#10225 Can't login to koji with kerberos ticket
Closed: Invalid 2 years ago by mobrien. Opened 2 years ago by nhosoi.

Problem Description


My attempt to log in to koji fails as follows.

$ kinit nhosoi@FEDORAPROJECT.ORG
$ klist -A
Ticket cache: KCM:1000
Default principal: nhosoi@FEDORAPROJECT.ORG
Valid starting       Expires              Service principal
09/19/2021 14:07:12  09/20/2021 14:06:59  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
$ koji hello
[179880] 1632085694.164004: ccselect module realm chose cache KCM:1000 with client principal nhosoi@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG
[179880] 1632085694.164005: Getting credentials nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG using ccache KCM:1000
[179880] 1632085694.164006: Retrieving nhosoi@FEDORAPROJECT.ORG -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1000 with result: -1765328243/Matching credential not found
[179880] 1632085694.164007: Retrieving nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG from KCM:1000 with result: -1765328243/Matching credential not found
[179880] 1632085694.164008: Retrieving nhosoi@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from KCM:1000 with result: 0/Success
[179880] 1632085694.164009: Starting with TGT for client realm: nhosoi@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[179880] 1632085694.164010: Requesting tickets for HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[179880] 1632085694.164011: Generated subkey for TGS request: aes256-cts/5C54
[179880] 1632085694.164012: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-sha2, aes128-cts, camellia128-cts
[179880] 1632085694.164014: Encoding request body and padata into FAST request
[179880] 1632085694.164015: Sending request (985 bytes) to FEDORAPROJECT.ORG
[179880] 1632085694.164016: Resolving hostname id.fedoraproject.org
[179880] 1632085694.164017: TLS certificate name matched "id.fedoraproject.org"
[179880] 1632085694.164018: Sending HTTPS request to https 152.19.134.142:443
[179880] 1632085695.203343: Received answer (479 bytes) from https 152.19.134.142:443
[179880] 1632085695.203344: Terminating TCP connection to https 152.19.134.142:443
[179880] 1632085695.203345: Response was not from primary KDC
[179880] 1632085695.203346: Decoding FAST response
[179880] 1632085695.203347: TGS request result: -1765328377/Server HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[179880] 1632085695.203348: Requesting tickets for HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[179880] 1632085695.203349: Generated subkey for TGS request: aes256-cts/D2E3
[179880] 1632085695.203350: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-sha2, aes128-cts, camellia128-cts
[179880] 1632085695.203352: Encoding request body and padata into FAST request
[179880] 1632085695.203353: Sending request (985 bytes) to FEDORAPROJECT.ORG
[179880] 1632085695.203354: Resolving hostname id.fedoraproject.org
[179880] 1632085695.203355: TLS certificate name matched "id.fedoraproject.org"
[179880] 1632085695.203356: Sending HTTPS request to https 152.19.134.142:443
[179880] 1632085695.203357: Received answer (479 bytes) from https 152.19.134.142:443
[179880] 1632085695.203358: Terminating TCP connection to https 152.19.134.142:443
[179880] 1632085695.203359: Response was not from primary KDC
[179880] 1632085695.203360: Decoding FAST response
[179880] 1632085695.203361: TGS request result: -1765328377/Server HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[179880] 1632085696.004812: ccselect module realm chose cache KCM:1000 with client principal nhosoi@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG
[179880] 1632085696.004813: Getting credentials nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG using ccache KCM:1000
[179880] 1632085696.004814: Retrieving nhosoi@FEDORAPROJECT.ORG -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1000 with result: -1765328243/Matching credential not found
[179880] 1632085696.004815: Retrieving nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG from KCM:1000 with result: -1765328243/Matching credential not found
[179880] 1632085696.004816: Retrieving nhosoi@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from KCM:1000 with result: 0/Success
[179880] 1632085696.004817: Starting with TGT for client realm: nhosoi@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[179880] 1632085696.004818: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[179880] 1632085696.004819: Generated subkey for TGS request: aes256-cts/343E
[179880] 1632085696.004820: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-sha2, aes128-cts, camellia128-cts
[179880] 1632085696.004822: Encoding request body and padata into FAST request
[179880] 1632085696.004823: Sending request (984 bytes) to FEDORAPROJECT.ORG
[179880] 1632085696.004824: Resolving hostname id.fedoraproject.org
[179880] 1632085696.004825: TLS certificate name matched "id.fedoraproject.org"
[179880] 1632085696.004826: Sending HTTPS request to https 140.211.169.196:443
[179880] 1632085696.004827: Received answer (479 bytes) from https 140.211.169.196:443
[179880] 1632085696.004828: Terminating TCP connection to https 140.211.169.196:443
[179880] 1632085696.004829: Response was not from primary KDC
[179880] 1632085696.004830: Decoding FAST response
[179880] 1632085696.004831: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[179880] 1632085696.004832: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[179880] 1632085696.004833: Generated subkey for TGS request: aes256-cts/4D07
[179880] 1632085696.004834: etypes requested in TGS request: aes256-cts, aes256-sha2, camellia256-cts, aes128-sha2, aes128-cts, camellia128-cts
[179880] 1632085696.004836: Encoding request body and padata into FAST request
[179880] 1632085696.004837: Sending request (984 bytes) to FEDORAPROJECT.ORG
[179880] 1632085696.004838: Resolving hostname id.fedoraproject.org
[179880] 1632085697.638624: TLS certificate name matched "id.fedoraproject.org"
[179880] 1632085697.638625: Sending HTTPS request to https 140.211.169.196:443
[179880] 1632085698.047384: Received answer (479 bytes) from https 140.211.169.196:443
[179880] 1632085698.047385: Terminating TCP connection to https 140.211.169.196:443
[179880] 1632085698.047386: Response was not from primary KDC
[179880] 1632085698.047387: Decoding FAST response
[179880] 1632085698.047388: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
2021-09-19 14:08:18,089 [ERROR] koji: (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin)
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
2021-09-19 14:08:18,093 [ERROR] koji: GSSAPIAuthError: unable to obtain a session (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin)
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/

Please note that I don't set rdns in my krb5.conf:

$ grep rdns /etc/krb5.conf /etc/krb5.conf.d/*
$

It used to work before, a couple of months ago, but it does not any more...

When do you need this to be done by?


Actually, ASAP. I need to log in to koji to debug linux-system-roles spec file...

Thanks for your help, in advance!


Please do try setting:

rdns = false

under [libdefaults] in /etc/krb5.conf
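
An added example (not part of the ticket and not koji's own code): a small Python check that reads KRB5_TRACE output and reports service principals the KDC rejected whose host differs from the host in the URL being contacted. That is the pattern in the trace above, and it is what MIT krb5 produces when it canonicalizes the hostname through reverse DNS (rdns defaults to true). The function name `diagnose` and the result keys are assumptions made for this example; the sample lines are abridged from the trace in the ticket.

```python
import re
from urllib.parse import urlparse

# Sample input: lines abridged from the KRB5_TRACE output quoted in the ticket.
SAMPLE_TRACE = """\
[179880] 1632085694.164005: Getting credentials nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG using ccache KCM:1000
[179880] 1632085695.203347: TGS request result: -1765328377/Server HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[179880] 1632085696.004813: Getting credentials nhosoi@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG using ccache KCM:1000
[179880] 1632085696.004831: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
"""
# URL taken from the koji error message in the ticket.
SAMPLE_URL = "https://koji.fedoraproject.org/kojihub/ssllogin"

# "Getting credentials <client> -> <service>/<host>@<realm> using ccache ..."
REQUESTED = re.compile(r"Getting credentials \S+ -> (\S+?)/([^@\s]+)@(\S+) using ccache")
# "TGS request result: <code>/Server <principal> not found in Kerberos database"
NOT_FOUND = re.compile(r"TGS request result: -?\d+/Server (\S+) not found in Kerberos database")

def diagnose(trace, url):
    """Return one finding per distinct service principal the KDC rejected."""
    url_host = urlparse(url).hostname.lower()
    requested = {}   # full principal -> host component the client asked for
    rejected = []    # rejected principals, in first-seen order
    for line in trace.splitlines():
        m = REQUESTED.search(line)
        if m:
            svc, host, realm = m.groups()
            requested[f"{svc}/{host}@{realm}"] = host.lower()
            continue
        m = NOT_FOUND.search(line)
        if m and m.group(1) not in rejected:
            rejected.append(m.group(1))
    findings = []
    for principal in rejected:
        host = requested.get(principal)
        findings.append({
            "principal": principal,
            "url_host": url_host,
            "principal_host": host,
            # True when the client asked for a ticket for a different host
            # than the one in the URL (hostname was canonicalized).
            "host_rewritten": host is not None and host != url_host,
        })
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_TRACE, SAMPLE_URL):
        hint = ("hostname was rewritten; check rdns under [libdefaults]"
                if f["host_rewritten"] else "principal may be missing in the KDC")
        print(f"{f['principal']}: {hint}")
```
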

Thank you, @kevin. It worked! I could run fedpkg scratch build.

Now, I'm running the centos scratch build and getting a similar auth failure. Do you have any idea what is wrong?

$ centpkg build --scratch --srpm linux-system-roles-1.8.3-2.el9.src.rpm
<<snip>>
[183327] 1632101092.054486: TLS certificate name matched "id.fedoraproject.org"
[183327] 1632101092.054487: Sending HTTPS request to https 152.19.134.198:443
[183327] 1632101093.050365: Received answer (461 bytes) from https 152.19.134.198:443
[183327] 1632101093.050366: Terminating TCP connection to https 152.19.134.198:443
[183327] 1632101093.050367: Response was not from primary KDC
[183327] 1632101093.050368: Decoding FAST response
[183327] 1632101093.050369: TGS request result: -1765328377/Server HTTP/lbs.stream.centos.org@FEDORAPROJECT.ORG not found in Kerberos database
(gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://kojihub.stream.centos.org/kojihub/ssllogin)
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
Kerberos authentication fails: unable to obtain a session (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://kojihub.stream.centos.org/kojihub/ssllogin)
Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/
Could not execute build: Could not login to https://kojihub.stream.centos.org/kojihub

Unfortunately you cannot build against Stream with a Fedora project login. You will need to contact the internal Stream team directly for permissions to build.

Metadata Update from @mobrien:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

2 years ago
