I run fedpkg --release f30 build --nowait --scratch --srpm
fedpkg --release f30 build --nowait --scratch --srpm
and i get:
Kerberos authentication fails: unable to obtain a session Could not execute build: Could not login to https://koji.fedoraproject.org/kojihub
So I kinit, it works. After 1 minute it doesn't work again. I just needed to kinit 10 times in 15 minutes.
I've seen several similar issues reported recently in various places, usually closed because kinit helps. However I expected I should kinit onece a day, not once a minute. How do i debug this?
I wonder if this could be related to the DB issues we're seeing
It seems we should be recovering at the DB level, could you see if that changes anything for you?
Monitoring the kinit need. So far so good.
Took 10 minutes and again:
After 30 minutes, again.
Funny enough:
[bodhi (master %)]$ git pull && fedpkg build --nowait From ssh://pkgs.fedoraproject.org/rpms/bodhi 38b20cc..294ebf7 master -> origin/master Updating 38b20cc..294ebf7 Fast-forward bodhi.spec | 90 ++++++++++++------------------------------------------------------------------------------ 1 file changed, 12 insertions(+), 78 deletions(-) Found a gating.yaml file in the repo and it is properly configured Kerberos authentication fails: unable to obtain a session Could not execute build: Could not login to https://koji.fedoraproject.org/kojihub [bodhi (master %)]$ fedpkg build --nowait Found a gating.yaml file in the repo and it is properly configured Building bodhi-3.12.0-101.fc30 for rawhide Created task: 32026227 Task info: https://koji.fedoraproject.org/koji/taskinfo?taskID=32026227
There was no kinit in between, I've just tried again.
Can you try now?
It seems like it's a bug in f29 httpd where it gets into some kind of odd state and restarting it clears it up.
I'll report any odd behavior. However I'm not expecting any heavy fedpkg / Koji usage today.
So far so good. Thanks. Will reopen if anything goes south.
Metadata Update from @churchyard: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
I'm having the same issue now:
[pbrezina ~/workspace/packages/fedora/authselect (f29 %)]$ fedpkg -d -v scratch-build --srpm authselect-1.0.3-1.fc29.src.rpm Initiating a koji session to https://koji.fedoraproject.org/kojihub Logging into https://koji.fedoraproject.org/kojihub with Kerberos authentication. Kerberos authentication fails: unable to obtain a session Logout kojisession Could not execute scratch_build: Could not login to https://koji.fedoraproject.org/kojihub Traceback (most recent call last): File "/usr/bin/fedpkg", line 11, in <module> load_entry_point('fedpkg==1.36', 'console_scripts', 'fedpkg')() File "/usr/lib/python3.7/site-packages/fedpkg/__main__.py", line 86, in main sys.exit(client.args.command()) File "/usr/lib/python3.7/site-packages/pyrpkg/cli.py", line 2282, in scratch_build return self.build() File "/usr/lib/python3.7/site-packages/pyrpkg/cli.py", line 1611, in build task_id = self._build(sets=sets) File "/usr/lib/python3.7/site-packages/fedpkg/cli.py", line 1101, in _build return super(fedpkgClient, self)._build(sets) File "/usr/lib/python3.7/site-packages/pyrpkg/cli.py", line 1657, in _build url = self._handle_srpm_option() File "/usr/lib/python3.7/site-packages/pyrpkg/cli.py", line 1539, in _handle_srpm_option return self._upload_srpm_for_build() File "/usr/lib/python3.7/site-packages/pyrpkg/cli.py", line 1519, in _upload_srpm_for_build self.cmd.koji_upload(self.args.srpm, uniquepath, callback=callback) File "/usr/lib/python3.7/site-packages/pyrpkg/__init__.py", line 2419, in koji_upload if not self.kojisession: File "/usr/lib/python3.7/site-packages/pyrpkg/__init__.py", line 255, in kojisession self.load_kojisession() File "/usr/lib/python3.7/site-packages/pyrpkg/__init__.py", line 412, in load_kojisession self.login_koji_session(koji_config, self._kojisession) File "/usr/lib/python3.7/site-packages/pyrpkg/__init__.py", line 382, in login_koji_session raise rpkgError('Could not login to %s' % koji_config['server']) pyrpkg.errors.rpkgError: Could not login to https://koji.fedoraproject.org/kojihub
I was able to issue the scratch build twice in the morning, but does not work anymore.
@pbrezina Could you provide the output of klist -A please? It is very possible that your kerberos ticket has expired and you need to re-kinit, and there's some known bugs where the refreshed tickets don't get stored until you run a full kdestroy -A.
klist -A
kdestroy -A
kdestroy -A did not help
[pbrezina ~/workspace/packages/fedora/authselect (f30 %)]$ kinit pbrezina@FEDORAPROJECT.ORG Password for pbrezina@FEDORAPROJECT.ORG: [pbrezina ~/workspace/packages/fedora/authselect (f30 %)]$ fedpkg scratch-build --srpm authselect-1.0.3-1.fc30.src.rpm Kerberos authentication fails: unable to obtain a session Could not execute scratch_build: Could not login to https://koji.fedoraproject.org/kojihub [pbrezina ~/workspace/packages/fedora/authselect (f30 %)]$ klist -A Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: pbrezina@FEDORAPROJECT.ORG Valid starting Expires Service principal 02/26/2019 15:05:02 02/27/2019 15:05:00 krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG renew until 03/05/2019 15:05:00 02/26/2019 15:05:06 02/27/2019 15:05:00 HTTP/proxy01.fedoraproject.org@ renew until 03/05/2019 15:05:00 02/26/2019 15:05:06 02/27/2019 15:05:00 HTTP/proxy01.fedoraproject.org@FEDORAPROJECT.ORG renew until 03/05/2019 15:05:00 [pbrezina ~/workspace/packages/fedora/authselect (f30 %)]$ kdestroy -A [pbrezina ~/workspace/packages/fedora/authselect (f30 %)]$ kinit pbrezina@FEDORAPROJECT.ORG Password for pbrezina@FEDORAPROJECT.ORG: [pbrezina ~/workspace/packages/fedora/authselect (f30 %)]$ klist -A Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: pbrezina@FEDORAPROJECT.ORG Valid starting Expires Service principal 02/26/2019 15:05:37 02/27/2019 15:05:35 krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG renew until 03/05/2019 15:05:35 [pbrezina ~/workspace/packages/fedora/authselect (f30 %)]$ fedpkg scratch-build --srpm authselect-1.0.3-1.fc30.src.rpm Kerberos authentication fails: unable to obtain a session Could not execute scratch_build: Could not login to https://koji.fedoraproject.org/kojihub [pbrezina ~/workspace/packages/fedora/authselect (f30 %)]$
The problem still persists. I cannot create a build nor scratch build in koji.
