraproject.org
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
> 13/12/16 13:09:10  14/12/16 12:40:41  HTTP/proxy10.fedoraproject.org@
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
> 13/12/16 13:09:10  14/12/16 12:40:41  
> HTTP/proxy10.fedoraproject@fedoraproject.org
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
> 13/12/16 16:47:51  14/12/16 12:40:41  HTTP/proxy01.fedoraproject.org@
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
> 13/12/16 16:47:51  14/12/16 12:40:41  
> HTTP/proxy01.fedoraproject@fedoraproject.org
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
> 13/12/16 16:47:52  14/12/16 12:40:41  
> host/koji.fedoraproject@fedoraproject.org
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
>
>
>


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Dave Love
Simo Sorce  writes:

> The krb5.conf is interchangeable if you use a subset of directives
> common to both, this directive is not common to both, therefore it is
> incompatible with Heimdal.

Obviously; sorry I pointed it out.

> Samba has been ported to MIT Kerberos for Fedora uses, and the ability
> to support more advanced ccaches was one of the reasons.
>
>> I did actually ask about Heimdal initially.
>
> Sorry but we do not use Heimdal in the distro so I do not see why that
> would be a concern.
>
> Simo.

"We" may not use it "in the [RHEL?] distro", but that applies to all
this development stuff from the Fedora repos.  Maybe we should expurgate
Heimdal after 20+ (?) years, even if there's local policy, but then RHEL
krb5 fails in this context anyhow.


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Dave Love
Simo Sorce  writes:

> But I am not sure why you would need to forward your user credentials to
> servers normally. Did you copy your certs everywhere before ? I would
> think the normal case is that people have 1 development machine where
> they handle packaging.

Some people use "Enterprise Linux" (ugh) server systems in "enterprises"
which have Kerberized services -- like networked home filestores, where
the old certificate is.  (I did copy the credentials with Firefox sync.)
OK, Red Hat people think we shouldn't work that way, and apparently now
can't, but that's why.

For what it's worth, I'm typing at a 2GB core2 Ubuntu box and do
development on an RHEL HPC node which is probably an order of magnitude
better all round (even without running an arbitrary number of build
processes, though the compute nodes aren't actual RHEL).  Doubtless I'm
not most people, but I guess I'm somewhat representative in this
supposedly important area that it seems I shouldn't be trying to support
for Red Hat.


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Stephen Gallagher
On 12/14/2016 09:19 AM, Dave Love wrote:
> Kevin Fenzi  writes:
> 
>> On Tue, 13 Dec 2016 14:36:06 +
>> Dave Love  wrote:
>>
>>> Simo Sorce  writes:
>>>
>>>> If you really need to automate it because typing a password is too
>>>> hard: cat ~/.mykrbpassword | kinit myusername  
>>>
>>> It needs to be automated principally because the password is not
>>> memorable.  I assume infrastructure people would rather we don't use
>>> the least secure credentials we can.
>>
>> I can't speak for others, but the thought of putting your fas password
>> in plain text in some start up file makes me cry.
> 
> Yes, but if people can read it and it only has owner access they could
> have stolen the certificate, possibly can steal your ccache, and bets
> are off.  A keytab isn't plain text, but isn't encrypted; it's used as
> "kinit -t " with Heimdal and something similar with MIT.
> However, I now can't remember whether you need kadmin access to populate
> it, and don't know if that's available.
> 

You do not; you can manipulate a keytab in your local user space with `ktutil`






Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Dave Love
Kevin Fenzi  writes:

> On Tue, 13 Dec 2016 14:36:06 +
> Dave Love  wrote:
>
>> Simo Sorce  writes:
>> 
>> > If you really need to automate it because typing a password is too
>> > hard: cat ~/.mykrbpassword | kinit myusername  
>> 
>> It needs to be automated principally because the password is not
>> memorable.  I assume infrastructure people would rather we don't use
>> the least secure credentials we can.
>
> I can't speak for others, but the thought of putting your fas password
> in plain text in some start up file makes me cry.

Yes, but if people can read it and it only has owner access they could
have stolen the certificate, possibly can steal your ccache, and bets
are off.  A keytab isn't plain text, but isn't encrypted; it's used as
"kinit -t " with Heimdal and something similar with MIT.
However, I now can't remember whether you need kadmin access to populate
it, and don't know if that's available.

> I cannot of course
> tell anyone what to do, but I can beg you not to do this. 


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Alexander Bokovoy

On Wed, 14 Dec 2016, Petr Mensik wrote:

> That sounds like a way to use (sort of) certificates again. With the updated
> realmd package I can now save my Fedora account password into the GNOME
> keyring. But...
>
> I thought about it yesterday, but did not dare to ask. Aren't passwords a
> less strong kind of authentication than keys? We have SSH keys; we had
> generated certificates until now. Now only passwords backed by Kerberos.
> Sure, Kerberos is not a simple password system sending plaintext over the
> network. Anyway, is there a planned way to obtain the main Kerberos ticket
> for fedoraproject.org by something stronger than a password?

I cannot tell how Fedora Infrastructure would use features available
in FreeIPA, but at least at the FreeIPA level we have support for
multi-factor authentication at the Kerberos level.

Using it is a bit less convenient right now for secondary cases
where you are not utilizing your Kerberos infrastructure for a system
logon directly, but we are working on improvements to the Kerberos initial
ticket exchange that will make it easier. Right now you have to have an
initial ticket created by some other means to provide a secure channel
between the client and the KDC to exchange second-factor information.
This *other* initial ticket is typically your machine's account in the case
of enrolled computers (like a "normal" FreeIPA client) or an anonymous
PKINIT-based authenticated principal. With the SPAKE exchange this will be
replaced by a more secure exchange that requires no additional
communication/channels.

It is still far away, maybe in the Fedora 26/27 time frame, but this also
gives us time to improve other tooling around the user experience -- GNOME
Online Accounts and the rest of the tools not directly involved in a
system-level logon flow.

--
/ Alexander Bokovoy


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Petr Mensik
That sounds like a way to use (sort of) certificates again. With the updated realmd 
package I can now save my Fedora account password into the GNOME keyring. But...

I thought about it yesterday, but did not dare to ask. Aren't passwords a less 
strong kind of authentication than keys? We have SSH keys; we had generated 
certificates until now. Now only passwords backed by Kerberos. Sure, Kerberos 
is not a simple password system sending plaintext over the network. Anyway, is there 
a planned way to obtain the main Kerberos ticket for fedoraproject.org by something 
stronger than a password?

--
Petr Menšík

- Original Message -
From: "Petr Spacek" <pspa...@redhat.com>
To: devel@lists.fedoraproject.org
Sent: Wednesday, December 14, 2016 8:34:17 AM
Subject: Re: Packagers - Flag day 2016 Important changes

On 13.12.2016 22:57, Tom Hughes wrote:
> On 13/12/16 21:32, Simo Sorce wrote:
>> On Tue, 2016-12-13 at 18:52 +, Tom Hughes wrote:
>>
>>> The main goal of long random passwords after all is about a combination
>>> of making them hard to brute force and ensuring that every service has a
>>> unique password to guard against credential reuse attacks when one of
>>> the many services everybody has logins for experiences the inevitable
>>> loss of their poorly secured database.
>>>
>>> I always find it somewhat depressing that the more sophisticated a login
>>> system becomes the worse my security on it seems to get because I wind
>>> up having to use weaker passwords. Banks are the classic example because
>>> they rarely have a straightforward password even as one part of their
>>> authentication but anything that means I have to remember a password
>>> hits the same problem.
>>
>> Don't remember it if it bothers you, why do you use a double standard if
>> the password is not sent via browser but through a CLI ?
> 
> It's an interesting question, and the first thing I'd say is that there are
> actually very few passwords that I enter at a CLI at all. Once I've unlocked
> gnome keyring by logging into my laptop or desktop it's mostly only when I
> want to sudo as other things tend to be by ssh public key auth from my 
> keyring.
> 
> I think the threat model is very different as well, at least for me, as the
> environments where I am entering a password for sudo for example are all ones
> which I control and where I know how the password database is stored while for
> web based logins I operate on the basis that I have no idea whether any given
> site has the sense to hash its passwords or to adequately protect its user
> database.
> 
> Obviously I'm sure the FAS database is properly protected but the ways of
> working I have developed are based around not assuming that for web logins
> hence why I switched to random passwords and a password manager many years 
> ago.
> 
> Anyway, it looks like GOA with the realmd fix likely does what I want,
> which is good news.

Theoretically, if you really really want a random password and never type it,
you can retrieve a keytab for your account. The keytab file can contain e.g. a
random 256-bit AES key, so you will be as safe as you can be, assuming no attacker
can gain access to that file (which you assume already).

In the Kerberized world this is usually done for machine/service accounts but
technically nothing prevents you from using the same method for your own 
account.

See the man page for the command ipa-getkeytab from the package freeipa-client
(or use the command kpasswd).

-- 
Petr Spacek  @  Red Hat


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Alexander Bokovoy

On Wed, 14 Dec 2016, Petr Spacek wrote:

> On 13.12.2016 22:57, Tom Hughes wrote:
>> On 13/12/16 21:32, Simo Sorce wrote:
>>> On Tue, 2016-12-13 at 18:52 +, Tom Hughes wrote:
>>>
>>>> The main goal of long random passwords after all is about a combination
>>>> of making them hard to brute force and ensuring that every service has a
>>>> unique password to guard against credential reuse attacks when one of
>>>> the many services everybody has logins for experiences the inevitable
>>>> loss of their poorly secured database.
>>>>
>>>> I always find it somewhat depressing that the more sophisticated a login
>>>> system becomes the worse my security on it seems to get because I wind
>>>> up having to use weaker passwords. Banks are the classic example because
>>>> they rarely have a straightforward password even as one part of their
>>>> authentication but anything that means I have to remember a password
>>>> hits the same problem.
>>>
>>> Don't remember it if it bothers you, why do you use a double standard if
>>> the password is not sent via browser but through a CLI ?
>>
>> It's an interesting question, and the first thing I'd say is that there are
>> actually very few passwords that I enter at a CLI at all. Once I've unlocked
>> gnome keyring by logging into my laptop or desktop it's mostly only when I
>> want to sudo as other things tend to be by ssh public key auth from my keyring.
>>
>> I think the threat model is very different as well, at least for me, as the
>> environments where I am entering a password for sudo for example are all ones
>> which I control and where I know how the password database is stored while for
>> web based logins I operate on the basis that I have no idea whether any given
>> site has the sense to hash its passwords or to adequately protect its user
>> database.
>>
>> Obviously I'm sure the FAS database is properly protected but the ways of
>> working I have developed are based around not assuming that for web logins
>> hence why I switched to random passwords and a password manager many years ago.
>>
>> Anyway, it looks like GOA with the realmd fix likely does what I want,
>> which is good news.
>
> Theoretically, if you really really want a random password and never type it,
> you can retrieve a keytab for your account. The keytab file can contain e.g. a
> random 256-bit AES key, so you will be as safe as you can be, assuming no attacker
> can gain access to that file (which you assume already).
>
> In the Kerberized world this is usually done for machine/service accounts but
> technically nothing prevents you from using the same method for your own
> account.
>
> See the man page for the command ipa-getkeytab from the package freeipa-client
> (or use the command kpasswd).

We don't have access to FreeIPA LDAP or kpasswd interface in Fedora
Infrastructure. These aren't exposed publicly.

--
/ Alexander Bokovoy


Re: Packagers - Flag day 2016 Important changes

2016-12-14 Thread Alexander Bokovoy

On Tue, 13 Dec 2016, David Woodhouse wrote:

> On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote:
>> All package maintainers will want to make sure they have updated to
>> the following package versions (some may be in testing as of this email):
>>
>>  python-cccolutils-1.4-1
>>  fedpkg-1.26-2
>>  fedora-packager-0.6.0.0-1
>>  pyrpkg-1.47-3
>>  koji-1.11.0-1
>
> [dwoodhou@i7 master]$ rpm -q python3-cccolutils fedpkg fedora-packager pyrpkg koji
> python3-cccolutils-1.4-1.fc25.x86_64
> fedpkg-1.26-2.fc26.noarch
> fedora-packager-0.6.0.0-1.fc25.noarch
> pyrpkg-1.47-3.fc26.noarch
> koji-1.11.0-1.fc25.noarch
> [dwoodhou@i7 master]$ fedpkg -vd build
> Creating repo object from /home/dwmw2/fedora/openconnect/master
> Your git configuration does not use a namespace.
> Consider updating your git configuration by running:
> Could not read Fedora cert, falling back to default method: !!!cannot read your ~/.fedora.cert file   !!!
> !!! Ensure the file is readable and try again !!!
>   git remote set-url origin ssh://dwood...@pkgs.fedoraproject.org/rpms/openconnect
> Initiating a koji session to https://koji.fedoraproject.org/kojihub
> Could not execute build: (-1765328370, 'KDC has no support for encryption type')
> Traceback (most recent call last):
>   File "/usr/bin/fedpkg", line 16, in 
>     main()
>   File "/usr/lib/python2.7/site-packages/fedpkg/__main__.py", line 77, in main
>     sys.exit(client.args.command())
>   File "/usr/lib/python2.7/site-packages/pyrpkg/cli.py", line 988, in build
>     sets, nvr_check)
>   File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 1877, in build
>     build_target = self.kojisession.getBuildTarget(self.target)
>   File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 216, in kojisession
>     self.load_kojisession()
>   File "/usr/lib/python2.7/site-packages/fedpkg/__init__.py", line 314, in load_kojisession
>     return super(Commands, self).load_kojisession(anon)
>   File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 378, in load_kojisession
>     self.login_koji_session(koji_config, self._kojisession)
>   File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 345, in login_koji_session
>     session.krb_login(proxyuser=self.runas)
>   File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2087, in krb_login
>     options=krbV.AP_OPTS_MUTUAL_REQUIRED)
> krbV.Krb5Error: (-1765328370, 'KDC has no support for encryption type')
> [dwoodhou@i7 master]$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: dw...@fedoraproject.org
>
> Valid starting     Expires            Service principal
> 13/12/16 12:40:44  14/12/16 12:40:41  krbtgt/fedoraproject@fedoraproject.org
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 13/12/16 13:09:10  14/12/16 12:40:41  HTTP/proxy10.fedoraproject.org@
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 13/12/16 13:09:10  14/12/16 12:40:41  HTTP/proxy10.fedoraproject@fedoraproject.org
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 13/12/16 16:47:51  14/12/16 12:40:41  HTTP/proxy01.fedoraproject.org@
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 13/12/16 16:47:51  14/12/16 12:40:41  HTTP/proxy01.fedoraproject@fedoraproject.org
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 13/12/16 16:47:52  14/12/16 12:40:41  host/koji.fedoraproject@fedoraproject.org
>   renew until 20/12/16 12:40:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Could you please show the output of 
KRB5_TRACE=/dev/stderr koji hello


--
/ Alexander Bokovoy


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Petr Spacek
On 13.12.2016 22:57, Tom Hughes wrote:
> On 13/12/16 21:32, Simo Sorce wrote:
>> On Tue, 2016-12-13 at 18:52 +, Tom Hughes wrote:
>>
>>> The main goal of long random passwords after all is about a combination
>>> of making them hard to brute force and ensuring that every service has a
>>> unique password to guard against credential reuse attacks when one of
>>> the many services everybody has logins for experiences the inevitable
>>> loss of their poorly secured database.
>>>
>>> I always find it somewhat depressing that the more sophisticated a login
>>> system becomes the worse my security on it seems to get because I wind
>>> up having to use weaker passwords. Banks are the classic example because
>>> they rarely have a straightforward password even as one part of their
>>> authentication but anything that means I have to remember a password
>>> hits the same problem.
>>
>> Don't remember it if it bothers you, why do you use a double standard if
>> the password is not sent via browser but through a CLI ?
> 
> It's an interesting question, and the first thing I'd say is that there are
> actually very few passwords that I enter at a CLI at all. Once I've unlocked
> gnome keyring by logging into my laptop or desktop it's mostly only when I
> want to sudo as other things tend to be by ssh public key auth from my 
> keyring.
> 
> I think the threat model is very different as well, at least for me, as the
> environments where I am entering a password for sudo for example are all ones
> which I control and where I know how the password database is stored while for
> web based logins I operate on the basis that I have no idea whether any given
> site has the sense to hash its passwords or to adequately protect its user
> database.
> 
> Obviously I'm sure the FAS database is properly protected but the ways of
> working I have developed are based around not assuming that for web logins
> hence why I switched to random passwords and a password manager many years 
> ago.
> 
> Anyway, it looks like GOA with the realmd fix likely does what I want,
> which is good news.

Theoretically, if you really really want a random password and never type it,
you can retrieve a keytab for your account. The keytab file can contain e.g. a
random 256-bit AES key, so you will be as safe as you can be, assuming no attacker
can gain access to that file (which you assume already).

In the Kerberized world this is usually done for machine/service accounts but
technically nothing prevents you from using the same method for your own 
account.

See the man page for the command ipa-getkeytab from the package freeipa-client
(or use the command kpasswd).

-- 
Petr Spacek  @  Red Hat
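For the keytab option Petr describes here (the same thing Stephen's ktutil note and Kevin's warning that a keytab copies easily refer to elsewhere in the thread), an added example that is not code from the thread, MIT Kerberos, FreeIPA or ktutil: it writes a MIT-format keytab holding a random 256-bit AES key, parses it back reporting principal, enctype, kvno and key length but never the key itself, checks that group and others cannot read the file, and shows that a deleted slot keeps its key bytes in the file until the keytab is rewritten. The principal packager@FEDORAPROJECT.ORG, the host principal and all key bytes are constructed.

```python
"""Build and inspect MIT-format keytabs (file version 0x0502) without ever
printing a key.  Added example: not code from the thread, MIT Kerberos,
FreeIPA or ktutil.  The principals, realm contents and keys are constructed.
"""
import os
import stat
import struct
import tempfile

# RFC 3961/3962 enctype numbers a packager is likely to meet.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL = 1


def counted(data):
    """uint16 big-endian length followed by the bytes (keytab 'counted octet string')."""
    return struct.pack(">H", len(data)) + data


def read_counted(data, pos):
    n, = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries):
    """entries: (principal 'a/b@REALM', enctype, key bytes, kvno, unix timestamp).
    Returns the bytes of a version-2 keytab with one slot per entry."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, key, kvno, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + counted(realm.encode())
        for c in comps:
            body += counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + counted(key)
        body += struct.pack(">I", kvno)          # optional 32-bit kvno, as MIT writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def delete_slot(data, index):
    """Mark live slot `index` deleted the way the file format does: the length
    goes negative and the key bytes stay in the file until it is rewritten."""
    pos, seen = 2, 0
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        if size > 0 and seen == index:
            return data[:pos] + struct.pack(">i", -size) + data[pos + 4:]
        seen += size > 0
        pos += 4 + abs(size)
    raise IndexError(index)


def parse_keytab(data):
    """One dict per live slot; the key itself is reported only as a bit length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # deleted slot: skipped, but its bytes are still on disk
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        realm, pos = read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = read_counted(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, = struct.unpack_from(">H", data, pos + 9)
        key, pos = read_counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:                # the trailing 32-bit kvno overrides the 8-bit one
            kvno, = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                        "kvno": kvno, "key_bits": len(key) * 8, "timestamp": ts})
    return entries


def inspect_keytab(path):
    """Parse the file and flag it if group or others can read it."""
    mode = os.stat(path).st_mode
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    return {"mode_ok": (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0, "entries": entries}


def demo():
    """Write a constructed keytab holding a random 256-bit AES key, inspect it
    at mode 0600, then loosen it to 0644 and inspect again."""
    entries = [("packager@FEDORAPROJECT.ORG", 18, os.urandom(32), 3, 1481632841)]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "packager.keytab")
        with open(path, "wb") as f:
            f.write(build_keytab(entries))
        os.chmod(path, 0o600)
        strict = inspect_keytab(path)
        os.chmod(path, 0o644)
        loose = inspect_keytab(path)
    return {"strict": strict, "loose": loose}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "owner-only" if report["mode_ok"] else "READABLE BY OTHERS")
        for e in report["entries"]:
            print("  %(principal)s %(enctype)s kvno=%(kvno)d %(key_bits)d-bit key" % e)
```

The mode check and the deleted-slot behaviour are the two things worth remembering from this: the key in a keytab is as good as the password it replaces, so the file's permissions are the whole protection, and removing an entry with a keytab tool only flips its length negative, so a keytab that ever held an old key should be rewritten or shredded, not just edited.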


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Ralf Corsepius

On 12/13/2016 07:19 PM, Simo Sorce wrote:

> On Tue, 2016-12-13 at 14:36 +, Dave Love wrote:
>> Simo Sorce  writes:
>>
>>> If you really need to automate it because typing a password is too hard:
>>> cat ~/.mykrbpassword | kinit myusername
>>
>> It needs to be automated principally because the password is not
>> memorable.  I assume infrastructure people would rather we don't use the
>> least secure credentials we can.
>
> It is the same password you had to use every day to access services like
> bodhi, pkgdb, fas, etc...

Not quite.

I did not have to access it when working on packages in a git clone with
koji/git/fedpkg. Now I have to.


Ralf




Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Randy Barlow
On Mon, 2016-12-12 at 14:33 -0700, Kevin Fenzi wrote:
> First, I'll note you don't need to get a new ticket every day, you
> can
> just renew with 'kinit -R'. I am not sure what env kinit needs, but
> you
> may even be able to do this from a cron job. That will work for 1
> week. 

You can even use systemd timers to do it! You can make these files:

[rbarlow@ohm ~]$ cat ~/.config/systemd/user/kinit-R.service 
[Unit]
Description=Renew Kerberos ticket

[Service]
ExecStart=/usr/bin/kinit -R
Type=oneshot

[Install]
WantedBy=default.target
[rbarlow@ohm ~]$ cat ~/.config/systemd/user/kinit-R.timer 
[Unit]
Description=Renew Kerberos ticket every four hours

[Timer]
OnBootSec=15min
OnUnitActiveSec=4h

[Install]
WantedBy=timers.target

Then you need to enable the timer:

$ systemctl --user enable kinit-R.timer

Hope that helps!

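A check of what a renewal job like Randy's timer above (or Kevin's 'kinit -R' cron idea and Pavel's krenew suggestion earlier in the thread) will actually find, as an added example that is not part of the thread or of krb5, kstart or systemd: it parses `klist -e` output, reports whether the TGT is still renewable, already expired, or past its renewable life, and checks that the timer interval is shorter than the ticket lifetime. The sample klist output, the principal packager@FEDORAPROJECT.ORG and the cache path are constructed; the date layout copies the thread's klist output.

```python
"""Parse `klist -e` output and decide whether `kinit -R` can still renew the TGT.

Added example: not code from the thread, krb5, kstart or systemd.  SAMPLE_KLIST
is constructed in the dd/mm/yy layout the thread's klist output uses; the
principal and cache path are placeholders, not a real account.
"""
import re
from datetime import datetime, timedelta

SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: packager@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
13/12/16 12:40:44  14/12/16 12:40:41  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
\trenew until 20/12/16 12:40:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
13/12/16 13:09:10  14/12/16 12:40:41  HTTP/proxy10.fedoraproject.org@FEDORAPROJECT.ORG
\trenew until 20/12/16 12:40:41, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

TS = "%d/%m/%y %H:%M:%S"                      # klist's short date format in this locale
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^renew until ({STAMP})(?:, Etype \(skey, tkt\): ([\w-]+), ([\w-]+))?$")


def stamp(text):
    """Turn a klist timestamp string into a datetime."""
    return datetime.strptime(text, TS)


def parse_klist(text):
    """One dict per ticket; a 'renew until' line belongs to the ticket above it."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3), "starts": stamp(m.group(1)),
                            "expires": stamp(m.group(2)), "renew_until": None,
                            "skey_etype": None, "tkt_etype": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = stamp(m.group(1))
            tickets[-1]["skey_etype"], tickets[-1]["tkt_etype"] = m.group(2), m.group(3)
    return tickets


def tgt_for(tickets, realm):
    """The ticket-granting ticket for `realm`, or None."""
    want = f"krbtgt/{realm}@{realm}"
    return next((t for t in tickets if t["service"] == want), None)


def renewal_status(text, realm, now):
    """What a renew job would find at `now`:
    'renewable'  the TGT is valid and inside its renewable life: kinit -R works
    'expired'    nobody renewed before the ticket ran out: kinit -R fails
    'reauth'     the renewable life (a week in the sample) is over: a fresh kinit is needed
    'missing'    no TGT for the realm in the cache
    """
    tgt = tgt_for(parse_klist(text), realm)
    if tgt is None:
        return "missing"
    if tgt["renew_until"] is None or now >= tgt["renew_until"]:
        return "reauth"
    if now >= tgt["expires"]:
        return "expired"
    return "renewable"


def timer_interval_ok(text, realm, interval_hours):
    """A renew timer must fire more often than the ticket lifetime; otherwise
    the ticket expires between two runs and every later kinit -R fails."""
    tgt = tgt_for(parse_klist(text), realm)
    if tgt is None:
        return False
    return timedelta(hours=interval_hours) < tgt["expires"] - tgt["starts"]


def etypes(text):
    """Ticket enctype per service, for checking what the KDC actually issued."""
    return {t["service"]: t["tkt_etype"] for t in parse_klist(text)}


if __name__ == "__main__":
    realm = "FEDORAPROJECT.ORG"
    for when in ("13/12/16 18:00:00", "14/12/16 13:00:00", "21/12/16 09:00:00"):
        print(when, renewal_status(SAMPLE_KLIST, realm, stamp(when)))
    print("4h timer keeps up:", timer_interval_ok(SAMPLE_KLIST, realm, 4))
    print("48h timer keeps up:", timer_interval_ok(SAMPLE_KLIST, realm, 48))
    for service, etype in etypes(SAMPLE_KLIST).items():
        print(service, etype)
```

The point the status values make: `kinit -R` only works while the current ticket is still valid, so a four-hour timer against a 24-hour ticket keeps up, a two-day cron job does not, and once the renew-until stamp passes no timer helps and the password has to be typed again.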


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Tom Hughes

On 13/12/16 21:32, Simo Sorce wrote:

> On Tue, 2016-12-13 at 18:52 +, Tom Hughes wrote:
>
>> The main goal of long random passwords after all is about a combination
>> of making them hard to brute force and ensuring that every service has a
>> unique password to guard against credential reuse attacks when one of
>> the many services everybody has logins for experiences the inevitable
>> loss of their poorly secured database.
>>
>> I always find it somewhat depressing that the more sophisticated a login
>> system becomes the worse my security on it seems to get because I wind
>> up having to use weaker passwords. Banks are the classic example because
>> they rarely have a straightforward password even as one part of their
>> authentication but anything that means I have to remember a password
>> hits the same problem.
>
> Don't remember it if it bothers you, why do you use a double standard if
> the password is not sent via browser but through a CLI ?

It's an interesting question, and the first thing I'd say is that there 
are actually very few passwords that I enter at a CLI at all. Once I've 
unlocked gnome keyring by logging into my laptop or desktop it's mostly 
only when I want to sudo as other things tend to be by ssh public key 
auth from my keyring.

I think the threat model is very different as well, at least for me, as 
the environments where I am entering a password for sudo for example are 
all ones which I control and where I know how the password database is 
stored while for web based logins I operate on the basis that I have no 
idea whether any given site has the sense to hash its passwords or to 
adequately protect its user database.

Obviously I'm sure the FAS database is properly protected but the ways 
of working I have developed are based around not assuming that for web 
logins hence why I switched to random passwords and a password manager 
many years ago.

Anyway, it looks like GOA with the realmd fix likely does what I 
want, which is good news.


Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread David Woodhouse
On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote:
> All package maintainers will want to make sure they have updated to
> the 
> following package versions (some may be in testing as of this email):
> 
>  python-cccolutils-1.4-1
>  fedpkg-1.26-2
>  fedora-packager-0.6.0.0-1
>  pyrpkg-1.47-3
>  koji-1.11.0-1

[dwoodhou@i7 master]$ rpm -q python3-cccolutils fedpkg fedora-packager pyrpkg 
koji
python3-cccolutils-1.4-1.fc25.x86_64
fedpkg-1.26-2.fc26.noarch
fedora-packager-0.6.0.0-1.fc25.noarch
pyrpkg-1.47-3.fc26.noarch
koji-1.11.0-1.fc25.noarch
[dwoodhou@i7 master]$ fedpkg -vd build
Creating repo object from /home/dwmw2/fedora/openconnect/master
Your git configuration does not use a namespace.
Consider updating your git configuration by running:
Could not read Fedora cert, falling back to default method: !!!cannot read 
your ~/.fedora.cert file   !!!
!!! Ensure the file is readable and try again !!!
  git remote set-url origin 
ssh://dwood...@pkgs.fedoraproject.org/rpms/openconnect
Initiating a koji session to https://koji.fedoraproject.org/kojihub
Could not execute build: (-1765328370, 'KDC has no support for encryption type')
Traceback (most recent call last):
  File "/usr/bin/fedpkg", line 16, in 
main()
  File "/usr/lib/python2.7/site-packages/fedpkg/__main__.py", line 77, in main
sys.exit(client.args.command())
  File "/usr/lib/python2.7/site-packages/pyrpkg/cli.py", line 988, in build
sets, nvr_check)
  File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 1877, in 
build
build_target = self.kojisession.getBuildTarget(self.target)
  File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 216, in 
kojisession
self.load_kojisession()
  File "/usr/lib/python2.7/site-packages/fedpkg/__init__.py", line 314, in 
load_kojisession
return super(Commands, self).load_kojisession(anon)
  File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 378, in 
load_kojisession
self.login_koji_session(koji_config, self._kojisession)
  File "/usr/lib/python2.7/site-packages/pyrpkg/__init__.py", line 345, in 
login_koji_session
session.krb_login(proxyuser=self.runas)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2087, in 
krb_login
options=krbV.AP_OPTS_MUTUAL_REQUIRED)
krbV.Krb5Error: (-1765328370, 'KDC has no support for encryption type')
[dwoodhou@i7 master]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dw...@fedoraproject.org

Valid starting     Expires            Service principal
13/12/16 12:40:44  14/12/16 12:40:41  krbtgt/fedoraproject@fedoraproject.org
renew until 20/12/16 12:40:41, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
13/12/16 13:09:10  14/12/16 12:40:41  HTTP/proxy10.fedoraproject.org@
renew until 20/12/16 12:40:41, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
13/12/16 13:09:10  14/12/16 12:40:41  
HTTP/proxy10.fedoraproject@fedoraproject.org
renew until 20/12/16 12:40:41, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
13/12/16 16:47:51  14/12/16 12:40:41  HTTP/proxy01.fedoraproject.org@
renew until 20/12/16 12:40:41, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
13/12/16 16:47:51  14/12/16 12:40:41  
HTTP/proxy01.fedoraproject@fedoraproject.org
renew until 20/12/16 12:40:41, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
13/12/16 16:47:52  14/12/16 12:40:41  
host/koji.fedoraproject@fedoraproject.org
renew until 20/12/16 12:40:41, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 

-- 
dwmw2



Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Simo Sorce
On Tue, 2016-12-13 at 18:52 +, Tom Hughes wrote:
> On 13/12/16 18:19, Simo Sorce wrote:
> > On Tue, 2016-12-13 at 14:36 +, Dave Love wrote:
> >> Simo Sorce  writes:
> >>
> >>> If you really need to automate it because typing a password is too hard:
> >>> cat ~/.mykrbpassword | kinit myusername
> >>
> >> It needs to be automated principally because the password is not
> >> memorable.  I assume infrastructure people would rather we don't use the
> >> least secure credentials we can.
> >
> > It is the same password you had to use every day to access services like
> > bodhi, pkgdb, fas, etc...
> 
> Yes, the 16 character random one that is known to my browser's password 
> manager but not to me unless I look it up. So yes I do "use" it all the 
> time but only in as much as I hit the login button on my browser's 
> toolbar and it sends it to the web site.
> 
> > Now all those services are kerberized too (via OIDC IDP middleman) so
> > you can just kinit once and then access all those services w/o sending
> > password around, all in all I think it is a better situation.
> 
> Well yes that is probably another option, but it would still have to be 
> a weakened password to stand any chance of being memorable.

If you are ok storing it in the browser then you can store it elsewhere
and pipe it into kinit, I do not see a problem here.

> The main goal of long random passwords after all is about a combination 
> of making them hard to brute force and ensuring that every service has a 
> unique password to guard against credential reuse attacks when one of 
> the many services everybody has logins for experiences the inevitable 
> loss of their poorly secured database.
> 
> I always find it somewhat depressing that the more sophisticated a login 
> system becomes the worse my security on it seems to get because I wind 
> up having to use weaker passwords. Banks are the classic example because 
> they rarely have a straightforward password even as one part of their 
> authentication but anything that means I have to remember a password 
> hits the same problem.

Don't remember it if it bothers you, why do you use a double standard if
the password is not sent via browser but through a CLI?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Alexander Bokovoy

On Tue, 13 Dec 2016, David Woodhouse wrote:
> On Mon, 2016-12-12 at 10:53 +0100, Vít Ondruch wrote:
> > 2) I needed to update a certificate every 6 months, now I need to kinit
> > every day. This is a regression. How to make it work without kinit at all.
> > I am using SSSD for company kerberos and I don't need to kinit at all,
> > how to make this work for Fedora?
>
> Maybe we could support PKINIT? :)

We just committed first parts of PKINIT support in FreeIPA git master.
I'm not sure Fedora Infrastructure will utilize that any time soon but
we certainly are getting there with upstream FreeIPA. ;)

--
/ Alexander Bokovoy


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Tom Hughes

On 13/12/16 18:19, Simo Sorce wrote:
> On Tue, 2016-12-13 at 14:36 +, Dave Love wrote:
>> Simo Sorce  writes:
>>
>>> If you really need to automate it because typing a password is too hard:
>>> cat ~/.mykrbpassword | kinit myusername
>>
>> It needs to be automated principally because the password is not
>> memorable.  I assume infrastructure people would rather we don't use the
>> least secure credentials we can.
>
> It is the same password you had to use every day to access services like
> bodhi, pkgdb, fas, etc...

Yes, the 16 character random one that is known to my browser's password 
manager but not to me unless I look it up. So yes I do "use" it all the 
time but only in as much as I hit the login button on my browser's 
toolbar and it sends it to the web site.

> Now all those services are kerberized too (via OIDC IDP middleman) so
> you can just kinit once and then access all those services w/o sending
> password around, all in all I think it is a better situation.

Well yes that is probably another option, but it would still have to be 
a weakened password to stand any chance of being memorable.

The main goal of long random passwords after all is about a combination 
of making them hard to brute force and ensuring that every service has a 
unique password to guard against credential reuse attacks when one of 
the many services everybody has logins for experiences the inevitable 
loss of their poorly secured database.

I always find it somewhat depressing that the more sophisticated a login 
system becomes the worse my security on it seems to get because I wind 
up having to use weaker passwords. Banks are the classic example because 
they rarely have a straightforward password even as one part of their 
authentication but anything that means I have to remember a password 
hits the same problem.


Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Simo Sorce
On Tue, 2016-12-13 at 14:35 +, Dave Love wrote:
> Simo Sorce  writes:
> 
> > On Tue, 2016-12-13 at 10:54 +, Dave Love wrote:
> >> Kevin Fenzi  writes:
> >> 
> >> > This is included in the fedora-packager-0.6.0 update. 
> >> >
> >> > Make sure your /etc/krb5.conf has the include to include them
> >> > from /etc/krb5.conf.d/ though
> >> 
> >> That will break Heimdal, for people who use that.
> >
> > Heimdal is not packaged in Fedora,
> 
> It clearly is, and I have the package installed.
> 
> > if you care for compiling and using
> > it yourself I am sure you can change the default ccache scheme as well.
> >
> > Simo.
> 
> Oh, please.  The above was nothing to do with ccache anyhow.  (I don't
> know how it works currently, but Samba4 used to be based on Heimdal, and
> I thought inherited that sort of thing.  When I last worked on it,
> krb5.conf was meant to be interchangeable.)

The krb5.conf is interchangeable if you use a subset of directives
common to both, this directive is not common to both, therefore it is
incompatible with Heimdal.
Samba has been ported to MIT Kerberos for Fedora uses, and the ability
to support more advanced ccaches was one of the reasons.

> I did actually ask about Heimdal initially.

Sorry but we do not use Heimdal in the distro so I do not see why that
would be a concern.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Simo Sorce
On Tue, 2016-12-13 at 14:36 +, Dave Love wrote:
> Simo Sorce  writes:
> 
> > If you really need to automate it because typing a password is too hard:
> > cat ~/.mykrbpassword | kinit myusername
> 
> It needs to be automated principally because the password is not
> memorable.  I assume infrastructure people would rather we don't use the
> least secure credentials we can.

It is the same password you had to use every day to access services like
bodhi, pkgdb, fas, etc...
Now all those services are kerberized too (via OIDC IDP middleman) so
you can just kinit once and then access all those services w/o sending
password around, all in all I think it is a better situation.

> There is actually a Kerberos mechanism for storing credentials even if
> it somewhat defeats the object, particularly on a shared system.  It
> would be better if you could forward the GSS identities over ssh, but I
> don't see that you can.

You can if you authenticate with such an identity, but you can't forward
additional identities indeed.
But I am not sure why you would need to forward your user credentials to
servers normally. Did you copy your certs everywhere before? I would
think the normal case is that people have 1 development machine where
they handle packaging.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Sérgio Basto
On Tue, 2016-12-13 at 10:37 -0700, Kevin Fenzi wrote:
> On Tue, 13 Dec 2016 17:09:19 +
> Sérgio Basto  wrote:
> 
> > 
> > On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote:
> > > 
> > > 
> > > Greetings. 
> > > 
> > > As previously announced, releng has made a number of changes as
> > > part
> > > of
> > > its 2016 "flag day". 
> > > 
> > > All package maintainers will want to make sure they have updated
> > > to
> > > the 
> > > following package versions (some may be in testing as of this
> > > email):
> > > 
> > >  python-cccolutils-1.4-1
> > >  fedpkg-1.26-2
> > >  fedora-packager-0.6.0.0-1
> > >  pyrpkg-1.47-3
> > >  koji-1.11.0-1  
> > I'd like to have these tools on F23, which is not EOL,
> but will be in less than a week. 
> 
> We decided to concentrate on those branches that will be around and
> supported for a while. We are still fixing various things in epel and
> I
> imagine it would be similar work to try and get f23 working, which we
> don't really have the cycles for. 
> 
> Please upgrade. 
> 
> > 
> > koji -d --debug-xmlrpc download-build -a x86_64 kernel-4.8.14-
> > 100.fc23
> > 
> > 016-12-13 16:25:05,845 [DEBUG] koji: Traceback (most recent call
> > last): File "/usr/lib/python2.7/site-packages/koji/__init__.py",
> > line
> > 2099, in _callMethod
> > return self._sendCall(handler, headers, request)
> >   File "/usr/lib/python2.7/site-packages/koji/__init__.py", line
> > 2010,
> > in _sendCall
> > return self._sendOneCall(handler, headers, request)
> >   File "/usr/lib/python2.7/site-packages/koji/__init__.py", line
> > 2032,
> > in _sendOneCall
> > ret = self._read_xmlrpc_response(response, handler)
> >   File "/usr/lib/python2.7/site-packages/koji/__init__.py", line
> > 2064,
> > in _read_xmlrpc_response
> > response.status, response.reason, response.msg)
> > ProtocolError:  > 302
> > Found>  
> > 
> > download-build shouldn't need authentication ... 
> That's not authentication, that's because the older koji used http and
> the new one always uses https and tries to redirect you to https if
> you pass it http. You _may_ be able to fix this by
> editing /etc/koji.conf and making all the urls https 

Yes, it works.

Thanks for the support. 

> kevin
> 
> 
-- 
Sérgio M. B.



Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Kevin Fenzi
On Tue, 13 Dec 2016 17:09:19 +
Sérgio Basto  wrote:

> On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote:
> > 
> > Greetings. 
> > 
> > As previously announced, releng has made a number of changes as part
> > of
> > its 2016 "flag day". 
> > 
> > All package maintainers will want to make sure they have updated to
> > the 
> > following package versions (some may be in testing as of this
> > email):
> > 
> >  python-cccolutils-1.4-1
> >  fedpkg-1.26-2
> >  fedora-packager-0.6.0.0-1
> >  pyrpkg-1.47-3
> >  koji-1.11.0-1  
> 
> I'd like to have these tools on F23, which is not EOL,

but will be in less than a week. 

We decided to concentrate on those branches that will be around and
supported for a while. We are still fixing various things in epel and I
imagine it would be similar work to try and get f23 working, which we
don't really have the cycles for. 

Please upgrade. 

> koji -d --debug-xmlrpc download-build -a x86_64 kernel-4.8.14-100.fc23
> 
> 016-12-13 16:25:05,845 [DEBUG] koji: Traceback (most recent call
> last): File "/usr/lib/python2.7/site-packages/koji/__init__.py", line
> 2099, in _callMethod
> return self._sendCall(handler, headers, request)
>   File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2010,
> in _sendCall
> return self._sendOneCall(handler, headers, request)
>   File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2032,
> in _sendOneCall
> ret = self._read_xmlrpc_response(response, handler)
>   File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2064,
> in _read_xmlrpc_response
> response.status, response.reason, response.msg)
> ProtocolError:  Found>  
> 
> download-build shouldn't need authentication ... 

That's not authentication, that's because the older koji used http and
the new one always uses https and tries to redirect you to https if
you pass it http. You _may_ be able to fix this by
editing /etc/koji.conf and making all the urls https 

kevin






Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Kevin Fenzi
On Tue, 13 Dec 2016 10:58:16 +
Dave Love  wrote:

> Kevin Fenzi  writes:
> 
> > Ah, the actual package produced is python2-cccolutils (from the
> > python-cccolutils package). 
> >
> > python2-cccolutils.x86_64 1.4-1.el6 epel-testing  
> 
> Isn't that wrong for EPEL?

No. There's nothing saying a python-foo package has to produce a
python-foo package. 

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Kevin Fenzi
On Tue, 13 Dec 2016 14:19:50 +
Tom Hughes  wrote:

> On 13/12/16 13:41, Stephen Gallagher wrote:
> > On 12/13/2016 03:52 AM, Vít Ondruch wrote:  
> >>
> >> On 12.12.2016 at 22:33 Kevin Fenzi wrote:
> >>  
> >>> As sgallagh noted downthread, gnome online accounts will hopefully
> >>> handle this for you soon as soon as that one bug is fixed.  
> >>
> >> That should be fixed before such changes are pushed. If it is not,
> >> there should be at least somebody pushing this forward.  
> >
> > It was an oversight, which I only discovered a few days before the
> > flag day. A patch was immediately worked up and was expected to be
> > ready in time, which is why I didn't suggest postponing the flag
> > day.  
> 
> Actually it was discussed on IRC on 20th November and I gathered a 
> realmd log demonstrating it and it was supposed to be being looked
> into as I understood things at the time.
> 
> I should probably have filed a bug but at the time I wasn't sure if
> it was an issue with GOA or a configuration issue with the fedora
> kerberos servers.

If someone is assembling a list of blame, feel free to add me to it. 

I noticed this when we were testing in staging, but due to the 1000
other things I was trying to test and get going I didn't file a bug on
it. 

That said, I don't think this is productive. Several of us could have
filed a bug. We didn't. We can try and do better. Let's move on and get
things working with what we have now. 

kevin





Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Kevin Fenzi
On Tue, 13 Dec 2016 14:36:06 +
Dave Love  wrote:

> Simo Sorce  writes:
> 
> > If you really need to automate it because typing a password is too
> > hard: cat ~/.mykrbpassword | kinit myusername  
> 
> It needs to be automated principally because the password is not
> memorable.  I assume infrastructure people would rather we don't use
> the least secure credentials we can.

I can't speak for others, but the thought of putting your fas password
in plain text in some start up file makes me cry. I cannot of course
tell anyone what to do, but I can beg you not to do this. 

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Sérgio Basto
On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote:
> 
> Greetings. 
> 
> As previously announced, releng has made a number of changes as part
> of
> its 2016 "flag day". 
> 
> All package maintainers will want to make sure they have updated to
> the 
> following package versions (some may be in testing as of this email):
> 
>  python-cccolutils-1.4-1
>  fedpkg-1.26-2
>  fedora-packager-0.6.0.0-1
>  pyrpkg-1.47-3
>  koji-1.11.0-1

I'd like to have these tools on F23, which is not EOL,

koji -d --debug-xmlrpc download-build -a x86_64 kernel-4.8.14-100.fc23

016-12-13 16:25:05,845 [DEBUG] koji: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2099,
in _callMethod
return self._sendCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2010,
in _sendCall
return self._sendOneCall(handler, headers, request)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2032,
in _sendOneCall
ret = self._read_xmlrpc_response(response, handler)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2064,
in _read_xmlrpc_response
response.status, response.reason, response.msg)
ProtocolError: 

download-build shouldn't need authentication ... 

> 
> Please also see the following links for up to date information: 
> 
> https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016
> 
> The following changes were made:
> 
> * koji and the source lookaside were changed to use kerberos
> authentication
> instead of ssl certificates. All maintainers will need to:
> 
> kinit your-fas-accountn...@fedoraaproject.org
> 
> to get a valid kerberos TGT and be able to authenticate to koji and 
> the lookaside upload cgi. 
> 
> See the general kerberos information at: 
> https://fedoraproject.org/wiki/Infrastructure_kerberos_authentication
> for more details.
> 
> Additionally, via GSSAPI many browsers allow you to seamlessly login 
> to any of our ipsilon using applications simply by clicking on the
> login 
> button ( bodhi, fedorahosted trac, elections, fedocal, mailman3, etc)
> 
> * koji now uses a well known cert for https. 
> 
> * pkgs.fedoraproject.org now redirects to https://src.fedoraproject.org and 
> that uses a well known cert. Please correct any links you use to use
> https://src.fedoraproject.org for packages spec and patch files. 
> 
> * rawhide builds now land in the f26-pending tag, where they are
> signed
> and then 
> added to the f26 tag for compose in the next rawhide compose. This
> allows 
> rawhide packages to be fully signed as well as a point where
> automated
> QA
> can take place in the future. 
> 
> * packages "sources" files now use sha512 by default instead of md5. 
> You will need the fedpkg update in order to create and use these new
> checksums.
> 
> Questions or concerns as always welcome at #fedora-admin on
> irc.freenode.net
> or tickets at https://pagure.io/fedora-infrastructure. 
-- 
Sérgio M. B.



Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dave Love
Stephen Gallagher  writes:

>> There is actually a Kerberos mechanism for storing credentials even if
>> it somewhat defeats the object, particularly on a shared system.  It
>> would be better if you could forward the GSS identities over ssh, but I
   ^^^

>> don't see that you can.
>
> Of course you can: `ssh -K`. From the manpage:
>
>  -K  Enables GSSAPI-based authentication and forwarding (delegation) 
> of
> GSSAPI credentials to the server.

As far as I could tell, that can only be a single identity (possibly per
host), so no use if you need to use a local realm too.  I've been doing
this stuff longer than most and am doubtless not up-to-date, but I did
check the doc on my (non-Fedora) desktop.


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread David Woodhouse
On Mon, 2016-12-12 at 10:53 +0100, Vít Ondruch wrote:
> 2) I needed to update a certificate every 6 months, now I need to kinit
> every day. This is a regression. How to make it work without kinit at all.
> I am using SSSD for company kerberos and I don't need to kinit at all,
> how to make this work for Fedora?

Maybe we could support PKINIT? :)

-- 
dwmw2



Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Stephen Gallagher
On 12/13/2016 09:36 AM, Dave Love wrote:
> Simo Sorce  writes:
> 
>> If you really need to automate it because typing a password is too hard:
>> cat ~/.mykrbpassword | kinit myusername
> 
> It needs to be automated principally because the password is not
> memorable.  I assume infrastructure people would rather we don't use the
> least secure credentials we can.
> 
> There is actually a Kerberos mechanism for storing credentials even if
> it somewhat defeats the object, particularly on a shared system.  It
> would be better if you could forward the GSS identities over ssh, but I
> don't see that you can.

Of course you can: `ssh -K`. From the manpage:

 -K  Enables GSSAPI-based authentication and forwarding (delegation) of
GSSAPI credentials to the server.







Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dave Love
Simo Sorce  writes:

> If you really need to automate it because typing a password is too hard:
> cat ~/.mykrbpassword | kinit myusername

It needs to be automated principally because the password is not
memorable.  I assume infrastructure people would rather we don't use the
least secure credentials we can.

There is actually a Kerberos mechanism for storing credentials even if
it somewhat defeats the object, particularly on a shared system.  It
would be better if you could forward the GSS identities over ssh, but I
don't see that you can.


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dave Love
Simo Sorce  writes:

> On Tue, 2016-12-13 at 10:54 +, Dave Love wrote:
>> Kevin Fenzi  writes:
>> 
>> > This is included in the fedora-packager-0.6.0 update. 
>> >
>> > Make sure your /etc/krb5.conf has the include to include them
>> > from /etc/krb5.conf.d/ though
>> 
>> That will break Heimdal, for people who use that.
>
> Heimdal is not packaged in Fedora,

It clearly is, and I have the package installed.

> if you care for compiling and using
> it yourself I am sure you can change the default ccache scheme as well.
>
> Simo.

Oh, please.  The above was nothing to do with ccache anyhow.  (I don't
know how it works currently, but Samba4 used to be based on Heimdal, and
I thought inherited that sort of thing.  When I last worked on it,
krb5.conf was meant to be interchangeable.)

I did actually ask about Heimdal initially.


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Tom Hughes

On 13/12/16 13:41, Stephen Gallagher wrote:
> On 12/13/2016 03:52 AM, Vít Ondruch wrote:
>>
>> On 12.12.2016 at 22:33 Kevin Fenzi wrote:
>>
>>> As sgallagh noted downthread, gnome online accounts will hopefully
>>> handle this for you soon as soon as that one bug is fixed.
>>
>> That should be fixed before such changes are pushed. If it is not, there
>> should be at least somebody pushing this forward.
>
> It was an oversight, which I only discovered a few days before the flag day. A
> patch was immediately worked up and was expected to be ready in time, which is
> why I didn't suggest postponing the flag day.

Actually it was discussed on IRC on 20th November and I gathered a 
realmd log demonstrating it and it was supposed to be being looked into 
as I understood things at the time.

I should probably have filed a bug but at the time I wasn't sure if it 
was an issue with GOA or a configuration issue with the fedora kerberos 
servers.

> And yes, there are always bumps in the road. Any time you change a major
> process, there will be issues you didn't expect or plan for. This would probably
> have been mitigated if basically *anyone* besides Fedora Infra and myself had
> bothered to beta-test the new Kerberos environment, but as with so many of our
> Bodhi updates, they never actually get tested until they make it to the "stable"
> repository.

Well I tested it to the extent of trying a kinit, and experimenting with 
GOA as mentioned above. Beyond that I was waiting for the fedpkg etc 
which we had been told would be available before the flag day.

I'm not sure it was ever made clear that there were new versions 
available in testing, or which packages exactly from testing we would 
need in order to try it.


Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Vít Ondruch


On 13.12.2016 at 14:41 Stephen Gallagher wrote:
> On 12/13/2016 03:52 AM, Vít Ondruch wrote:
>>
>> On 12.12.2016 at 22:33 Kevin Fenzi wrote:
>>> On Mon, 12 Dec 2016 10:53:39 +0100
>>> Vít Ondruch  wrote:
>>>
>>>> So several questions:
> ...
>>> First, I'll note you don't need to get a new ticket every day, you can
>>> just renew with 'kinit -R'.
>> Not sure what the difference is here; maybe you want to explain.
>>
> Well, this will depend on your behavior. If you reboot the machine every day,
> then the default behavior of Kerberos in Fedora will not allow you to do 
> `kinit
> -R`. That's because we use the kernel keyring to store the credential caches 
> and
> they are wiped clean when the machine goes away.
>
> If the machine has remained online, then the `kinit -R` basically means "If 
> this
> ticket is permitted to renew itself, do that", which will extend its usable
> lifetime up to the maximum renewal lifetime (in Fedora's case, renewals are
> permitted to extend the lifetime up to one week).

Thx for the explanation. My conclusion is I should use "kinit" all the time,
since "kinit -R" fails once per week anyway. The only difference is
typing the password.

Or actually, does the "kinit -R" preserve which ticket is primary? I
could save the "kswitch" command ...

>
>
>>>  I am not sure what env kinit needs, but you
>>> may even be able to do this from a cron job. That will work for 1 week. 
>> Again, you imply some additional settings on me. They were not needed
>> so far. I needed to call "fedora-packager-setup" every six months, that
>> was it.
>>
>> BTW you don't mention if the "fedora-packager-setup" is useful for
>> something ATM.
>>
>>> As sgallagh noted downthread, gnome online accounts will hopefully
>>> handle this for you soon as soon as that one bug is fixed.
>> That should be fixed before such changes are pushed. If it is not, there
>> should be at least somebody pushing this forward.
>>
> It was an oversight, which I only discovered a few days before the flag day.

I tried that, but it was just one of the issues (with unclear cause
and resolution to me) among others.

> A patch was immediately worked up and was expected to be ready in time, which 
> is
> why I didn't suggest postponing the flag day.
>
> Unfortunately, a discussion came up about whether the fix is happening in the
> right component (realmd vs. gnome-online-accounts). It stalled out for a few
> days, but I've now asked the maintainers to accept the band-aid patch for now,
> so hopefully that will be cleared up very quickly.
>

Thx

>>>  
>>>
>>> Finally, I'll note that these tickets are more powerful than the old
>>> certs. The certs controlled authentication to just koji and uploads,
>>> while tickets allow you to login to almost all our web apps as well.
>> Once again, you make it sound like I dislike kerberos and hate this
>> feature. But quite the contrary, I believe that this is a step in the right
>> direction and I appreciate this change in general. Unfortunately,
>> current status is far from ideal and the experience is worse than it
>> used to be.
>>
> To be fair, the old experience was that approximately every six months, users
> would get a cryptic error message, email the devel@ list and be told via
> institutional knowledge holders that they needed to get a new certificate.

I am pretty sure I was guilty as well at times ;)

> At least in the case of Kerberos, the *reason* that things are failing is clearly
> visible and easily searched.
>
> Remember, you're a long-time contributor with access to knowledge about a
> thousand finicky things. To you, all those silly workarounds are second nature,
> and thus when they change, it's disruptive. From the perspective of improving
> things long-term (and so that new users aren't out of their depth), sometimes we
> have to make changes like this.
>
> And yes, there are always bumps in the road. Any time you change a major
> process, there will be issues you didn't expect or plan for. This would probably
> have been mitigated if basically *anyone* besides Fedora Infra and myself had
> bothered to beta-test the new Kerberos environment, but as with so many of our
> Bodhi updates, they never actually get tested until they make it to the "stable"
> repository.
>
>

I was trying, that is why I noticed
https://bugzilla.redhat.com/show_bug.cgi?id=1394677#c7


Vít



___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Stephen Gallagher
On 12/13/2016 03:52 AM, Vít Ondruch wrote:
> 
> 
> On 12.12.2016 at 22:33 Kevin Fenzi wrote:
>> On Mon, 12 Dec 2016 10:53:39 +0100
>> Vít Ondruch  wrote:
>>
>>> So several questions:
...
>>
>> First, I'll note you don't need to get a new ticket every day, you can
>> just renew with 'kinit -R'.
> 
> Not sure what the difference is here, maybe you want to explain.
> 

Well, this will depend on your behavior. If you reboot the machine every day,
then the default behavior of Kerberos in Fedora will not allow you to do `kinit
-R`. That's because we use the kernel keyring to store the credential caches and
they are wiped clean when the machine goes away.

If the machine has remained online, then the `kinit -R` basically means "If this
ticket is permitted to renew itself, do that", which will extend its usable
lifetime up to the maximum renewal lifetime (in Fedora's case, renewals are
permitted to extend the lifetime up to one week).


>>  I am not sure what env kinit needs, but you
>> may even be able to do this from a cron job. That will work for 1 week. 
> 
> Again, you imply some additional settings on me. They were not needed
> so far. I needed to call "fedora-packager-setup" every six months, that
> was it.
> 
> BTW you don't mention if the "fedora-packager-setup" is useful for
> something ATM.
> 
>>
>> As sgallagh noted downthread, gnome online accounts will hopefully
>> handle this for you soon as soon as that one bug is fixed.
> 
> That should be fixed before such changes are pushed. If it is not, there
> should be at least somebody pushing this forward.
> 

It was an oversight, which I only discovered a few days before the flag day. A
patch was immediately worked up and was expected to be ready in time, which is
why I didn't suggest postponing the flag day.

Unfortunately, a discussion came up about whether the fix is happening in the
right component (realmd vs. gnome-online-accounts). It stalled out for a few
days, but I've now asked the maintainers to accept the band-aid patch for now,
so hopefully that will be cleared up very quickly.


>>  
>>
>> Finally, I'll note that these tickets are more powerful than the old
>> certs. The certs controlled authentication to just koji and uploads,
>> while tickets allow you to login to almost all our web apps as well.
> 
> Once again, you make it sound like I dislike kerberos and hate this
> feature. But quite the contrary, I believe that this is a step in the right
> direction and I appreciate this change in general. Unfortunately,
> current status is far from ideal and the experience is worse than it
> used to be.
> 

To be fair, the old experience was that approximately every six months, users
would get a cryptic error message, email the devel@ list and be told via
institutional knowledge holders that they needed to get a new certificate. At
least in the case of Kerberos, the *reason* that things are failing is clearly
visible and easily searched.

Remember, you're a long-time contributor with access to knowledge about a
thousand finicky things. To you, all those silly workarounds are second nature,
and thus when they change, it's disruptive. From the perspective of improving
things long-term (and so that new users aren't out of their depth), sometimes we
have to make changes like this.

And yes, there are always bumps in the road. Any time you change a major
process, there will be issues you didn't expect or plan for. This would probably
have been mitigated if basically *anyone* besides Fedora Infra and myself had
bothered to beta-test the new Kerberos environment, but as with so many of our
Bodhi updates, they never actually get tested until they make it to the "stable"
repository.






Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread David Woodhouse
On Mon, 2016-12-12 at 02:36 +0100, Igor Gnatenko wrote:
> > It shows a little error icon in the Domain box, as if to indicate
> > that FEDORAPROJECT.ORG is an invalid domain (but unhelpfully without
> > any actual tooltip or error message). Is there a known problem here?
> 
> yes, and even patch available:
> https://bugzilla.redhat.com/show_bug.cgi?id=1401605

That only seems to address the 'it failed' part. Not the "when it
failed, the user experience was crappy and gave no details of the
error". The latter should be treated as a separate bug, and also fixed.
Please.

-- 
dwmw2



Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dan Horák
On Tue, 13 Dec 2016 12:51:02 +0200
Alexander Bokovoy  wrote:

> On Tue, 13 Dec 2016, Dan Horák wrote:
> >On Tue, 13 Dec 2016 12:29:57 +0200
> >Alexander Bokovoy  wrote:
> >
> >> On Tue, 13 Dec 2016, Daniel P. Berrange wrote:
> >> >On Tue, Dec 13, 2016 at 12:19:45PM +0200, Alexander Bokovoy wrote:
> >> >> On Tue, 13 Dec 2016, Alexander Bokovoy wrote:
> >> >> > On Tue, 13 Dec 2016, Vít Ondruch wrote:
> >> >> > >
> >> >> > >
> >> >> > > On 12.12.2016 at 16:02 Stephen Gallagher wrote:
> >> >> > > > On 12/12/2016 04:53 AM, Vít Ondruch wrote:
> >> >> > > > > So several questions:
> >> >> > > > >
> >> >> > > > > 1) When I have 2 domains I login to with kerberos, how
> >> >> > > > > to really make it work. I don't want to kswitch all the
> >> >> > > > > time. I am using Kerberos to authenticate my email
> >> >> > > > > client, so I want to keep it working all the time.
> >> >> > > > >
> >> >> > > > There are patches still coming that will switch the fedora
> >> >> > > > packaging tools to use GSSAPI rather than Kerberos
> >> >> > > > directly, which will handle auto-selecting the right TGT.
> >> >> > > > I'm not sure what the status is on this, but Patrick
> >> >> > > > Uiterwijk (CCed) was looking into it.
> >> >> > >
> >> >> > > I am probably missing something, but if I am not mistaken,
> >> >> > > the primary ticket depends on order of my kinit calls and I
> >> >> > > am using several apps which need kerberos authentication,
> >> >> > > so I can hardly see how fedora packaging tools changes can
> >> >> > > solve the major issue, i.e. if I do kinit
> >> >> > > vondr...@fedoraproject.org, this ticket becomes the
> >> >> > > primary ...
> >> >> > The story is always more complex than it seems.
> >> >> >
> >> >> > There is Kerberos protocol. There is also GSSAPI interface
> >> >> > that allows to wrap Kerberos use under a more general security
> >> >> > exchange means. While Kerberos tools can deal with multiple
> >> >> > credential caches in the collection only by addressing the
> >> >> > currently selected credentials cache, GSSAPI-aware
> >> >> > applications enjoy ability to choose which credentials cache
> >> >> > from the collection to use based on the realm of the target
> >> >> > service.
> >> >> >
> >> >> > Koji with a patch to use python-gssapi will have ability to
> >> >> > choose the credentials cache automatically based on the realm
> >> >> > of the target service, regardless of what credentials cache is
> >> >> > active right now in the collection. The version in Fedora
> >> >> > right now (1.11.0-1.fc25) is not yet built with the patch to
> >> >> > use python-gssapi.
> >> >> A small correction: koji 1.11.0-1.fc25 does use
> >> >> python-requests-kerberos which uses python-kerberos which is
> >> >> using GSSAPI C library. I verified that koji in Fedora 25 does
> >> >> work with credentials cache collections and properly chooses
> >> >> the credentials cache which is not the one currently active.
> >> >>
> >> >> However, default Fedora 25 configuration[1] does not set the
> >> >> default ccache name to a collection, only FreeIPA client
> >> >> installer does this.
> >> >>
> >> >> As a result, if you have no
> >> >>
> >> >> [libdefaults]
> >> >>   default_ccache_name = KEYRING:persistent:%{uid}
> >> >>
> >> >> in your krb5.conf, you are using the defaults compiled into
> >> >> libkrb5 which is 'FILE:/tmp/krb5cc_%{uid}'. The latter is not a
> >> >> credentials cache _collection_ and cannot store multiple
> >> >> credentials from multiple realms.
> >> >>
> >> >> So, if you'd change default_ccache_name to a KEYRING:..-based
> >> >> version and re-logon, you'll be able to maintain multiple
> >> >> credentials caches at the same time.
> >> >>
> >> >> [1]
> >> >> http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5.conf?h=f25
> >> >
> >> >Actually that's not quite right - if you look at krb5.spec you'll
> >> >see it then munges that krb5.conf to add
> >> >
> >> >   default_ccache_name = KEYRING:persistent:%{uid}
> >> >
> >> >so all F25 installs should get that by default - all of my fresh
> >> >installs do.
> >> Mea culpa. Thanks for the correction. So, for fresh F25 installs
> >> this should be working fine -- at least with koji.
> >
> >does anybody know if the krb5-auth-dialog tool [1] works with the
> >credentials cache?
> >
> >[1] https://honk.sigxcpu.org/piki/projects/krb5-auth-dialog/
> This is an incorrect question -- everything that supports Kerberos
> works with the credentials caches. I guess you were asking whether
> krb5-auth-dialog does use GSSAPI to choose correct credential cache
> out of a _collection_? The answer is no, it does not use GSSAPI so it
> cannot automatically choose the correct credential cache out of a
> collection.
> 
> krb5-auth-dialog directly uses krb5 API, not GSSAPI, so your only
> choice with it is to use 'kswitch' utility to explicitly switch
> credential cache prior to use of the krb5-auth-dialog.

thanks for the 

Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Simo Sorce
On Tue, 2016-12-13 at 10:57 +, Dave Love wrote:
> Christopher  writes:
> 
> > Better yet, save your password in gnome-keyring:
> > keyring set login fedora
> > And retrieve it for kinit:
> > keyring get login fedora | kinit usern...@fedoraproject.org
> 
> None of this is any good if you're not using a desktop system, is it?
> I'm probably not the only one who does Fedora-related development on a
> login server, without a desktop.

If you really need to automate it because typing a password is too hard:
cat ~/.mykrbpassword | kinit myusername

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Simo Sorce
On Tue, 2016-12-13 at 10:54 +, Dave Love wrote:
> Kevin Fenzi  writes:
> 
> > This is included in the fedora-packager-0.6.0 update. 
> >
> > Make sure your /etc/krb5.conf has the include to include them
> > from /etc/krb5.conf.d/ though
> 
> That will break Heimdal, for people who use that.

Heimdal is not packaged in Fedora, if you care for compiling and using
it yourself I am sure you can change the default ccache scheme as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Jonathan Wakely

On 13/12/16 09:52 +0100, Vít Ondruch wrote:
>
> On 12.12.2016 at 22:33 Kevin Fenzi wrote:
>> First, I'll note you don't need to get a new ticket every day, you can
>> just renew with 'kinit -R'.
>
> Not sure what the difference is here, maybe you want to explain.

'kinit -R' doesn't need a password, it just renews an existing ticket.
So if you enter the password you can then renew it non-interactively
for the next week.

>>  I am not sure what env kinit needs, but you
>> may even be able to do this from a cron job. That will work for 1 week.

Renewing tickets with 'kinit -R' definitely does work from cron jobs.


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dave Love
Petr Mensik  writes:

> Sure, I am really missing this information written on the wiki page. The 
> secret is, they are in the DNS record. If you try 
> $ host -t URI _kerberos.fedoraproject.org

Thanks.  I forget about DNS records because I've been not trusting them
forever.  However, I only know about using SRV/TXT records, and this
stuff doesn't work on RHEL6 as far as I can tell.


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dave Love
Kevin Fenzi  writes:

> fedora-packager-0.6.0 includes:
>
> /etc/krb5.conf.d/fedoraproject_org
> and
> /etc/krb5.conf.d/stg_fedoraproject_org
>
> which contain: 
>
> [realms]
>  FEDORAPROJECT.ORG = {
> kdc = https://id.fedoraproject.org/KdcProxy
>  }
> [domain_realm]
>  .fedoraproject.org = FEDORAPROJECT.ORG
>  fedoraproject.org = FEDORAPROJECT.ORG
>
> and
>
> [realms]
>  STG.FEDORAPROJECT.ORG = {
> kdc = https://id.stg.fedoraproject.org/KdcProxy
>  }
> [domain_realm]
>  .stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
>  stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
>
> That said, autodetect should also work, so you shouldn't actually need
> those I don't think. 

Do you mean DNS lookup or something else?

The realm configuration doesn't work on RHEL6 anyhow, presumably because
it doesn't know what to do with a URL value of kdc.


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dave Love
Kevin Fenzi  writes:

> Ah, the actual package produced is python2-cccolutils (from the
> python-cccolutils package). 
>
> python2-cccolutils.x86_64 1.4-1.el6 epel-testing

Isn't that wrong for EPEL?


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dave Love
Christopher  writes:

> Better yet, save your password in gnome-keyring:
> keyring set login fedora
> And retrieve it for kinit:
> keyring get login fedora | kinit usern...@fedoraproject.org

None of this is any good if you're not using a desktop system, is it?
I'm probably not the only one who does Fedora-related development on a
login server, without a desktop.


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dave Love
Kevin Fenzi  writes:

> This is included in the fedora-packager-0.6.0 update. 
>
> Make sure your /etc/krb5.conf has the include to include them
> from /etc/krb5.conf.d/ though

That will break Heimdal, for people who use that.


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Alexander Bokovoy

On Tue, 13 Dec 2016, Dan Horák wrote:
> On Tue, 13 Dec 2016 12:29:57 +0200
> Alexander Bokovoy  wrote:
>
>> On Tue, 13 Dec 2016, Daniel P. Berrange wrote:
>> >On Tue, Dec 13, 2016 at 12:19:45PM +0200, Alexander Bokovoy wrote:
>> >> On Tue, 13 Dec 2016, Alexander Bokovoy wrote:
>> >> > On Tue, 13 Dec 2016, Vít Ondruch wrote:
>> >> > >
>> >> > >
>> >> > > On 12.12.2016 at 16:02 Stephen Gallagher wrote:
>> >> > > > On 12/12/2016 04:53 AM, Vít Ondruch wrote:
>> >> > > > > So several questions:
>> >> > > > >
>> >> > > > > 1) When I have 2 domains I login to with kerberos, how to
>> >> > > > > really make it work. I don't want to kswitch all the time.
>> >> > > > > I am using Kerberos to authenticate my email client, so I
>> >> > > > > want to keep it working all the time.
>> >> > > > >
>> >> > > > There are patches still coming that will switch the fedora
>> >> > > > packaging tools to use GSSAPI rather than Kerberos directly,
>> >> > > > which will handle auto-selecting the right TGT. I'm not sure
>> >> > > > what the status is on this, but Patrick Uiterwijk (CCed) was
>> >> > > > looking into it.
>> >> > >
>> >> > > I am probably missing something, but if I am not mistaken, the
>> >> > > primary ticket depends on order of my kinit calls and I am
>> >> > > using several apps which need kerberos authentication, so I
>> >> > > can hardly see how fedora packaging tools changes can solve
>> >> > > the major issue, i.e. if I do kinit
>> >> > > vondr...@fedoraproject.org, this ticket becomes the primary ...
>> >> > The story is always more complex than it seems.
>> >> >
>> >> > There is Kerberos protocol. There is also GSSAPI interface that
>> >> > allows to wrap Kerberos use under a more general security
>> >> > exchange means. While Kerberos tools can deal with multiple
>> >> > credential caches in the collection only by addressing the
>> >> > currently selected credentials cache, GSSAPI-aware applications
>> >> > enjoy ability to choose which credentials cache from the
>> >> > collection to use based on the realm of the target service.
>> >> >
>> >> > Koji with a patch to use python-gssapi will have ability to
>> >> > choose the credentials cache automatically based on the realm of
>> >> > the target service, regardless of what credentials cache is
>> >> > active right now in the collection. The version in Fedora right
>> >> > now (1.11.0-1.fc25) is not yet built with the patch to use
>> >> > python-gssapi.
>> >> A small correction: koji 1.11.0-1.fc25 does use
>> >> python-requests-kerberos which uses python-kerberos which is using
>> >> GSSAPI C library. I verified that koji in Fedora 25 does work with
>> >> credentials cache collections and properly chooses the credentials
>> >> cache which is not the one currently active.
>> >>
>> >> However, default Fedora 25 configuration[1] does not set the
>> >> default ccache name to a collection, only FreeIPA client installer
>> >> does this.
>> >>
>> >> As a result, if you have no
>> >>
>> >> [libdefaults]
>> >>   default_ccache_name = KEYRING:persistent:%{uid}
>> >>
>> >> in your krb5.conf, you are using the defaults compiled into libkrb5
>> >> which is 'FILE:/tmp/krb5cc_%{uid}'. The latter is not a credentials
>> >> cache _collection_ and cannot store multiple credentials from
>> >> multiple realms.
>> >>
>> >> So, if you'd change default_ccache_name to a KEYRING:..-based
>> >> version and re-logon, you'll be able to maintain multiple
>> >> credentials caches at the same time.
>> >>
>> >> [1]
>> >> http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5.conf?h=f25
>> >
>> >Actually that's not quite right - if you look at krb5.spec you'll
>> >see it then munges that krb5.conf to add
>> >
>> >   default_ccache_name = KEYRING:persistent:%{uid}
>> >
>> >so all F25 installs should get that by default - all of my fresh
>> >installs do.
>> Mea culpa. Thanks for the correction. So, for fresh F25 installs this
>> should be working fine -- at least with koji.
>
> does anybody know if the krb5-auth-dialog tool [1] works with the
> credentials cache?
>
> [1] https://honk.sigxcpu.org/piki/projects/krb5-auth-dialog/

This is an incorrect question -- everything that supports Kerberos works
with the credentials caches. I guess you were asking whether
krb5-auth-dialog does use GSSAPI to choose correct credential cache out
of a _collection_? The answer is no, it does not use GSSAPI so it cannot
automatically choose the correct credential cache out of a collection.

krb5-auth-dialog directly uses krb5 API, not GSSAPI, so your only choice
with it is to use 'kswitch' utility to explicitly switch credential
cache prior to use of the krb5-auth-dialog.

--
/ Alexander Bokovoy
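The two practical points in this sub-thread, Stephen's `kinit -R` renewal (nothing to renew once a reboot has emptied the kernel keyring) and Alexander's collection-versus-single-FILE:-cache distinction with `kswitch` for tools that do not go through GSSAPI, put together as an added pre-flight script; it is not from the thread, fedora-packager or Fedora infrastructure. It assumes the MIT krb5 client tools (`klist`, `kinit`, `kswitch`); the realm name is the one from the thread, and every sample krb5.conf body and `klist -l` listing used with it is constructed.

```shell
#!/bin/sh
# Pre-flight check for the Fedora packaging tools' Kerberos setup.
# Added example for this thread; not a fedora-packager or Fedora infra script.
# Assumes MIT krb5 client tools (klist, kinit, kswitch). The realm name comes
# from the thread; sample krb5.conf bodies and `klist -l` listings are constructed.

REALM="${FEDORA_REALM:-FEDORAPROJECT.ORG}"

# Print the default_ccache_name set in a krb5.conf body read from stdin.
# Prints nothing when the setting is absent, which means libkrb5 falls back
# to its compiled-in single-cache default (FILE:/tmp/krb5cc_%{uid}).
ccache_name_from_conf() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Succeed when the ccache name denotes a collection type, i.e. one cache per
# realm can be kept side by side. A FILE: cache holds a single set of credentials.
is_collection() {
    case "$1" in
        KEYRING:*|DIR:*|KCM:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `klist -l` output from stdin and print the cache name holding unexpired
# credentials for a principal in the given realm. Constructed layout:
#   Principal name                 Cache name
#   --------------                 ----------
#   packager@FEDORAPROJECT.ORG     KEYRING:persistent:1000:krb_ccache_B
# Prints nothing when no such cache exists.
cache_for_realm() {
    awk -v realm="$1" '
        NR > 2 && $1 ~ ("@" realm "$") && $0 !~ /\(Expired\)/ { print $2; exit }
    '
}

# Report whether the local krb5.conf keeps a cache collection.
check_conf() {
    name=$(ccache_name_from_conf < /etc/krb5.conf)
    if is_collection "$name"; then
        echo "default_ccache_name=$name is a collection; tickets for several realms can coexist"
    else
        echo "default_ccache_name='${name:-<compiled-in FILE: default>}' holds one cache only;" \
             "set default_ccache_name = KEYRING:persistent:%{uid} under [libdefaults] and log in again" >&2
        return 1
    fi
}

# Renew the realm's ticket without a password (kinit -R, up to the renewable
# lifetime) and make it the active cache for tools that use the krb5 API
# directly rather than GSSAPI. After a reboot the kernel keyring is empty, so
# there is nothing to renew and an interactive kinit is required.
ensure_ticket() {
    cache=$(klist -l 2>/dev/null | cache_for_realm "$REALM")
    if [ -z "$cache" ]; then
        echo "no credentials for $REALM (rebooted?); run: kinit <user>@$REALM" >&2
        return 1
    fi
    kinit -R -c "$cache" || { echo "renewal of $cache failed; run kinit again" >&2; return 1; }
    kswitch -c "$cache"
}

# Only run the checks when invoked as "$0 run", so the functions can also be
# sourced (for example by a cron job that calls ensure_ticket).
if [ "${1:-}" = "run" ]; then
    check_conf && ensure_ticket
fi
```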


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Dan Horák
On Tue, 13 Dec 2016 12:29:57 +0200
Alexander Bokovoy  wrote:

> On Tue, 13 Dec 2016, Daniel P. Berrange wrote:
> >On Tue, Dec 13, 2016 at 12:19:45PM +0200, Alexander Bokovoy wrote:
> >> On Tue, 13 Dec 2016, Alexander Bokovoy wrote:
> >> > On Tue, 13 Dec 2016, Vít Ondruch wrote:
> >> > >
> >> > >
> >> > > On 12.12.2016 at 16:02 Stephen Gallagher wrote:
> >> > > > On 12/12/2016 04:53 AM, Vít Ondruch wrote:
> >> > > > > So several questions:
> >> > > > >
> >> > > > > 1) When I have 2 domains I login to with kerberos, how to
> >> > > > > really make it work. I don't want to kswitch all the time.
> >> > > > > I am using Kerberos to authenticate my email client, so I
> >> > > > > want to keep it working all the time.
> >> > > > >
> >> > > > There are patches still coming that will switch the fedora
> >> > > > packaging tools to use GSSAPI rather than Kerberos directly,
> >> > > > which will handle auto-selecting the right TGT. I'm not sure
> >> > > > what the status is on this, but Patrick Uiterwijk (CCed) was
> >> > > > looking into it.
> >> > >
> >> > > I am probably missing something, but if I am not mistaken, the
> >> > > primary ticket depends on order of my kinit calls and I am
> >> > > using several apps which need kerberos authentication, so I
> >> > > can hardly see how fedora packaging tools changes can solve
> >> > > the major issue, i.e. if I do kinit
> >> > > vondr...@fedoraproject.org, this ticket becomes the primary ...
> >> > The story is always more complex than it seems.
> >> >
> >> > There is Kerberos protocol. There is also GSSAPI interface that
> >> > allows to wrap Kerberos use under a more general security
> >> > exchange means. While Kerberos tools can deal with multiple
> >> > credential caches in the collection only by addressing the
> >> > currently selected credentials cache, GSSAPI-aware applications
> >> > enjoy ability to choose which credentials cache from the
> >> > collection to use based on the realm of the target service.
> >> >
> >> > Koji with a patch to use python-gssapi will have ability to
> >> > choose the credentials cache automatically based on the realm of
> >> > the target service, regardless of what credentials cache is
> >> > active right now in the collection. The version in Fedora right
> >> > now (1.11.0-1.fc25) is not yet built with the patch to use
> >> > python-gssapi.
> >> A small correction: koji 1.11.0-1.fc25 does use
> >> python-requests-kerberos which uses python-kerberos which is using
> >> GSSAPI C library. I verified that koji in Fedora 25 does work with
> >> credentials cache collections and properly chooses the credentials
> >> cache which is not the one currently active.
> >>
> >> However, default Fedora 25 configuration[1] does not set the
> >> default ccache name to a collection, only FreeIPA client installer
> >> does this.
> >>
> >> As a result, if you have no
> >>
> >> [libdefaults]
> >>   default_ccache_name = KEYRING:persistent:%{uid}
> >>
> >> in your krb5.conf, you are using the defaults compiled into libkrb5
> >> which is 'FILE:/tmp/krb5cc_%{uid}'. The latter is not a credentials
> >> cache _collection_ and cannot store multiple credentials from
> >> multiple realms.
> >>
> >> So, if you'd change default_ccache_name to a KEYRING:..-based
> >> version and re-logon, you'll be able to maintain multiple
> >> credentials caches at the same time.
> >>
> >> [1]
> >> http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5.conf?h=f25
> >
> >Actually that's not quite right - if you look at krb5.spec you'll
> >see it then munges that krb5.conf to add
> >
> >   default_ccache_name = KEYRING:persistent:%{uid}
> >
> >so all F25 installs should get that by default - all of my fresh
> >installs do.
> Mea culpa. Thanks for the correction. So, for fresh F25 installs this
> should be working fine -- at least with koji.

does anybody know if the krb5-auth-dialog tool [1] works with the
credentials cache?


Dan

[1] https://honk.sigxcpu.org/piki/projects/krb5-auth-dialog/


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Alexander Bokovoy

On Tue, 13 Dec 2016, Daniel P. Berrange wrote:
> On Tue, Dec 13, 2016 at 12:19:45PM +0200, Alexander Bokovoy wrote:
> > On Tue, 13 Dec 2016, Alexander Bokovoy wrote:
> > > On Tue, 13 Dec 2016, Vít Ondruch wrote:
> > > >
> > > >
> > > > On 12.12.2016 at 16:02 Stephen Gallagher wrote:
> > > > > On 12/12/2016 04:53 AM, Vít Ondruch wrote:
> > > > > > So several questions:
> > > > > >
> > > > > > 1) When I have 2 domains I login to with kerberos, how to really make it
> > > > > > work. I don't want to kswitch all the time. I am using Kerberos to
> > > > > > authenticate my email client, so I want to keep it working all the time.
> > > > > >
> > > > > There are patches still coming that will switch the fedora packaging tools to
> > > > > use GSSAPI rather than Kerberos directly, which will handle auto-selecting the
> > > > > right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk (CCed)
> > > > > was looking into it.
> > > >
> > > > I am probably missing something, but if I am not mistaken, the primary
> > > > ticket depends on order of my kinit calls and I am using several apps
> > > > which need kerberos authentication, so I can hardly see how fedora
> > > > packaging tools changes can solve the major issue, i.e. if I do kinit
> > > > vondr...@fedoraproject.org, this ticket becomes the primary ...
> > > The story is always more complex than it seems.
> > >
> > > There is Kerberos protocol. There is also GSSAPI interface that allows
> > > to wrap Kerberos use under a more general security exchange means. While
> > > Kerberos tools can deal with multiple credential caches in the
> > > collection only by addressing the currently selected credentials cache,
> > > GSSAPI-aware applications enjoy ability to choose which credentials cache
> > > from the collection to use based on the realm of the target service.
> > >
> > > Koji with a patch to use python-gssapi will have ability to choose the
> > > credentials cache automatically based on the realm of the target
> > > service, regardless of what credentials cache is active right now in the
> > > collection. The version in Fedora right now (1.11.0-1.fc25) is not yet
> > > built with the patch to use python-gssapi.
> > A small correction: koji 1.11.0-1.fc25 does use python-requests-kerberos which
> > uses python-kerberos which is using GSSAPI C library. I verified that
> > koji in Fedora 25 does work with credentials cache collections and
> > properly chooses the credentials cache which is not the one currently
> > active.
> >
> > However, default Fedora 25 configuration[1] does not set the default ccache
> > name to a collection, only FreeIPA client installer does this.
> >
> > As a result, if you have no
> >
> > [libdefaults]
> >   default_ccache_name = KEYRING:persistent:%{uid}
> >
> > in your krb5.conf, you are using the defaults compiled into libkrb5
> > which is 'FILE:/tmp/krb5cc_%{uid}'. The latter is not a credentials
> > cache _collection_ and cannot store multiple credentials from multiple
> > realms.
> >
> > So, if you'd change default_ccache_name to a KEYRING:..-based version
> > and re-logon, you'll be able to maintain multiple credentials caches at
> > the same time.
> >
> > [1] http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5.conf?h=f25
>
> Actually that's not quite right - if you look at krb5.spec you'll
> see it then munges that krb5.conf to add
>
>   default_ccache_name = KEYRING:persistent:%{uid}
>
> so all F25 installs should get that by default - all of my fresh installs
> do.

Mea culpa. Thanks for the correction. So, for fresh F25 installs this
should be working fine -- at least with koji.

--
/ Alexander Bokovoy


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Daniel P. Berrange
On Tue, Dec 13, 2016 at 12:19:45PM +0200, Alexander Bokovoy wrote:
> On Tue, 13 Dec 2016, Alexander Bokovoy wrote:
> > On Tue, 13 Dec 2016, Vít Ondruch wrote:
> > > 
> > > 
> > > On 12.12.2016 at 16:02 Stephen Gallagher wrote:
> > > > On 12/12/2016 04:53 AM, Vít Ondruch wrote:
> > > > > So several questions:
> > > > > 
> > > > > 1) When I have 2 domains I login to with kerberos, how to really make it
> > > > > work. I don't want to kswitch all the time. I am using Kerberos to
> > > > > authenticate my email client, so I want to keep it working all the time.
> > > > > 
> > > > There are patches still coming that will switch the fedora packaging tools to
> > > > use GSSAPI rather than Kerberos directly, which will handle auto-selecting the
> > > > right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk (CCed)
> > > > was looking into it.
> > > 
> > > I am probably missing something, but if I am not mistaken, the primary
> > > ticket depends on order of my kinit calls and I am using several apps
> > > which needs kerberos authentication, so I can hardly see how fedora
> > > packaging tools changes can solve the major issue, i.e. if I do kinit
> > > vondr...@fedoraproject.org, this ticket becomes the primary ...
> > The story is always more complex than it seems.
> > 
> > There is Kerberos protocol. There is also GSSAPI interface that allows
> > to wrap Kerberos use under a more general security exchange means. While
> > Kerberos tools can deal with multiple credential caches in the
> > collection only by addressing the currently selected credentials cache,
> > GSSAPI-aware applications enjoy ability to choose which credentials cache
> > from the collection to use based on the realm of the target service.
> > 
> > Koji with a patch to use python-gssapi will have ability to choose the
> > credentials cache automatically based on the realm of the target
> > service, regardless of what credentials cache is active right now in the
> > collection. The version in Fedora right now (1.11.0-1.fc25) is not yet
> > built with the patch to use python-gssapi.
> A small correction: koji 1.11.0-1.fc25 does use python-requests-kerberos which
> uses python-kerberos which is using GSSAPI C library. I verified that
> koji in Fedora 25 does work with credentials cache collections and
> properly chooses the credentials cache which is not the one currently
> active.
> 
> However, default Fedora 25 configuration[1] does not set the default ccache
> name to a collection, only FreeIPA client installer does this.
> 
> As a result, if you have no
> 
> [libdefaults]
>   default_ccache_name = KEYRING:persistent:%{uid}
> 
> in your krb5.conf, you are using the defaults compiled into libkrb5
> which is 'FILE:/tmp/krb5cc_%{uid}'. The latter is not a credentials
> cache _collection_ and cannot store multiple credentials from multiple
> realms.
> 
> So, if you'd change default_ccache_name to a KEYRING:..-based version
> and re-logon, you'll be able to maintain multiple credentials caches at
> the same time.
> 
> [1] http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5.conf?h=f25

Actually that's not quite right - if you look at krb5.spec you'll
see it then munges that krb5.conf to add

   default_ccache_name = KEYRING:persistent:%{uid}

so all F25 installs should get that by default - all of my fresh installs
do.

Regards,
Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org :|
|: http://entangle-photo.org  -o-  http://search.cpan.org/~danberr/ :|
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Alexander Bokovoy

On ti, 13 joulu 2016, Alexander Bokovoy wrote:
> On ti, 13 joulu 2016, Vít Ondruch wrote:
>> Dne 12.12.2016 v 16:02 Stephen Gallagher napsal(a):
>>> On 12/12/2016 04:53 AM, Vít Ondruch wrote:
>>>> So several questions:
>>>>
>>>> 1) When I have 2 domains I login to with kerberos, how to really make it
>>>> work. I don't want to kswitch all the time. I am using Kerberos to
>>>> authenticate my email client, so I want to keep it working all the time.
>>>
>>> There are patches still coming that will switch the fedora packaging tools to
>>> use GSSAPI rather than Kerberos directly, which will handle auto-selecting the
>>> right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk (CCed)
>>> was looking into it.
>>
>> I am probably missing something, but if I am not mistaken, the primary
>> ticket depends on order of my kinit calls and I am using several apps
>> which need kerberos authentication, so I can hardly see how fedora
>> packaging tools changes can solve the major issue, i.e. if I do kinit
>> vondr...@fedoraproject.org, this ticket becomes the primary ...
>
> The story is always more complex than it seems.
>
> There is Kerberos protocol. There is also GSSAPI interface that allows
> to wrap Kerberos use under a more general security exchange means. While
> Kerberos tools can deal with multiple credential caches in the
> collection only by addressing the currently selected credentials cache,
> GSSAPI-aware applications enjoy ability to choose which credentials cache
> from the collection to use based on the realm of the target service.
>
> Koji with a patch to use python-gssapi will have ability to choose the
> credentials cache automatically based on the realm of the target
> service, regardless of what credentials cache is active right now in the
> collection. The version in Fedora right now (1.11.0-1.fc25) is not yet
> built with the patch to use python-gssapi.

A small correction: koji 1.11.0-1.fc25 does use python-requests-kerberos which
uses python-kerberos which is using GSSAPI C library. I verified that
koji in Fedora 25 does work with credentials cache collections and
properly chooses the credentials cache which is not the one currently
active.

However, default Fedora 25 configuration[1] does not set the default ccache
name to a collection, only FreeIPA client installer does this.

As a result, if you have no

[libdefaults]
  default_ccache_name = KEYRING:persistent:%{uid}

in your krb5.conf, you are using the defaults compiled into libkrb5
which is 'FILE:/tmp/krb5cc_%{uid}'. The latter is not a credentials
cache _collection_ and cannot store multiple credentials from multiple
realms.

So, if you'd change default_ccache_name to a KEYRING:..-based version
and re-logon, you'll be able to maintain multiple credentials caches at
the same time.

[1] http://pkgs.fedoraproject.org/cgit/rpms/krb5.git/tree/krb5.conf?h=f25
--
/ Alexander Bokovoy


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Paul Howarth

On 2016-12-12 17:05, Kevin Fenzi wrote:
> On Mon, 12 Dec 2016 12:32:33 +
> Paul Howarth  wrote:
>
>> There's an extra "A" in there.
>
> oops. so there is. :) Sorry about that.
>
>> Anyway, it's not working for me and it's a different error than
>> others are seeing:
>
> ...snip...
>
>> I tried logging into FAS and that worked but didn't help. It didn't
>> prompt me to change password either. I don't know if the "password
>> expired" thing is the source or a symptom of the problem.
>
> Can you try again now? We adjusted a few things...
>
> If it still doesn't work, can you open a new issue on it?
> https://pagure.io/fedora-infrastructure/new_issue
>
> Thanks.

I changed my password in FAS earlier and after that it worked OK.

Paul.


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Vít Ondruch


Dne 12.12.2016 v 22:33 Kevin Fenzi napsal(a):
> On Mon, 12 Dec 2016 10:53:39 +0100
> Vít Ondruch  wrote:
>
>> So several questions:
>>
>> 1) When I have 2 domains I login to with kerberos, how to really make
>> it work. I don't want to kswitch all the time. I am using Kerberos to
>> authenticate my email client, so I want to keep it working all the
>> time.
> Fedora should work just fine with other domains. It doesn't need to be
> the primary. 
>
>> 2) I needed to update a certificate every 6 months, now I need to
>> kinit every day. This is regression. How to make it work without
>> kinit at all. I am using SSSD for company kerberos and I don't need
>> to kinit at all, how to make this work for Fedora?
> I really wish people would stop using that word. 
> https://ohjeezlinux.wordpress.com/2013/01/03/new-rule-about-regressions/
>
> Anyhow, this is just a change in behavior that you don't like. 

Come on? Am I the only one? Overall, I think it is a good idea to use
kerberos, but the implementation sucks so far TBH.

>
> First, I'll note you don't need to get a new ticket every day, you can
> just renew with 'kinit -R'.

Not sure what the difference is here, maybe you want to explain.

>  I am not sure what env kinit needs, but you
> may even be able to do this from a cron job. That will work for 1 week. 

Again, you imply some additional settings on me. They were not needed
so far. I needed to call "fedora-packager-setup" every six months, that
was it.

BTW you don't mention if the "fedora-packager-setup" is useful for
something ATM.

>
> As sgallagh noted downthread, gnome online accounts will hopefully
> handle this for you soon as soon as that one bug is fixed.

That should be fixed before such changes are pushed. If it is not, there
should be at least somebody pushing this forward.

>  
>
> Finally, I'll note that these tickets are more powerful than the old
> certs. The certs controlled authentication to just koji and uploads,
> while tickets allow you to login to almost all our web apps as well.

Once again, you make it sound like I dislike kerberos and hate this
feature. But quite the contrary, I believe that this is a step in the right
direction and I appreciate this change in general. Unfortunately, the
current status is far from ideal and the experience is worse than it
used to be.


Vít





Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Alexander Bokovoy

On ti, 13 joulu 2016, Vít Ondruch wrote:
> Dne 12.12.2016 v 16:02 Stephen Gallagher napsal(a):
>> On 12/12/2016 04:53 AM, Vít Ondruch wrote:
>>> So several questions:
>>>
>>> 1) When I have 2 domains I login to with kerberos, how to really make it
>>> work. I don't want to kswitch all the time. I am using Kerberos to
>>> authenticate my email client, so I want to keep it working all the time.
>>
>> There are patches still coming that will switch the fedora packaging tools to
>> use GSSAPI rather than Kerberos directly, which will handle auto-selecting the
>> right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk (CCed)
>> was looking into it.
>
> I am probably missing something, but if I am not mistaken, the primary
> ticket depends on order of my kinit calls and I am using several apps
> which need kerberos authentication, so I can hardly see how fedora
> packaging tools changes can solve the major issue, i.e. if I do kinit
> vondr...@fedoraproject.org, this ticket becomes the primary ...

The story is always more complex than it seems.

There is Kerberos protocol. There is also GSSAPI interface that allows
to wrap Kerberos use under a more general security exchange means. While
Kerberos tools can deal with multiple credential caches in the
collection only by addressing the currently selected credentials cache,
GSSAPI-aware applications enjoy ability to choose which credentials cache
from the collection to use based on the realm of the target service.

Koji with a patch to use python-gssapi will have ability to choose the
credentials cache automatically based on the realm of the target
service, regardless of what credentials cache is active right now in the
collection. The version in Fedora right now (1.11.0-1.fc25) is not yet
built with the patch to use python-gssapi.

--
/ Alexander Bokovoy


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Vít Ondruch


Dne 12.12.2016 v 20:54 Christopher napsal(a):
> On Mon, Dec 12, 2016 at 10:03 AM Stephen Gallagher
> > wrote:
>
>
> > 2) I needed to update a certificate every 6 months, now I need
> to kinit
> > every day. This is regression. How to make it work without kinit
> at all.
> > I am using SSSD for company kerberos and I don't need to kinit
> at all,
> > how to make this work for Fedora?
> >
>
> If you're using GNOME, it will be possible to have it save your
> TGT password in
> GNOME Keyring and use GNOME Online Accounts to sign you in
> automatically when
> you log into your main account. However, there is currently a bug
> in it:
> https://bugzilla.redhat.com/show_bug.cgi?id=1401605
>
> I'm running with the patch proposed in that ticket and it has
> fixed the issue
> for me, so I know it works.
>
>
> Another (not recommended) option would be to put:
>
> echo "" | kinit usern...@fedoraproject.org
> 
>
>
> Better yet, save your password in gnome-keyring:
> keyring set login fedora
> And retrieve it for kinit:
> keyring get login fedora | kinit usern...@fedoraproject.org
> 
>
> (requires python-keyring and python-SecretStorage) 
>

Interesting tip. Thx.


Vít


Re: Packagers - Flag day 2016 Important changes

2016-12-13 Thread Vít Ondruch


Dne 12.12.2016 v 16:02 Stephen Gallagher napsal(a):
> On 12/12/2016 04:53 AM, Vít Ondruch wrote:
>> So several questions:
>>
>> 1) When I have 2 domains I login to with kerberos, how to really make it
>> work. I don't want to kswitch all the time. I am using Kerberos to
>> authenticate my email client, so I want to keep it working all the time.
>>
> There are patches still coming that will switch the fedora packaging tools to
> use GSSAPI rather than Kerberos directly, which will handle auto-selecting the
> right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk 
> (CCed)
> was looking into it.

I am probably missing something, but if I am not mistaken, the primary
ticket depends on order of my kinit calls and I am using several apps
which needs kerberos authentication, so I can hardly see how fedora
packaging tools changes can solve the major issue, i.e. if I do kinit
vondr...@fedoraproject.org, this ticket becomes the primary ...


>
>
>> 2) I needed to update a certificate every 6 months, now I need to kinit
>> every day. This is regression. How to make it work without kinit at all.
>> I am using SSSD for company kerberos and I don't need to kinit at all,
>> how to make this work for Fedora?
>>
> If you're using GNOME, it will be possible to have it save your TGT password 
> in
> GNOME Keyring and use GNOME Online Accounts to sign you in automatically when
> you log into your main account. However, there is currently a bug in it:
> https://bugzilla.redhat.com/show_bug.cgi?id=1401605

Tried that, hit the bug ... And it seems to be stuck for one week
already ...

>
> I'm running with the patch proposed in that ticket and it has fixed the issue
> for me, so I know it works.
>
>
> Another (not recommended) option would be to put:
>
> echo "" | kinit usern...@fedoraproject.org
>
> somewhere into your session-start scripts (but of course, this would require
> your password in plaintext somewhere).

heh :)


V.





Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Chenxiong Qi



On 12/12/2016 12:37 PM, Chenxiong Qi wrote:
> On 12/12/2016 08:58 AM, Josh Boyer wrote:
>> On Sun, Dec 11, 2016 at 7:34 PM, Dennis Gilmore  wrote:
>>> Greetings.
>>>
>>> As previously announced, releng has made a number of changes as part of
>>> its 2016 "flag day".
>>>
>>> All package maintainers will want to make sure they have updated to
>>> the
>>> following package versions (some may be in testing as of this email):
>>>
>>>  python-cccolutils-1.4-1
>>>  fedpkg-1.26-2
>
> There will be a new build fedpkg-1.26-3 today, that
> contains two fixes found during the testing.
>
> https://pagure.io/fedpkg/c/28897b7f9365f36713b87eb475d721854f3abfa1?branch=master
>
> https://pagure.io/fedpkg/c/4a5ea803d3fed49287f7feb4a750e86565d7?branch=master
>
> Thanks Igor for fixing the issue.

New build fedpkg-1.26-3 is now available in Koji and bodhi process. This
should work well with pkgs and Koji. Anyway, please have a try and test
it in your workflow.

>>>  fedora-packager-0.6.0.0-1
>>>  pyrpkg-1.47-3
>>>  koji-1.11.0-1
>>
>> Note that only python-cccolutils is in stable for F25.  The rest are
>> all still in updates-testing.
>>
>> josh





--
Regards,
Chenxiong Qi


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Kevin Fenzi
On Mon, 12 Dec 2016 10:53:39 +0100
Vít Ondruch  wrote:

> So several questions:
> 
> 1) When I have 2 domains I login to with kerberos, how to really make
> it work. I don't want to kswitch all the time. I am using Kerberos to
> authenticate my email client, so I want to keep it working all the
> time.

Fedora should work just fine with other domains. It doesn't need to be
the primary. 

> 2) I needed to update a certificate every 6 months, now I need to
> kinit every day. This is regression. How to make it work without
> kinit at all. I am using SSSD for company kerberos and I don't need
> to kinit at all, how to make this work for Fedora?

I really wish people would stop using that word. 
https://ohjeezlinux.wordpress.com/2013/01/03/new-rule-about-regressions/

Anyhow, this is just a change in behavior that you don't like. 

First, I'll note you don't need to get a new ticket every day, you can
just renew with 'kinit -R'. I am not sure what env kinit needs, but you
may even be able to do this from a cron job. That will work for 1 week. 

As sgallagh noted downthread, gnome online accounts will hopefully
handle this for you soon as soon as that one bug is fixed. 

Finally, I'll note that these tickets are more powerful than the old
certs. The certs controlled authentication to just koji and uploads,
while tickets allow you to login to almost all our web apps as well. 

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Christopher
On Mon, Dec 12, 2016 at 10:03 AM Stephen Gallagher 
wrote:

> On 12/12/2016 04:53 AM, Vít Ondruch wrote:
> > So several questions:
> >
> > 1) When I have 2 domains I login to with kerberos, how to really make it
> > work. I don't want to kswitch all the time. I am using Kerberos to
> > authenticate my email client, so I want to keep it working all the time.
> >
>
> There are patches still coming that will switch the fedora packaging tools
> to
> use GSSAPI rather than Kerberos directly, which will handle auto-selecting
> the
> right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk
> (CCed)
> was looking into it.
>
>
> > 2) I needed to update a certificate every 6 months, now I need to kinit
> > every day. This is regression. How to make it work without kinit at all.
> > I am using SSSD for company kerberos and I don't need to kinit at all,
> > how to make this work for Fedora?
> >
>
> If you're using GNOME, it will be possible to have it save your TGT
> password in
> GNOME Keyring and use GNOME Online Accounts to sign you in automatically
> when
> you log into your main account. However, there is currently a bug in it:
> https://bugzilla.redhat.com/show_bug.cgi?id=1401605
>
> I'm running with the patch proposed in that ticket and it has fixed the
> issue
> for me, so I know it works.
>
>
> Another (not recommended) option would be to put:
>
> echo "" | kinit usern...@fedoraproject.org
>
>
Better yet, save your password in gnome-keyring:
keyring set login fedora
And retrieve it for kinit:
keyring get login fedora | kinit usern...@fedoraproject.org

(requires python-keyring and python-SecretStorage)

> somewhere into your session-start scripts (but of course, this would require
> your password in plaintext somewhere).
>
>
-- 
Christopher


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Kevin Fenzi
On Mon, 12 Dec 2016 11:49:47 -0500 (EST)
Petr Mensik  wrote:

> Sure, I am really missing this information written on the wiki page.
> The secret is, they are in the DNS record. If you try $ host -t URI
> _kerberos.fedoraproject.org
> 
> you might get it. But some DNS servers seem to have trouble with this
> record. As Red Hat defaults have dns_lookup_realm = false, we need
> manual configuration. I think there are more people like us. I think
> this should be mentioned on
> https://fedoraproject.org/wiki/Infrastructure/Kerberos:
> 
> [realms]
>  FEDORAPROJECT.ORG = {
>kdc = https://id.fedoraproject.org/KdcProxy
>  }
> [domain_realm]
>  fedoraproject.org = FEDORAPROJECT.ORG
>  .fedoraproject.org = FEDORAPROJECT.ORG

This is included in the fedora-packager-0.6.0 update. 

Make sure your /etc/krb5.conf has the include to include them
from /etc/krb5.conf.d/ though

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Kevin Fenzi
On Mon, 12 Dec 2016 16:36:24 +
Dave Love  wrote:

> Dennis Gilmore  writes:
> 
> > See the general kerberos information at: 
> > https://fedoraproject.org/wiki/Infrastructure_kerberos_authentication
> > for more details.  
> 
> I was going to try to authenticate, even if the tools won't work, but
> that's missing the fundamental information about how to configure the
> realm for clients.  What are the kdc(s) and admin_server (if
> admin_server is relevant)?

fedora-packager-0.6.0 includes:

/etc/krb5.conf.d/fedoraproject_org
and
/etc/krb5.conf.d/stg_fedoraproject_org

which contain: 

[realms]
 FEDORAPROJECT.ORG = {
kdc = https://id.fedoraproject.org/KdcProxy
 }
[domain_realm]
 .fedoraproject.org = FEDORAPROJECT.ORG
 fedoraproject.org = FEDORAPROJECT.ORG

and

[realms]
 STG.FEDORAPROJECT.ORG = {
kdc = https://id.stg.fedoraproject.org/KdcProxy
 }
[domain_realm]
 .stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
 stg.fedoraproject.org = STG.FEDORAPROJECT.ORG

That said, autodetect should also work, so you shouldn't actually need
those I don't think. 

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Kevin Fenzi
On Mon, 12 Dec 2016 10:15:05 -0700
Kevin Fenzi  wrote:

> On Mon, 12 Dec 2016 16:22:06 +
> Dave Love  wrote:
> 
> > Dennis Gilmore  writes:
> >   
> > > Greetings. 
> > >
> > > As previously announced, releng has made a number of changes as
> > > part of its 2016 "flag day". 
> > >
> > > All package maintainers will want to make sure they have updated
> > > to the 
> > > following package versions (some may be in testing as of this
> > > email):
> > >
> > >  python-cccolutils-1.4-1
> > 
> > "No package python-cccolutils available." from epel-testing (6 and
> > 7).  
> 
> Odd. It was added 12 days ago. 
> 
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-aae672950a
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-96a64de312
> 
> Ah, the actual package produced is python2-cccolutils (from the
> python-cccolutils package). 
> 
> python2-cccolutils.x86_64 1.4-1.el6 epel-testing
> > >  fedpkg-1.26-2
> > 
> > That version isn't available, at least on RHEL6.  I haven't checked
> > further.  
> 
> Odd. I will inquire... 
>  
> > I was happy originally to be assured that this would work for those
> > of us who don't use Fedora.  Can we have an announcement if/when
> > things work on RHEL6, please.  
> 
> Well, it should just take the missing updates. I will try and see what
> happened to them... 

ok, what happened here is that there was a bug in python-cccolutils
that needs fixing, then fedpkg and rpkg can be pushed out for epel6.

Hopefully that will occur today. 

kevin





Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Kevin Fenzi
On Mon, 12 Dec 2016 09:35:05 -0700
Jerry James  wrote:

> On F-26, I got python-cccolutils, and the new fedpkg and pyrpkg from
> updates-testing, but:
> 
> # rpm -q fedora-packager
> fedora-packager-0.5.10.7-3.fc25.noarch
> # rpm -q koji
> koji-1.10.1-13.fc25.noarch
> # dnf --enablerepo=updates-testing upgrade fedora-packager koji
> Last metadata expiration check: 0:16:39 ago on Mon Dec 12 09:13:41 2016.
> Dependencies resolved.
> Nothing to do.
> Complete!
> # dnf --enablerepo=updates-testing repoquery fedora-packager koji
> Last metadata expiration check: 0:16:52 ago on Mon Dec 12 09:13:41 2016.
> fedora-packager-0:0.5.10.7-3.fc25.noarch
> koji-0:1.10.1-13.fc25.noarch
> 
> It looks like those 2 packages are in some kind of limbo, where
> they've been yanked out of the updates-testing repository but haven't
> yet made it into the stable repository.  Perhaps for future flag days
> we could wait until all of the client side bits land in the stable
> repository before flipping the switch on the server side to require
> them?

Yeah, it seems that the package was unpushed (when it was in testing)
and resubmitted for stable, so it's no longer in testing. ;( 

It should go out stable today. 

In the ideal world I completely agree, and we hoped to have everything
in place by flag day, but we found a number of last minute issues which
we had to fix in the packages. 

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Kevin Fenzi
On Mon, 12 Dec 2016 16:22:06 +
Dave Love  wrote:

> Dennis Gilmore  writes:
> 
> > Greetings. 
> >
> > As previously announced, releng has made a number of changes as
> > part of its 2016 "flag day". 
> >
> > All package maintainers will want to make sure they have updated to
> > the 
> > following package versions (some may be in testing as of this
> > email):
> >
> >  python-cccolutils-1.4-1  
> 
> "No package python-cccolutils available." from epel-testing (6 and 7).

Odd. It was added 12 days ago. 

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-aae672950a
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-96a64de312

Ah, the actual package produced is python2-cccolutils (from the
python-cccolutils package). 

python2-cccolutils.x86_64 1.4-1.el6 epel-testing
 
> >  fedpkg-1.26-2  
> 
> That version isn't available, at least on RHEL6.  I haven't checked
> further.

Odd. I will inquire... 
 
> I was happy originally to be assured that this would work for those of
> us who don't use Fedora.  Can we have an announcement if/when things
> work on RHEL6, please.

Well, it should just take the missing updates. I will try and see what
happened to them... 

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Vít Ondruch


Dne 12.12.2016 v 17:22 Dave Love napsal(a):
> Dennis Gilmore  writes:
>
>> Greetings. 
>>
>> As previously announced, releng has made a number of changes as part of
>> its 2016 "flag day". 
>>
>> All package maintainers will want to make sure they have updated to
>> the 
>> following package versions (some may be in testing as of this email):
>>
>>  python-cccolutils-1.4-1
> "No package python-cccolutils available." from epel-testing (6 and 7).

```
$ rpm -q python-cccolutils
package python-cccolutils is not installed

$ rpm -q python2-cccolutils
python2-cccolutils-1.4-1.fc26.x86_64
```

The python-cccolutils is actually the source package name ...


Vít


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Kevin Fenzi
On Mon, 12 Dec 2016 14:20:47 +0100
Louis Lagendijk  wrote:

> With these updates I can kinit to my username. This almost works:
> 
> kinit llagend...@fedoraproject.org
> Password for llagend...@fedoraproject.org: 
> Password expired.  You must change it now.
> Enter new password: 
> Enter it again: 
> kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting
> initial credentials
> 
> After changing the password in FAS I can login. But it is strange that
> we use kerberos, but we cannot update the password

Please try again now. If it still doesn't work, please file an issue. 

(or just follow along on the same issue upthread). 

It is not at all surprising that it doesn't let you change the
password, as that is all done in FAS still. IPA only has a one way sync
on it. 

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Kevin Fenzi
On Mon, 12 Dec 2016 12:32:33 +
Paul Howarth  wrote:

> There's an extra "A" in there.

oops. so there is. :) Sorry about that.

> Anyway, it's not working for me and it's a different error than
> others are seeing:

...snip...

> I tried logging into FAS and that worked but didn't help. It didn't 
> prompt me to change password either. I don't know if the "password 
> expired" thing is the source or a symptom of the problem.

Can you try again now? We adjusted a few things... 

If it still doesn't work, can you open a new issue on it?
https://pagure.io/fedora-infrastructure/new_issue

Thanks. 

kevin




Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Petr Mensik
Sure, I am really missing this information written on the wiki page. The secret 
is, they are in the DNS record. If you try 
$ host -t URI _kerberos.fedoraproject.org

you might get it. But some DNS servers seem to have trouble with this record. 
As Red Hat defaults have dns_lookup_realm = false, we need manual 
configuration. I think there are more people like us. I think this should be 
mentioned on https://fedoraproject.org/wiki/Infrastructure/Kerberos:

[realms]
 FEDORAPROJECT.ORG = {
   kdc = https://id.fedoraproject.org/KdcProxy
 }
[domain_realm]
 fedoraproject.org = FEDORAPROJECT.ORG
 .fedoraproject.org = FEDORAPROJECT.ORG


--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973


- Original Message -
From: "Dave Love" <d.l...@liverpool.ac.uk>
To: devel@lists.fedoraproject.org
Sent: Monday, December 12, 2016 5:36:24 PM
Subject: Re: Packagers - Flag day 2016 Important changes

Dennis Gilmore <den...@ausil.us> writes:

> See the general kerberos information at: 
> https://fedoraproject.org/wiki/Infrastructure_kerberos_authentication
> for more details.

I was going to try to authenticate, even if the tools won't work, but
that's missing the fundamental information about how to configure the
realm for clients.  What are the kdc(s) and admin_server (if
admin_server is relevant)?


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Dave Love
Dennis Gilmore  writes:

> See the general kerberos information at: 
> https://fedoraproject.org/wiki/Infrastructure_kerberos_authentication
> for more details.

I was going to try to authenticate, even if the tools won't work, but
that's missing the fundamental information about how to configure the
realm for clients.  What are the kdc(s) and admin_server (if
admin_server is relevant)?


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Jerry James
On Mon, Dec 12, 2016 at 9:22 AM, Dave Love  wrote:
>> All package maintainers will want to make sure they have updated to
>> the
>> following package versions (some may be in testing as of this email):
>>
>>  python-cccolutils-1.4-1
>
> "No package python-cccolutils available." from epel-testing (6 and 7).
>
>>  fedpkg-1.26-2
>
> That version isn't available, at least on RHEL6.  I haven't checked
> further.
>
> I was happy originally to be assured that this would work for those of
> us who don't use Fedora.  Can we have an announcement if/when things
> work on RHEL6, please.

On F-26, I got python-cccolutils, and the new fedpkg and pyrpkg from
updates-testing, but:

# rpm -q fedora-packager
fedora-packager-0.5.10.7-3.fc25.noarch
# rpm -q koji
koji-1.10.1-13.fc25.noarch
# dnf --enablerepo=updates-testing upgrade fedora-packager koji
Last metadata expiration check: 0:16:39 ago on Mon Dec 12 09:13:41 2016.
Dependencies resolved.
Nothing to do.
Complete!
# dnf --enablerepo=updates-testing repoquery fedora-packager koji
Last metadata expiration check: 0:16:52 ago on Mon Dec 12 09:13:41 2016.
fedora-packager-0:0.5.10.7-3.fc25.noarch
koji-0:1.10.1-13.fc25.noarch

It looks like those 2 packages are in some kind of limbo, where
they've been yanked out of the updates-testing repository but haven't
yet made it into the stable repository.  Perhaps for future flag days
we could wait until all of the client side bits land in the stable
repository before flipping the switch on the server side to require
them?
-- 
Jerry James
http://www.jamezone.org/


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Dave Love
Dennis Gilmore  writes:

> Greetings. 
>
> As previously announced, releng has made a number of changes as part of
> its 2016 "flag day". 
>
> All package maintainers will want to make sure they have updated to
> the 
> following package versions (some may be in testing as of this email):
>
>  python-cccolutils-1.4-1

"No package python-cccolutils available." from epel-testing (6 and 7).

>  fedpkg-1.26-2

That version isn't available, at least on RHEL6.  I haven't checked
further.

I was happy originally to be assured that this would work for those of
us who don't use Fedora.  Can we have an announcement if/when things
work on RHEL6, please.


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Jaroslav Skarvada


- Original Message -
> 
> 
> - Original Message -
> > Hi,
> > 
> > Jaroslav wrote:
> >  > It still doesn't work for me:
> >  >
> >  > $ fedpkg scratch-build
> >  > Could not execute scratch_build: (-1765328370, 'KDC has no support for
> >  > encryption
> >  > type')
> >  >
> >  > $ klist
> >  > Default principal: jskarvad(a)FEDORAPROJECT.ORG
> >  >
> >  > Valid starting   Expires  Service principal
> >  > 12.12.2016 10:21:53  13.12.2016 10:21:48
> >  > krbtgt/FEDORAPROJECT.ORG(a)FEDORAPROJECT.ORG
> >  >  renew until 19.12.2016 10:21:48
> >  >
> >  > fedora-cert.noarch 0.6.0.0-1.fc24
> >  > fedora-packager.noarch 0.6.0.0-1.fc24
> >  > fedpkg.noarch 1.26-2.fc24
> >  > koji.noarch 1.11.0-1.fc24
> >  > pyrpkg.noarch 1.47-3.fc24
> >  > python2-cccolutils.x86_64 1.4-1.fc24
> >  >
> >  > Not counting that the packages are available only through
> >  > updates-testing
> >  > in f24
> > 
> > I was getting the same error, I managed to fix it by creating a:
> > 
> > /etc/krb5.conf.d/redhat_com
> > 
> > With the following:
> > 
> > [realms]
> >   REDHAT.COM = {
> >kdc = $redhat_kdc
> >admin_server = $redhat_admin_server
> >default_domain = redhat.com
> >   }
> > 
> > [domain_realm]
> >   .redhat.com = REDHAT.COM
> >   redhat.com = REDHAT.COM
> > 
> > In there, with $redhat_kdc / $redhat_admin_server replaced with what
> > you've for these in your krb5.conf now.
> > 
> > And then replacing /etc/krb5.conf with the default one from the krb5-libs
> > package. After this you will need to redo kinit for both accounts, but then
> > it works.
> > 
> > Regards,
> > 
> > Hans
> 
> Hi Hans,
> 
> thanks for info, but it didn't help. Still the same error, even after
> removing /etc/krb5.conf.d/redhat_com
> 
> Jaroslav

I had a custom ~/.k5identity; the problem was resolved by upgrading to
pyrpkg-1.47-4.fc24.noarch

thanks & regards

Jaroslav


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Patrick マルタインアンドレアス Uiterwijk
> On 12/12/2016 04:53 AM, Vít Ondruch wrote:
> 
> There are patches still coming that will switch the fedora packaging tools to
> use GSSAPI rather than Kerberos directly, which will handle auto-selecting the
> right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk (CCed)
> was looking into it.

This is live in production, and the code is in koji-1.11.0, so updating to that
will make automatic selection work.
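Vít's question about juggling two realms, Jaroslav's custom ~/.k5identity and Patrick's note on automatic TGT selection all turn on the same mechanism: how libkrb5 picks a client principal out of a credential-cache collection for a given server. The block below is an added example, not code from pyrpkg, koji or MIT krb5. It models that selection in Python: rules from a constructed ~/.k5identity are tried first (field values matched as shell globs with fnmatch, which is a simplification of the real matcher), and if no rule matches, a cache in the collection whose realm equals the server's realm is chosen. The principals, the rules and the cache list are all constructed for the example.

```python
import fnmatch

# Constructed ~/.k5identity (not from the thread). Syntax as documented for
# MIT krb5: "principal field=value ...", first matching line wins, the fields
# are realm, service and host, and a line without fields matches every server.
K5IDENTITY = """\
# Fedora infrastructure: use the Fedora principal
jskarvad@FEDORAPROJECT.ORG  realm=FEDORAPROJECT.ORG
# company mail and anything else in the work realm
jskarvad@REDHAT.COM         realm=REDHAT.COM service=imap
jskarvad@REDHAT.COM         realm=REDHAT.COM
"""

# Constructed credential-cache collection: the client principals that
# `klist -A` would list for a KEYRING: or DIR: cache.
CCACHE_COLLECTION = ["jskarvad@REDHAT.COM", "jskarvad@FEDORAPROJECT.ORG"]


def parse_k5identity(text):
    """Return [(principal, {field: pattern}), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        principal, *items = line.split()
        fields = dict(item.partition("=")[::2] for item in items)
        rules.append((principal, fields))
    return rules


def split_server(server):
    """'host/koji.example.org@REALM' -> (['host', 'koji.example.org'], 'REALM')."""
    name, _, realm = server.rpartition("@")
    return name.split("/"), realm


def rule_matches(fields, server):
    """Every field of a rule must match; patterns are treated as shell globs."""
    comps, realm = split_server(server)
    subjects = {"realm": realm, "service": comps[0],
                "host": comps[1] if len(comps) > 1 else ""}
    for key, pattern in fields.items():
        if key not in subjects or not fnmatch.fnmatchcase(subjects[key], pattern):
            return False
    return True


def select_principal(server, k5identity_text=K5IDENTITY, collection=CCACHE_COLLECTION):
    """Client principal to use for `server`, or None if nothing suits.

    Simplified model of the library's cache selection: a ~/.k5identity rule
    wins; otherwise a cache whose realm equals the server's realm; otherwise
    None, which is when the default (primary) cache gets used regardless of
    realm, i.e. the "wrong TGT" case the thread describes.
    """
    for principal, fields in parse_k5identity(k5identity_text):
        if rule_matches(fields, server):
            return principal
    _, realm = split_server(server)
    for principal in collection:
        if principal.rpartition("@")[2] == realm:
            return principal
    return None
```

Before editing ~/.k5identity, `klist -A` shows which principals are actually present in the collection and `kswitch -p` changes the primary one; the realm fallback in the last loop can only pick the Fedora TGT if it exists at all, so that is the first thing to check when a tool keeps using the wrong credentials.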


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Stephen Gallagher
On 12/12/2016 04:53 AM, Vít Ondruch wrote:
> So several questions:
> 
> 1) When I have 2 domains I login to with kerberos, how to really make it
> work. I don't want to kswitch all the time. I am using Kerberos to
> authenticate my email client, so I want to keep it working all the time.
> 

There are patches still coming that will switch the fedora packaging tools to
use GSSAPI rather than Kerberos directly, which will handle auto-selecting the
right TGT. I'm not sure what the status is on this, but Patrick Uiterwijk (CCed)
was looking into it.


> 2) I needed to update a certificate every 6 months, now I need to kinit
> every day. This is regression. How to make it work without kinit at all.
> I am using SSSD for company kerberos and I don't need to kinit at all,
> how to make this work for Fedora?
> 

If you're using GNOME, it will be possible to have it save your TGT password in
GNOME Keyring and use GNOME Online Accounts to sign you in automatically when
you log into your main account. However, there is currently a bug in it:
https://bugzilla.redhat.com/show_bug.cgi?id=1401605

I'm running with the patch proposed in that ticket and it has fixed the issue
for me, so I know it works.


Another (not recommended) option would be to put:

echo "" | kinit usern...@fedoraproject.org

somewhere into your session-start scripts (but of course, this would require
your password in plaintext somewhere).





Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Louis Lagendijk
On Sun, 2016-12-11 at 18:34 -0600, Dennis Gilmore wrote:
> Greetings. 
> 
> As previously announced, releng has made a number of changes as part
> of
> its 2016 "flag day". 
> 
> All package maintainers will want to make sure they have updated to
> the 
> following package versions (some may be in testing as of this email):
> 
>  python-cccolutils-1.4-1
>  fedpkg-1.26-2
>  fedora-packager-0.6.0.0-1
>  pyrpkg-1.47-3
>  koji-1.11.0-1
> 
With these updates I can kinit to my username. This almost works:

kinit llagend...@fedoraproject.org
Password for llagend...@fedoraproject.org: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials

After changing the password in FAS I can log in. But it is strange that
we use Kerberos, yet we cannot update the password.


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Ralf Corsepius

On 12/12/2016 12:35 PM, Ralf Corsepius wrote:

On 12/12/2016 01:34 AM, Dennis Gilmore wrote:

Greetings.

As previously announced, releng has made a number of changes as part of
its 2016 "flag day".



https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016


For me, builds now are failing with weird errors:

cf. https://koji.fedoraproject.org/koji/taskinfo?taskID=16851705


A subsequent build, a couple of minutes later, seems to have succeeded.


But the next build-breakdown followed:
https://koji.fedoraproject.org/koji/taskinfo?taskID=16852752


From 
https://kojipkgs.fedoraproject.org//work/tasks/2753/16852753/mock_output.log

...
Parallel-Scoreboard-0.08.tar.gz: FAILED
sha512sum: WARNING: 1 computed checksum did NOT match
...

Seems to me, as if the f25 builders can't properly grok the new 
sources/sha512sums.


Ralf
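Ralf's failed task ends with sha512sum rejecting the tarball, which is the lookaside check a packager wants to be able to reproduce locally before pushing a build. The block below is an added example, not fedpkg or koji code. It verifies the files named in a package's `sources` file against their digests and accepts two line layouts: the BSD-style `SHA512 (filename) = hex` form, which this example assumes is what the post-flag-day tooling writes (the thread only says the builders rejected the new sha512 sums), and the older `hex  filename` form with the algorithm inferred from the digest length. The tarball contents used in the test are constructed.

```python
import hashlib
import hmac
import re

# BSD-style layout assumed for the new sources file, and the historical
# "<hex>  <filename>" layout. Which one the current tooling writes is an
# assumption of this example, not something the thread states.
BSD_RE = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]+)$")
OLD_RE = re.compile(r"^(?P<hex>[0-9a-fA-F]+)\s+\*?(?P<name>\S.*)$")
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_sources(text):
    """Return {filename: (hashlib algorithm name, expected hex digest)}.

    Any line that cannot be parsed raises: a sources file the tooling cannot
    read must fail closed rather than silently skip an entry.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BSD_RE.match(line)
        if m:
            algo = m.group("algo").lower()
        else:
            m = OLD_RE.match(line)
            if not m:
                raise ValueError(f"sources line {lineno}: unrecognised layout {line!r}")
            algo = ALGO_BY_HEXLEN.get(len(m.group("hex")))
        if algo not in hashlib.algorithms_available:
            raise ValueError(f"sources line {lineno}: unknown digest algorithm")
        if len(m.group("hex")) != 2 * hashlib.new(algo).digest_size:
            raise ValueError(f"sources line {lineno}: digest length does not match {algo}")
        entries[m.group("name")] = (algo, m.group("hex").lower())
    return entries


def verify_sources(text, files):
    """files: {filename: bytes}. True = digest matches, False = mismatch,
    None = listed in sources but not present locally."""
    results = {}
    for name, (algo, expected) in parse_sources(text).items():
        data = files.get(name)
        if data is None:
            results[name] = None
        else:
            actual = hashlib.new(algo, data).hexdigest()
            results[name] = hmac.compare_digest(actual, expected)
    return results


def sources_line(name, data, algo="sha512"):
    """BSD-style line for a newly uploaded tarball (what new-sources records)."""
    return f"{algo.upper()} ({name}) = {hashlib.new(algo, data).hexdigest()}"
```

A `False` for a listed file is exactly the condition the builder reported in the mock log above ("computed checksum did NOT match"); a `None` means the tarball was never fetched. Running this over the checked-out `sources` file and the downloaded tarballs before `fedpkg build` separates a stale local download from a lookaside or format problem on the server side.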


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Paul Howarth

On 2016-12-12 00:34, Dennis Gilmore wrote:

Greetings. 

As previously announced, releng has made a number of changes as part of
its 2016 "flag day". 

All package maintainers will want to make sure they have updated to
the 
following package versions (some may be in testing as of this email):

 python-cccolutils-1.4-1
 fedpkg-1.26-2
 fedora-packager-0.6.0.0-1
 pyrpkg-1.47-3
 koji-1.11.0-1

Please also see the following links for up to date information: 

https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016

The following changes were made:

* koji and the source lookaside were changed to use kerberos
authentication
instead of ssl certificates. All maintainers will need to:

kinit your-fas-accountn...@fedoraaproject.org


There's an extra "A" in there.

Anyway, it's not working for me and it's a different error than others 
are seeing:


$ KRB5_TRACE=/dev/stdout kinit pghm...@fedoraproject.org
[27827] 1481545109.731971: Getting initial credentials for pghm...@fedoraproject.org
[27827] 1481545109.732034: Sending request (198 bytes) to FEDORAPROJECT.ORG
[27827] 1481545109.732115: Resolving hostname id.fedoraproject.org
[27827] 1481545109.822525: TLS certificate name matched "id.fedoraproject.org"
[27827] 1481545109.854766: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[27827] 1481545110.569521: Received answer (192 bytes) from https 2001:4178:2:1269::fed2:443
[27827] 1481545110.569530: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[27827] 1481545110.570113: Response was not from master KDC
[27827] 1481545110.570138: Received error from KDC: -1765328361/Password has expired
[27827] 1481545110.570145: Retrying AS request with master KDC
[27827] 1481545110.570148: Getting initial credentials for pghm...@fedoraproject.org
[27827] 1481545110.570190: Sending request (198 bytes) to FEDORAPROJECT.ORG (master)
[27827] 1481545110.570781: Principal expired; getting changepw ticket
[27827] 1481545110.570788: Getting initial credentials for pghm...@fedoraproject.org
[27827] 1481545110.570807: Setting initial creds service to kadmin/changepw
[27827] 1481545110.570821: Sending request (170 bytes) to FEDORAPROJECT.ORG
[27827] 1481545110.570832: Resolving hostname id.fedoraproject.org
[27827] 1481545110.664742: TLS certificate name matched "id.fedoraproject.org"
[27827] 1481545110.697029: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[27827] 1481545111.424567: Received answer (265 bytes) from https 2001:4178:2:1269::fed2:443
[27827] 1481545111.424576: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[27827] 1481545111.425176: Response was not from master KDC
[27827] 1481545111.425191: Received error from KDC: -1765328359/Additional pre-authentication required
[27827] 1481545111.425237: Processing preauth types: 136, 19, 2, 133
[27827] 1481545111.425240: Selected etype info: etype aes256-cts, salt "-8?z9]S;Kc ?!en@", params ""
[27827] 1481545111.425243: Received cookie: MIT
Password for pghm...@fedoraproject.org:
[27827] 1481545118.11305: AS key obtained for encrypted timestamp: aes256-cts/08C0
[27827] 1481545118.11332: Encrypted timestamp (for 1481545117.893053): plain 301AA011180F32303136313231323132313833375AA10502030DA07D, encrypted E16FD65250AA2EFF0BD08D498BC6BA6B914C548CB3D4CC87581D4DF6BAC457734C5B918FE2ED255C4408112F35118B7752C9A95C3EFBDC70
[27827] 1481545118.11343: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[27827] 1481545118.11345: Produced preauth for next request: 133, 2
[27827] 1481545118.11357: Sending request (265 bytes) to FEDORAPROJECT.ORG
[27827] 1481545118.11380: Resolving hostname id.fedoraproject.org
[27827] 1481545118.103859: TLS certificate name matched "id.fedoraproject.org"
[27827] 1481545118.136932: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[27827] 1481545118.895882: Received answer (748 bytes) from https 2001:4178:2:1269::fed2:443
[27827] 1481545118.895890: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[27827] 1481545118.896445: Response was not from master KDC
[27827] 1481545118.896469: Processing preauth types: 19
[27827] 1481545118.896474: Selected etype info: etype aes256-cts, salt "-8?z9]S;Kc ?!en@", params ""
[27827] 1481545118.896478: Produced preauth for next request: (empty)
[27827] 1481545118.896483: AS key determined by preauth: aes256-cts/08C0
[27827] 1481545118.896501: Decrypted AS reply; session key is: aes256-cts/0DA7
[27827] 1481545118.896507: FAST negotiation: available
[27827] 1481545118.896523: Attempting password change; 3 tries remaining
Password expired.  You must change it now.
Enter new password:
Enter it again:
[27827] 1481545129.754725: Creating authenticator for pghm...@fedoraproject.org -> kadmin/chang...@fedoraproject.org, seqnum 0, subkey aes256-cts/D9E0, session key aes256-cts/0DA7
kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials

$

I tried 
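
A KRB5_TRACE log like the one above is dense, and the facts that matter for debugging are spread over many lines: which transport answered, which realm each request went to, every error the KDC returned, and the final verdict. The block below is an added example, not part of Paul's post and not MIT krb5 code. It reduces such a trace to those facts and decodes the numeric error codes into their RFC 4120 numbers by subtracting ERROR_TABLE_BASE_krb5 (-1765328384), the com_err base MIT krb5 uses for protocol error codes. The sample input is a rejoined subset of the lines Paul posted; the three named error codes are the ones that appear in this thread.

```python
import re

# ERROR_TABLE_BASE_krb5: MIT krb5 adds this com_err base to the protocol
# error numbers from RFC 4120, so code - base recovers the wire error code.
KRB5_ERROR_TABLE_BASE = -1765328384
KDC_ERR_NAMES = {                    # the numbers seen in this thread
    14: "KDC_ERR_ETYPE_NOSUPP",      # "KDC has no support for encryption type"
    23: "KDC_ERR_KEY_EXPIRED",       # "Password has expired"
    25: "KDC_ERR_PREAUTH_REQUIRED",  # "Additional pre-authentication required"
}

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
REQ_RE = re.compile(r"^Sending request \((?P<bytes>\d+) bytes\) to (?P<realm>\S+)(?P<master> \(master\))?$")
KDC_ERR_RE = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)$")
HTTPS_RE = re.compile(r"^Sending HTTPS request to https (?P<addr>\S+)$")

# Rejoined subset of the trace lines from the post above (sample input).
SAMPLE_TRACE = """\
[27827] 1481545109.731971: Getting initial credentials for pghm...@fedoraproject.org
[27827] 1481545109.732034: Sending request (198 bytes) to FEDORAPROJECT.ORG
[27827] 1481545109.822525: TLS certificate name matched "id.fedoraproject.org"
[27827] 1481545109.854766: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[27827] 1481545110.570113: Response was not from master KDC
[27827] 1481545110.570138: Received error from KDC: -1765328361/Password has expired
[27827] 1481545110.570145: Retrying AS request with master KDC
[27827] 1481545110.570190: Sending request (198 bytes) to FEDORAPROJECT.ORG (master)
[27827] 1481545110.570781: Principal expired; getting changepw ticket
[27827] 1481545110.570807: Setting initial creds service to kadmin/changepw
[27827] 1481545110.570821: Sending request (170 bytes) to FEDORAPROJECT.ORG
[27827] 1481545110.697029: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[27827] 1481545111.425191: Received error from KDC: -1765328359/Additional pre-authentication required
[27827] 1481545111.425237: Processing preauth types: 136, 19, 2, 133
[27827] 1481545118.11357: Sending request (265 bytes) to FEDORAPROJECT.ORG
[27827] 1481545118.896507: FAST negotiation: available
[27827] 1481545118.896523: Attempting password change; 3 tries remaining
kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials
"""


def decode_krb5_error(code):
    """Return (RFC 4120 number, name) for a protocol error code, else None."""
    n = code - KRB5_ERROR_TABLE_BASE
    if 0 <= n <= 127:    # MIT reserves the first 128 table slots for protocol codes
        return n, KDC_ERR_NAMES.get(n, f"KRB_ERR_{n}")
    return None


def summarize_trace(text):
    """Reduce a KRB5_TRACE log to the facts needed to debug a failed kinit."""
    summary = {"requests": [], "kdc_errors": [], "transports": [],
               "master_retry": False, "changepw": False, "final": None}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            if raw.startswith("kinit:"):          # the tool's final verdict
                summary["final"] = raw
            continue
        msg = m.group("msg")
        req = REQ_RE.match(msg)
        err = KDC_ERR_RE.match(msg)
        https = HTTPS_RE.match(msg)
        if req:
            summary["requests"].append(
                (req.group("realm"), int(req.group("bytes")), bool(req.group("master"))))
        elif err:
            code = int(err.group("code"))
            summary["kdc_errors"].append((code, decode_krb5_error(code), err.group("text")))
        elif https and https.group("addr") not in summary["transports"]:
            summary["transports"].append(https.group("addr"))
        elif msg == "Retrying AS request with master KDC":
            summary["master_retry"] = True
        elif msg == "Setting initial creds service to kadmin/changepw":
            summary["changepw"] = True
    return summary
```

Read against the full trace: every request went over HTTPS to the KdcProxy endpoint, the AS exchange and pre-authentication succeeded (the AS reply was decrypted), and the failure surfaced only once kinit moved on to the kadmin/changepw service. libkrb5 locates the password-change service through the realm's kpasswd_server or admin_server entries (or DNS SRV records), not through the kdc entry, so that is the configuration to inspect when an AS exchange works but a forced password change ends in "Cannot find KDC".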

Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Ralf Corsepius

On 12/12/2016 01:34 AM, Dennis Gilmore wrote:

Greetings.

As previously announced, releng has made a number of changes as part of
its 2016 "flag day".



https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016


For me, builds now are failing with weird errors:

cf. https://koji.fedoraproject.org/koji/taskinfo?taskID=16851705

Ralf


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Jaroslav Skarvada


- Original Message -
> Mike McLean  wrote:
> 
> > 1) make sure your krb5.conf has:
> > includedir /etc/krb5.conf.d/
> 
> Should there be something in there other than a crypto-policies symlink?
> 
> David

Yes, it's there, I got the ticket OK, it's fedpkg which is failing for
me, the following:

$ koji build --scratch f26 $(fedpkg giturl)

works, but:

$ fedpkg scratch-build

doesn't. I commented to:
https://pagure.io/fedora-infrastructure/issue/5614

Jaroslav


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread Jaroslav Skarvada


- Original Message -
> Hi,
> 
> Jaroslav wrote:
>  > It still doesn't work for me:
>  >
>  > $ fedpkg scratch-build
>  > Could not execute scratch_build: (-1765328370, 'KDC has no support for
>  > encryption
>  > type')
>  >
>  > $ klist
>  > Default principal: jskarvad(a)FEDORAPROJECT.ORG
>  >
>  > Valid starting   Expires  Service principal
>  > 12.12.2016 10:21:53  13.12.2016 10:21:48
>  > krbtgt/FEDORAPROJECT.ORG(a)FEDORAPROJECT.ORG
>  >renew until 19.12.2016 10:21:48
>  >
>  > fedora-cert.noarch 0.6.0.0-1.fc24
>  > fedora-packager.noarch 0.6.0.0-1.fc24
>  > fedpkg.noarch 1.26-2.fc24
>  > koji.noarch 1.11.0-1.fc24
>  > pyrpkg.noarch 1.47-3.fc24
>  > python2-cccolutils.x86_64 1.4-1.fc24
>  >
>  > Not counting that the packages are available only through updates-testing
>  > in f24
> 
> I was getting the same error, I managed to fix it by creating a:
> 
> /etc/krb5.conf.d/redhat_com
> 
> With the following:
> 
> [realms]
>   REDHAT.COM = {
>kdc = $redhat_kdc
>admin_server = $redhat_admin_server
>default_domain = redhat.com
>   }
> 
> [domain_realm]
>   .redhat.com = REDHAT.COM
>   redhat.com = REDHAT.COM
> 
> In there, with $redhat_kdc / $redhat_admin_server replaced with what
> you've for these in your krb5.conf now.
> 
> And then replacing /etc/krb5.conf with the default one from the krb5-libs
> package. After this you will need to redo kinit for both accounts, but then
> it works.
> 
> Regards,
> 
> Hans

Hi Hans,

thanks for info, but it didn't help. Still the same error, even after
removing /etc/krb5.conf.d/redhat_com

Jaroslav


Re: Packagers - Flag day 2016 Important changes

2016-12-12 Thread David Howells
Mike McLean  wrote:

> 1) make sure your krb5.conf has:
> includedir /etc/krb5.conf.d/

Should there be something in there other than a crypto-policies symlink?

David
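Hans's split configuration and David's question about what belongs in /etc/krb5.conf.d come down to two rules of libkrb5's profile handling: which fragment files an `includedir` line pulls in, and how `[domain_realm]` maps a host to a realm (and from there to the `kdc` entries Dave asked for). The block below is an added example, not MIT krb5's profile library. It parses a constructed set of files held in a dictionary that stands in for the filesystem: a stock-style krb5.conf for a placeholder company realm EXAMPLE.COM, a fedoraproject_org fragment modelled on the one fedora-packager installs (its exact values are an assumption here), a crypto-policies fragment, and a stray .rpmnew file that the name filter must skip. It then answers the questions from the thread against that tree.

```python
import re

# Constructed stock-style krb5.conf (EXAMPLE.COM stands in for a company realm);
# everything Fedora-specific lives in a fragment, as Hans described above.
MAIN_CONF = """\
includedir /etc/krb5.conf.d/

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

# Modelled on the fragment fedora-packager installs; the exact values are assumed.
FEDORA_FRAGMENT = """\
[realms]
    FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
    }

[domain_realm]
    .fedoraproject.org = FEDORAPROJECT.ORG
    fedoraproject.org = FEDORAPROJECT.ORG
"""

# Stand-in for the filesystem (constructed): path -> file contents.
CONSTRUCTED_FILES = {
    "/etc/krb5.conf": MAIN_CONF,
    "/etc/krb5.conf.d/fedoraproject_org": FEDORA_FRAGMENT,
    "/etc/krb5.conf.d/crypto-policies": "[libdefaults]\n    permitted_enctypes = aes256-cts-hmac-sha1-96\n",
    "/etc/krb5.conf.d/fedoraproject_org.rpmnew": "[realms]\n    STALE.EXAMPLE = {\n        kdc = nowhere.example\n    }\n",
}

# includedir reads only files named with alphanumerics, dashes and underscores
# (newer krb5 also accepts a .conf suffix); foo.rpmnew or an editor backup is skipped.
FRAGMENT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+(\.conf)?$")


def parse_profile_text(text, files, profile):
    """Merge one file's sections into profile; { } groups nest as dicts."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("includedir "):
            load_dir(line.split(None, 1)[1], files, profile)
        elif line.startswith("[") and line.endswith("]"):
            stack = [profile.setdefault(line[1:-1], {})]
        elif not stack:
            raise ValueError(f"entry outside any section: {line!r}")
        elif line == "}":
            stack.pop()
        else:
            key, sep, value = (s.strip() for s in line.partition("="))
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:                      # repeated keys (several kdc lines) become a list
                old = stack[-1].get(key)
                stack[-1][key] = value if old is None else (old + [value] if isinstance(old, list) else [old, value])


def load_dir(directory, files, profile):
    """Include every eligible fragment under directory, in sorted name order."""
    prefix = directory.rstrip("/") + "/"
    for path in sorted(files):
        name = path[len(prefix):]
        if path.startswith(prefix) and "/" not in name and FRAGMENT_NAME_RE.match(name):
            parse_profile_text(files[path], files, profile)


def load_profile(path, files=CONSTRUCTED_FILES):
    """Parse krb5.conf plus its includedir fragments into {section: {...}}."""
    profile = {}
    parse_profile_text(files[path], files, profile)
    return profile


def realm_for_host(profile, host):
    """[domain_realm] lookup: the exact host first, then each dotted parent domain."""
    mapping = profile.get("domain_realm", {})
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return profile.get("libdefaults", {}).get("default_realm")


def kdcs_for_realm(profile, realm):
    """Configured KDCs; an empty list means krb5 would fall back to DNS SRV records."""
    kdc = profile.get("realms", {}).get(realm, {}).get("kdc")
    return [] if kdc is None else (kdc if isinstance(kdc, list) else [kdc])


def demo():
    """Load the constructed tree and answer the questions raised in the thread."""
    profile = load_profile("/etc/krb5.conf")
    return {
        "koji_realm": realm_for_host(profile, "koji.fedoraproject.org"),
        "fedora_kdcs": kdcs_for_realm(profile, "FEDORAPROJECT.ORG"),
        "work_realm": realm_for_host(profile, "MAIL.example.com"),
        "unknown_realm": realm_for_host(profile, "host.other.test"),
        "rpmnew_skipped": "STALE.EXAMPLE" not in profile.get("realms", {}),
        "enctypes": profile["libdefaults"].get("permitted_enctypes"),
    }
```

The name filter is the answer to David's question: a crypto-policies symlink and any realm fragments are read, while a leftover `fedoraproject_org.rpmnew` or `redhat_com~` is ignored, which is easy to mistake for a broken configuration. Against the real files, `KRB5_TRACE=/dev/stderr kinit` shows which KDC address was actually resolved and confirms the same mapping.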