Issue #8073: Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database - fedora-infrastructure

fedora-infrastructure

#8073 Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database

Closed: Fixed 4 years ago by cverna. Opened 4 years ago by cqi.

I got this error while testing MTS on Openshift stg.

There are two lines in logs to show a fallback to STG.PHX2.FEDORAPROJECT.ORG:

[31] 1565072857.6354: TGS request result: -1765328377/Server HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG not found in Kerberos database
[31] 1565072857.6355: Local realm referral failed; trying fallback realm STG.PHX2.FEDORAPROJECT.ORG

Could you please help to have a look? Thanks.

Following is complete logs:

2019-08-06 06:27:36,923- koji - DEBUG - Opening new requests session
2019-08-06 06:27:36,923- koji - DEBUG - Opening new requests session
2019-08-06 06:27:36,925- urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): koji.stg.fedoraproject.org:443
2019-08-06 06:27:36,951- urllib3.connectionpool - DEBUG - https://koji.stg.fedoraproject.org:443 "POST /kojihub/ssllogin HTTP/1.1" 401 381
2019-08-06 06:27:36,972- requests_kerberos.kerberos_ - DEBUG - handle_401(): Handling: 401
[31] 1565072856.972704: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[31] 1565072856.972705: Getting initial credentials for message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
[31] 1565072856.972706: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[31] 1565072856.972708: Sending unauthenticated request
[31] 1565072856.972709: Sending request (289 bytes) to STG.FEDORAPROJECT.ORG
[31] 1565072856.972710: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG.
[31] 1565072856.972711: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/"
[31] 1565072856.972712: Resolving hostname id.stg.fedoraproject.org
[31] 1565072856.972713: TLS certificate name matched "id.stg.fedoraproject.org"
[31] 1565072856.972714: Sending HTTPS request to https 10.5.128.177:443
[31] 1565072857.6287: Received answer (393 bytes) from https 10.5.128.177:443
[31] 1565072857.6288: Terminating TCP connection to https 10.5.128.177:443
[31] 1565072857.6289: Response was from master KDC
[31] 1565072857.6290: Received error from KDC: -1765328359/Additional pre-authentication required
[31] 1565072857.6293: Preauthenticating using KDC method data
[31] 1565072857.6294: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[31] 1565072857.6295: Selected etype info: etype aes256-cts, salt "H6h4#c+N;#^SQ{:i", params ""
[31] 1565072857.6296: Received cookie: MIT
[31] 1565072857.6297: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[31] 1565072857.6298: AS key obtained for encrypted timestamp: aes256-cts/99E6
[31] 1565072857.6300: Encrypted timestamp (for 1565072857.2820): plain 3019A011180F32303139303830363036323733375AA10402020B04, encrypted 6B99394929AAD3CF9BB69D64771F2DC3ABBB470DF62DAE04E44E5FC73FC7053056EEC09F42062BF8D7B5B515D51A4521431CAECD410BCB
[31] 1565072857.6301: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[31] 1565072857.6302: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[31] 1565072857.6303: Sending request (381 bytes) to STG.FEDORAPROJECT.ORG
[31] 1565072857.6304: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG.
[31] 1565072857.6305: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/"
[31] 1565072857.6306: Resolving hostname id.stg.fedoraproject.org
[31] 1565072857.6307: TLS certificate name matched "id.stg.fedoraproject.org"
[31] 1565072857.6308: Sending HTTPS request to https 10.5.128.177:443
[31] 1565072857.6309: Received answer (901 bytes) from https 10.5.128.177:443
[31] 1565072857.6310: Terminating TCP connection to https 10.5.128.177:443
[31] 1565072857.6311: Response was from master KDC
[31] 1565072857.6312: Processing preauth types: PA-ETYPE-INFO2 (19)
[31] 1565072857.6313: Selected etype info: etype aes256-cts, salt "H6h4#c+N;#^SQ{:i", params ""
[31] 1565072857.6314: Produced preauth for next request: (empty)
[31] 1565072857.6315: AS key determined by preauth: aes256-cts/99E6
[31] 1565072857.6316: Decrypted AS reply; session key is: aes256-cts/2935
[31] 1565072857.6317: FAST negotiation: available
[31] 1565072857.6318: Initializing FILE:/tmp/krb5cc_1000330000 with default princ message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
[31] 1565072857.6319: Storing message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG in FILE:/tmp/krb5cc_1000330000
[31] 1565072857.6320: Storing config in FILE:/tmp/krb5cc_1000330000 for krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG: fast_avail: yes
[31] 1565072857.6321: Storing message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krb5_ccache_conf_data/fast_avail/krbtgt\/STG.FEDORAPROJECT.ORG\@STG.FEDORAPROJECT.ORG@X-CACHECONF: in FILE:/tmp/krb5cc_1000330000
[31] 1565072857.6322: Storing config in FILE:/tmp/krb5cc_1000330000 for krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG: pa_type: 2
[31] 1565072857.6323: Storing message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krb5_ccache_conf_data/pa_type/krbtgt\/STG.FEDORAPROJECT.ORG\@STG.FEDORAPROJECT.ORG@X-CACHECONF: in FILE:/tmp/krb5cc_1000330000
[31] 1565072857.6324: Storing config in FILE:/tmp/krb5cc_1000330000 for : refresh_time: 1565116057
[31] 1565072857.6325: Storing message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in FILE:/tmp/krb5cc_1000330000
[31] 1565072857.6329: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[31] 1565072857.6333: Getting credentials message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@ using ccache FILE:/tmp/krb5cc_1000330000
[31] 1565072857.6334: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000)
[31] 1565072857.6335: Retrying message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000)
[31] 1565072857.6336: Server has referral realm; starting with HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG
[31] 1565072857.6337: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: 0/Success
[31] 1565072857.6338: Starting with TGT for client realm: message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
[31] 1565072857.6339: Requesting tickets for HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG, referrals on
[31] 1565072857.6340: Generated subkey for TGS request: aes256-cts/CFB9
[31] 1565072857.6341: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[31] 1565072857.6343: Encoding request body and padata into FAST request
[31] 1565072857.6344: Sending request (1163 bytes) to STG.FEDORAPROJECT.ORG
[31] 1565072857.6345: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG.
[31] 1565072857.6346: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/"
[31] 1565072857.6347: Resolving hostname id.stg.fedoraproject.org
[31] 1565072857.6348: TLS certificate name matched "id.stg.fedoraproject.org"
[31] 1565072857.6349: Sending HTTPS request to https 10.5.128.177:443
[31] 1565072857.6350: Received answer (681 bytes) from https 10.5.128.177:443
[31] 1565072857.6351: Terminating TCP connection to https 10.5.128.177:443
[31] 1565072857.6352: Response was from master KDC
[31] 1565072857.6353: Decoding FAST response
[31] 1565072857.6354: TGS request result: -1765328377/Server HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG not found in Kerberos database
[31] 1565072857.6355: Local realm referral failed; trying fallback realm STG.PHX2.FEDORAPROJECT.ORG
[31] 1565072857.6356: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.PHX2.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000)
