#5637 can't kinit (can't upload new sources)
Closed: Fixed 7 years ago Opened 7 years ago by kvolny.

Hi.
While trying to update game-music-emu to fix a security issue, I have found that I cannot upload the sources via fedpkg new-sources.
That led me to bug #1404194 which in turn led me to using Kerberos, although I wasn't aware lookaside should be affected (so far I've heard just about Koji, but that's not that important ...)
But it doesn't work for me ...

[kvolny@kvolny game-music-emu]$ kinit kvolny@FEDORAPROJECT.ORG
Password for kvolny@FEDORAPROJECT.ORG:
Password expired. You must change it now.
Enter new password:
Enter it again:
kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials

There doesn't seem to be any problem with package versions (I have updates from F25 testing), I can log in to FAS without any problems (as this ticket proves - I got authorized to be able to write it), and the Kerberos test reports all ok:

[kvolny@kvolny KrbDebug]$ ./KrbDebug
test_01_installed (main.TestKerberos) ... ok
test_02_using_collection (main.TestKerberos) ... ok
test_03_configuration (main.TestKerberos) ... ok
test_04_kinit (main.TestKerberos) ... ok


Ran 4 tests in 1.249s

OK


Just to be sure, in your kinit kvolny @FEDORAPROJECT.ORG, there was no space between the username and @FEDORAPROJECT.ORG, right?

Another thing to try: Try changing your password in FAS, then wait for a few minutes and re-try the kinit.

I don't know how the space got there, but there was none on the command line - it would lead to another error - Extra arguments (starting with "@FEDORAPROJECT.ORG").

Logging in to FAS, I don't get a password change request, but I'll try to renew it anyway ...

ok, this helped

pls, could you try to debug/fix
1) why the password was considered expired while trying kinit, while the web interface accepted it without any problem and didn't report it as expired?
2) why updating the password when trying kinit did not work?
3) why I got "Cannot find KDC" instead of some meaningful error message about the problem with password?

Hi, I can give all those answers.

  1. Because during the initial syncs to IPA for kerberos, we had password expiration on. That has been fixed now, and I have just fixed all other accounts.
  2. Because we disabled changing password via the Kerberos interface because it doesn't sync back to FAS.
  3. Because kinit is trying to contact the kerberos admin server, which we do not have available for users.

So this is all according to goals, except the fact that your password got expired, and I've just fixed that for all other users in the system.

@kvolny so it's all working for you now?

Should we close this ticket?

yes, it works, and given the answers above I guess this can be closed, thanks

@pingou changed the status to Closed

7 years ago
