#5612 401 Unauthorized when upload to stg lookaside
Closed: Fixed 2 years ago Opened 2 years ago by cqi.

I tested fedpkg-stage in a Fedora 25 docker container, and only initialized my credential.

[root@b286074d97b0 fedpkg]# fedpkg-stage new-sources fedpkg-1.25.tar.bz2
Could not execute new_sources: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
[root@b286074d97b0 fedpkg]# kinit cqi@FEDORAPROJECT.ORG
Password for cqi@FEDORAPROJECT.ORG: 
[root@b286074d97b0 fedpkg]# klist -l
Principal name                 Cache name
--------------                 ----------
cqi@FEDORAPROJECT.ORG          FILE:/tmp/krb5cc_0
[root@b286074d97b0 fedpkg]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cqi@FEDORAPROJECT.ORG

Valid starting     Expires            Service principal
12/12/16 01:34:38  12/13/16 01:34:32  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
        renew until 12/19/16 01:34:32

For stg you want to kinit cqi@STG.FEDORAPROJECT.ORG

if you do that does it work?

Ah, I should use this realm. Now, I get

[root@b286074d97b0 fedpkg]# kinit cqi@STG.FEDORAPROJECT.ORG
kinit: Client 'cqi@STG.FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials

For that, you need to login to staging fas so it syncs you to ipa.

Go to https://admin.stg.fedoraproject.org/accounts and login, then wait a minute and try kinit again.

Hi @kevin

It's been a while. Still doesn't work. I'm using the configuration in my /etc/krb5.conf.

https://pagure.io/fedora-packager/blob/master/f/krb-configs/stg_fedoraproject_org

Hope this could be helpful

[root@b286074d97b0 fedpkg]# KRB5_TRACE=/dev/stdout kinit cqi@STG.FEDORAPROJECT.ORG
[16070] 1481510956.532808: Getting initial credentials for cqi@STG.FEDORAPROJECT.ORG
[16070] 1481510956.532928: Sending request (202 bytes) to STG.FEDORAPROJECT.ORG
[16070] 1481510956.533092: Resolving hostname id.stg.fedoraproject.org
[16070] 1481510957.94316: TLS certificate name matched "id.stg.fedoraproject.org"
[16070] 1481510957.378332: Sending HTTPS request to https 209.132.181.5:443
[16070] 1481510957.690963: Received answer (198 bytes) from https 209.132.181.5:443
[16070] 1481510957.690982: Terminating TCP connection to https 209.132.181.5:443
[16070] 1481510957.692242: Response was not from master KDC
[16070] 1481510957.692282: Received error from KDC: -1765328378/Client not found in Kerberos database
[16070] 1481510957.692318: Retrying AS request with master KDC
[16070] 1481510957.692325: Getting initial credentials for cqi@STG.FEDORAPROJECT.ORG
[16070] 1481510957.692382: Sending request (202 bytes) to STG.FEDORAPROJECT.ORG (master)
kinit: Client 'cqi@STG.FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials

@puiterwijk

It works now. However, 500 happens.

[root@b286074d97b0 fedpkg]# fedpkg-stage -d -v new-sources fedpkg-1.25.tar.bz2
Creating repo object from /root/fedpkg
Uploading: fedpkg-1.25.tar.bz2
######################################################################## 100.0%
Status: 500 Internal Server Error
Content-type: text/plain

[Errno 30] Read-only file system: '/srv/cache/lookaside/pkgs/fedpkg/tmpC06bkH07ed753f5af7138549d7dfb620451dac3265ccb1089c1a7455825b1298f2a3c84327ed17e18b621006d8078188fb508857ea2cef31b18f68143ac4a2d44a488d'
Source upload succeeded. Don't forget to commit the sources file

Right, that's a quirk of the staging environment at this moment, since it's being used by the modularity people.
However, the fact that you got that, means that the upload itself would have succeeded.
So it depends on what you want to test, but it might be that it already worked.

Yeah, we would need to talk to the modularity folks about switching that if needed.

:crocodile:

@kevin changed the status to Closed

2 years ago

Login to comment on this ticket.

Metadata