[31] 1565072857.6357: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: 0/Success
[31] 1565072857.6358: Starting with TGT for client realm: message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
[31] 1565072857.6359: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.PHX2.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000)
[31] 1565072857.6360: Requesting TGT krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG using TGT krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
[31] 1565072857.6361: Generated subkey for TGS request: aes256-cts/31A4
[31] 1565072857.6362: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[31] 1565072857.6364: Encoding request body and padata into FAST request
[31] 1565072857.6365: Sending request (1151 bytes) to STG.FEDORAPROJECT.ORG
[31] 1565072857.6366: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG.
[31] 1565072857.6367: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/"
[31] 1565072857.6368: Resolving hostname id.stg.fedoraproject.org
[31] 1565072857.6369: TLS certificate name matched "id.stg.fedoraproject.org"
[31] 1565072857.6370: Sending HTTPS request to https 10.5.128.177:443
[31] 1565072857.6371: Received answer (665 bytes) from https 10.5.128.177:443
[31] 1565072857.6372: Terminating TCP connection to https 10.5.128.177:443
[31] 1565072857.6373: Response was from master KDC
[31] 1565072857.6374: Decoding FAST response
[31] 1565072857.6375: TGS request result: -1765328377/Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database
2019-08-06 06:27:37,199- requests_kerberos.kerberos_ - ERROR - generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/requests_kerberos/kerberos_.py", line 227, in generate_request_header
    channel_bindings=self.cbt_struct)
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377))
2019-08-06 06:27:37,200- requests_kerberos.kerberos_ - ERROR - (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377))
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/requests_kerberos/kerberos_.py", line 227, in generate_request_header
    channel_bindings=self.cbt_struct)
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377))
2019-08-06 06:27:37,200- requests_kerberos.kerberos_ - DEBUG - handle_401(): returning <Response [401]>
2019-08-06 06:27:37,200- requests_kerberos.kerberos_ - DEBUG - handle_response(): returning <Response [401]>
2019-08-06 06:27:37,200- requests_kerberos.kerberos_ - DEBUG - handle_response() has seen 0 401 responses
2019-08-06 06:27:37,201- requests_kerberos.kerberos_ - DEBUG - handle_401(): Handling: 401
[31] 1565072857.6380: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[31] 1565072857.6384: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
[31] 1565072857.6388: Getting credentials message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@ using ccache FILE:/tmp/krb5cc_1000330000
[31] 1565072857.6389: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000)
[31] 1565072857.6390: Retrying message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000)
[31] 1565072857.6391: Server has referral realm; starting with HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG
[31] 1565072857.6392: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: 0/Success
[31] 1565072857.6393: Starting with TGT for client realm: message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
[31] 1565072857.6394: Requesting tickets for HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG, referrals on
[31] 1565072857.6395: Generated subkey for TGS request: aes256-cts/3B86
[31] 1565072857.6396: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[31] 1565072857.6398: Encoding request body and padata into FAST request
[31] 1565072857.6399: Sending request (1163 bytes) to STG.FEDORAPROJECT.ORG
[31] 1565072857.6400: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG.
[31] 1565072857.6401: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/"
[31] 1565072857.6402: Resolving hostname id.stg.fedoraproject.org
[31] 1565072857.6403: TLS certificate name matched "id.stg.fedoraproject.org"
[31] 1565072857.6404: Sending HTTPS request to https 10.5.128.177:443
[31] 1565072857.6405: Received answer (681 bytes) from https 10.5.128.177:443
[31] 1565072857.6406: Terminating TCP connection to https 10.5.128.177:443
[31] 1565072857.6407: Response was from master KDC
[31] 1565072857.6408: Decoding FAST response
[31] 1565072857.6409: TGS request result: -1765328377/Server HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG not found in Kerberos database
[31] 1565072857.6410: Local realm referral failed; trying fallback realm STG.PHX2.FEDORAPROJECT.ORG
[31] 1565072857.6411: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.PHX2.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000)
[31] 1565072857.6412: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: 0/Success
[31] 1565072857.6413: Starting with TGT for client realm: message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
[31] 1565072857.6414: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.PHX2.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000)
[31] 1565072857.6415: Requesting TGT krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG using TGT krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
[31] 1565072857.6416: Generated subkey for TGS request: aes256-cts/992E
[31] 1565072857.6417: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[31] 1565072857.6419: Encoding request body and padata into FAST request
[31] 1565072857.6420: Sending request (1151 bytes) to STG.FEDORAPROJECT.ORG
[31] 1565072857.6421: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG.
[31] 1565072857.6422: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/"
[31] 1565072857.6423: Resolving hostname id.stg.fedoraproject.org
[31] 1565072857.6424: TLS certificate name matched "id.stg.fedoraproject.org"
[31] 1565072857.6425: Sending HTTPS request to https 10.5.128.177:443
[31] 1565072857.6426: Received answer (665 bytes) from https 10.5.128.177:443
[31] 1565072857.6427: Terminating TCP connection to https 10.5.128.177:443
[31] 1565072857.6428: Response was from master KDC
[31] 1565072857.6429: Decoding FAST response
[31] 1565072857.6430: TGS request result: -1765328377/Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database
2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - ERROR - generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/requests_kerberos/kerberos_.py", line 227, in generate_request_header
    channel_bindings=self.cbt_struct)
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377))
2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - ERROR - (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377))
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/requests_kerberos/kerberos_.py", line 227, in generate_request_header
    channel_bindings=self.cbt_struct)
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377))
2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - DEBUG - handle_401(): returning <Response [401]>
2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - DEBUG - handle_response(): returning <Response [401]>
2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - DEBUG - handle_response() has seen 1 401 responses
2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - DEBUG - handle_response(): returning 401 <Response [401]>
2019-08-06 06:27:37,272- koji - DEBUG - Opening new requests session
2019-08-06 06:27:37,273- koji - DEBUG - gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.stg.fedoraproject.org/kojihub/ssllogin

