My attempt to log in to koji fails as follows.
$ kinit nhosoi@FEDORAPROJECT.ORG
$ klist -A
Ticket cache: KCM:1000
Default principal: nhosoi@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
09/19/2021 14:07:12  09/20/2021 14:06:59  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
$ koji hello
[179880] 1632085694.164004: ccselect module realm chose cache KCM:1000 with client principal nhosoi@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG
[179880] 1632085694.164005: Getting credentials nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG using ccache KCM:1000
[179880] 1632085694.164006: Retrieving nhosoi@FEDORAPROJECT.ORG -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1000 with result: -1765328243/Matching credential not found
[179880] 1632085694.164007: Retrieving nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG from KCM:1000 with result: -1765328243/Matching credential not found
[179880] 1632085694.164008: Retrieving nhosoi@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from KCM:1000 with result: 0/Success
[179880] 1632085694.164009: Starting with TGT for client realm: nhosoi@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[179880] 1632085694.164010: Requesting tickets for HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[179880] 1632085694.164011: Generated subkey for TGS request: aes256-cts/5C54
[179880] 1632085694.164012: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-sha2, aes128-cts, camellia128-cts
[179880] 1632085694.164014: Encoding request body and padata into FAST request
[179880] 1632085694.164015: Sending request (985 bytes) to FEDORAPROJECT.ORG
[179880] 1632085694.164016: Resolving hostname id.fedoraproject.org
[179880] 1632085694.164017: TLS certificate name matched "id.fedoraproject.org"
[179880] 1632085694.164018: Sending HTTPS request to https 152.19.134.142:443
[179880] 1632085695.203343: Received answer (479 bytes) from https 152.19.134.142:443
[179880] 1632085695.203344: Terminating TCP connection to https 152.19.134.142:443
[179880] 1632085695.203345: Response was not from primary KDC
[179880] 1632085695.203346: Decoding FAST response
[179880] 1632085695.203347: TGS request result: -1765328377/Server HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[179880] 1632085695.203348: Requesting tickets for HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[179880] 1632085695.203349: Generated subkey for TGS request: aes256-cts/D2E3
[179880] 1632085695.203350: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-sha2, aes128-cts, camellia128-cts
[179880] 1632085695.203352: Encoding request body and padata into FAST request
[179880] 1632085695.203353: Sending request (985 bytes) to FEDORAPROJECT.ORG
[179880] 1632085695.203354: Resolving hostname id.fedoraproject.org
[179880] 1632085695.203355: TLS certificate name matched "id.fedoraproject.org"
[179880] 1632085695.203356: Sending HTTPS request to https 152.19.134.142:443
[179880] 1632085695.203357: Received answer (479 bytes) from https 152.19.134.142:443
[179880] 1632085695.203358: Terminating TCP connection to https 152.19.134.142:443
[179880] 1632085695.203359: Response was not from primary KDC
[179880] 1632085695.203360: Decoding FAST response
[179880] 1632085695.203361: TGS request result: -1765328377/Server HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[179880] 1632085696.004812: ccselect module realm chose cache KCM:1000 with client principal nhosoi@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG
[179880] 1632085696.004813: Getting credentials nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG using ccache KCM:1000
[179880] 1632085696.004814: Retrieving nhosoi@FEDORAPROJECT.ORG -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1000 with result: -1765328243/Matching credential not found
[179880] 1632085696.004815: Retrieving nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG from KCM:1000 with result: -1765328243/Matching credential not found
[179880] 1632085696.004816: Retrieving nhosoi@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from KCM:1000 with result: 0/Success
[179880] 1632085696.004817: Starting with TGT for client realm: nhosoi@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[179880] 1632085696.004818: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[179880] 1632085696.004819: Generated subkey for TGS request: aes256-cts/343E
[179880] 1632085696.004820: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-sha2, aes128-cts, camellia128-cts
[179880] 1632085696.004822: Encoding request body and padata into FAST request
[179880] 1632085696.004823: Sending request (984 bytes) to FEDORAPROJECT.ORG
[179880] 1632085696.004824: Resolving hostname id.fedoraproject.org
[179880] 1632085696.004825: TLS certificate name matched "id.fedoraproject.org"
[179880] 1632085696.004826: Sending HTTPS request to https 140.211.169.196:443
[179880] 1632085696.004827: Received answer (479 bytes) from https 140.211.169.196:443
[179880] 1632085696.004828: Terminating TCP connection to https 140.211.169.196:443
[179880] 1632085696.004829: Response was not from primary KDC
[179880] 1632085696.004830: Decoding FAST response
[179880] 1632085696.004831: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[179880] 1632085696.004832: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[179880] 1632085696.004833: Generated subkey for TGS request: aes256-cts/4D07
[179880] 1632085696.004834: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-sha2, aes128-cts, camellia128-cts
[179880] 1632085696.004836: Encoding request body and padata into FAST request
[179880] 1632085696.004837: Sending request (984 bytes) to FEDORAPROJECT.ORG
[179880] 1632085696.004838: Resolving hostname id.fedoraproject.org
[179880] 1632085697.638624: TLS certificate name matched "id.fedoraproject.org"
[179880] 1632085697.638625: Sending HTTPS request to https 140.211.169.196:443
[179880] 1632085698.047384: Received answer (479 bytes) from https 140.211.169.196:443
[179880] 1632085698.047385: Terminating TCP connection to https 140.211.169.196:443
[179880] 1632085698.047386: Response was not from primary KDC
[179880] 1632085698.047387: Decoding FAST response
[179880] 1632085698.047388: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
2021-09-19 14:08:18,089 [ERROR] koji: (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin)
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
2021-09-19 14:08:18,093 [ERROR] koji: GSSAPIAuthError: unable to obtain a session (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin)
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
Please note that I don't set rdns in my krb5.conf:
$ grep rdns /etc/krb5.conf /etc/krb5.conf.d/*
$
It used to work before, a couple of months ago, but it does not any more...
Actually, ASAP. I need to log in to koji to debug the linux-system-roles spec file...
Thanks for your help, in advance!
Please do try setting:
rdns = false
under [libdefaults] in /etc/krb5.conf
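
Added example, not part of the thread or of koji: a short Python script that reads a krb5 trace like the one in the report, lists the service principals the KDC reported as not found, and compares their host with the host in the failing URL. With rdns enabled (the MIT krb5 default) the client can build the service principal from the reverse-DNS name of the server's address instead of the name in the URL, which is the mismatch visible in this trace; `unknown_spns` and `diagnose` are hypothetical helper names.

```python
import re
from urllib.parse import urlparse

# Lines excerpted from the trace and the koji error in the report above.
SAMPLE = """\
[179880] 1632085694.164010: Requesting tickets for HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[179880] 1632085695.203347: TGS request result: -1765328377/Server HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[179880] 1632085696.004818: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[179880] 1632085696.004831: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
2021-09-19 14:08:18,089 [ERROR] koji: (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin)
"""

# MIT krb5 code for KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, as printed in the trace.
S_PRINCIPAL_UNKNOWN = -1765328377
TGS_RESULT = re.compile(
    r"TGS request result: (-?\d+)/Server (\S+?)/(\S+?)@(\S+) not found")
FAILED_URL = re.compile(r"for url: (https?://[^\s)]+)")


def unknown_spns(trace):
    """Service principals the KDC rejected as unknown, deduplicated in order."""
    seen = []
    for code, service, host, realm in TGS_RESULT.findall(trace):
        spn = (service, host, realm)
        if int(code) == S_PRINCIPAL_UNKNOWN and spn not in seen:
            seen.append(spn)
    return seen


def diagnose(trace):
    """Pair each rejected SPN with the host taken from the failing URL."""
    urls = FAILED_URL.findall(trace)
    url_host = urlparse(urls[0]).hostname if urls else None
    return [
        {"spn": f"{service}/{host}@{realm}",
         "url_host": url_host,
         # A mismatch means the SPN was not built from the host in the URL.
         "host_mismatch": url_host is not None and host.lower() != url_host}
        for service, host, realm in unknown_spns(trace)
    ]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

A `host_mismatch` of true on every rejected principal points at hostname canonicalization on the client, not at a missing ticket-granting ticket.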
Thank you, @kevin. It worked! I could run fedpkg scratch build.
Now, I'm running the centos scratch build and getting a similar auth failure. Do you have any idea what is wrong?
$ centpkg build --scratch --srpm linux-system-roles-1.8.3-2.el9.src.rpm
<<snip>>
[183327] 1632101092.054486: TLS certificate name matched "id.fedoraproject.org"
[183327] 1632101092.054487: Sending HTTPS request to https 152.19.134.198:443
[183327] 1632101093.050365: Received answer (461 bytes) from https 152.19.134.198:443
[183327] 1632101093.050366: Terminating TCP connection to https 152.19.134.198:443
[183327] 1632101093.050367: Response was not from primary KDC
[183327] 1632101093.050368: Decoding FAST response
[183327] 1632101093.050369: TGS request result: -1765328377/Server HTTP/lbs.stream.centos.org@FEDORAPROJECT.ORG not found in Kerberos database
(gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://kojihub.stream.centos.org/kojihub/ssllogin)
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
Kerberos authentication fails: unable to obtain a session (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://kojihub.stream.centos.org/kojihub/ssllogin)
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
Could not execute build: Could not login to https://kojihub.stream.centos.org/kojihub
Unfortunately you cannot build against Stream with a Fedora project login. You will need to contact the internal Stream team directly for permissions to build.
Metadata Update from @mobrien: - Issue close_status updated to: Invalid - Issue status updated to: Closed (was: Open)