So, based on what I see from your klist -A output, you don't have rdns = false in /etc/krb5.conf. For Fedora services, you need the default (which is rdns = false) in there, under [libdefaults].
rdns = false
/etc/krb5.conf
[libdefaults]
Thank you, this seems to help. However, man krb5.conf says that default is true (*) and I've been using fedpkg for a long time with the same Kerberos settings and I never had this issue before. Did anything change?
*rdns If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. If dns_canonicalize_hostname is set to false, this flag has no effect. The default value is true.
The default used to be false so something did change in that it is now true
So, the krb5 upstream default is True, indeed. But Fedora's krb5-libs package has a krb5.conf that sets it to False. So it's the Fedora default, not per se the upstream default.
True
False
Using fedpkg-1.37-1.fc30.noarch I also cannot build a scratch build now, with the same error message. I tried with the rdns change, but it prevents me to kinit with error "kinit: Password incorrect while getting initial credentials". When I change the rdns to true I can use kinit, but cannot issue fedpkg scratch-build .....
My workaround is: a) edit /etc/krb5.conf and set rdns to true b) do kinit c) edit /etc/krb5.conf and set rdns to false d) do fedpkg scratch-build ....
This is kind of suboptimal.
Err, and now I can kinit with rdns=false too (after I did kinit against company server with rdns=false). This is weird. It's with krb5-workstation-1.17-14.fc30.x86_64 if it helps.
@mcrha rdns set to true does not have any effect to the kinit. This sounds like random failures. Could you attach a log when you get an error with KRB5_TRACE=/dev/stderr kinit ...?
KRB5_TRACE=/dev/stderr kinit ...
rdns set to true does not have any effect to the kinit.
That had been my observation. I'm not questioning whether it was a correct or a wrong observation.
I just retried and I cannot reproduce the failure. I agree it could be just a random failure. Let's skip it. I'm sorry for the noise.
@puiterijk I think I can provide a band-aid :smile:
Only KRB5_TRACE is not sufficient, you need -d as well
-d
% KRB5_TRACE=/dev/stderr koji -d hello 2019-10-09 16:03:19,573 [DEBUG] koji: Opening new requests session 2019-10-09 16:03:19,573 [DEBUG] koji: Opening new requests session [17400] 1570601000.462935: ccselect module realm chose cache FILE:/tmp/krb5cc_11793 with client principal dchen@FEDORAPROJECT.ORG for server principal HTTP/proxy10.fedoraproject.org@FEDORAPROJECT.ORG [17400] 1570601000.462936: Getting credentials dchen@FEDORAPROJECT.ORG -> HTTP/proxy10.fedoraproject.org@FEDORAPROJECT.ORG using ccache FILE:/tmp/krb5cc_11793 [17400] 1570601000.462937: Retrieving dchen@FEDORAPROJECT.ORG -> HTTP/proxy10.fedoraproject.org@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_11793 with result: 0/Success [17400] 1570601000.462939: Creating authenticator for dchen@FEDORAPROJECT.ORG -> HTTP/proxy10.fedoraproject.org@FEDORAPROJECT.ORG, seqnum 1065235898, subkey aes256-cts/BCFD, session key aes256-cts/05B5 2019-10-09 16:03:21,418 [DEBUG] koji: Opening new requests session 2019-10-09 16:03:21,418 [DEBUG] koji: gssapi auth failed: requests_kerberos.exceptions.MutualAuthenticationError: Unable to authenticate <Response [200]> Traceback (most recent call last): File "/usr/bin/koji", line 336, in <module> rv = locals()[command].__call__(options, session, args) File "/usr/lib/python3.6/site-packages/koji_cli/commands.py", line 7304, in handle_moshimoshi activate_session(session, options) File "/usr/lib/python3.6/site-packages/koji_cli/lib.py", line 577, in activate_session session.krb_login(proxyuser=runas) File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2209, in krb_login if self.gssapi_login(principal, keytab, ccache, proxyuser=proxyuser): File "/usr/lib/python3.6/site-packages/koji/__init__.py", line 2363, in gssapi_login raise AuthError('unable to obtain a session') koji.AuthError: unable to obtain a session
It looks like the mutual auth does not work, not even optional mutual auth works, it needs to be disabled.
To apply my "band-aid", 1. open /usr/lib/python3.6/site-packages/koji/__init__.py (or corresponding python2 equivalent) as root
/usr/lib/python3.6/site-packages/koji/__init__.py
def gssapi_login
kwargs = {}
kwargs = { 'mutual_authentication': requests_kerberos.DISABLED } # FIXME
That's it.
Login to comment on this ticket.