puiterwijk commented 4 years ago

This would mean that your /etc/krb5.conf does not have rdns = false in [libdefaults], as the default Fedora config file has.
Please use the standard config file from Fedora/EL.

cqi commented 4 years ago

@puiterwijk Thanks. The /etc/krb5.conf actually has the rdns = false, it is the default config installed with krb5-libs-1.16.1-25.fc29.x86_64. Following is the complete content of krb5.conf:

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
    spake_preauth_groups = edwards25519
#    default_realm = EXAMPLE.COM

[realms]
# EXAMPLE.COM = {
#     kdc = kerberos.example.com
#     admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

Not sure anything else I should changed in this file?

Edited 4 years ago by cqi

smooge commented 4 years ago

Nothing should be changed in the file and that should work. Can you paste in the /etc/krb5.conf.d/ files in case something is resetting rdns=true

[smooge@fedora00 epel-release (epel8)]$ cat /etc/krb5.conf.d/kcm_default_ccache 
# This file should normally be installed by your distribution into a
# directory that is included from the Kerberos configuration file (/etc/krb5.conf)
# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
#
# To enable the KCM credential cache enable the KCM socket and the service:
#   systemctl enable sssd-secrets.socket sssd-kcm.socket
#   systemctl start sssd-kcm.socket
#
# To disable the KCM credential cache, comment out the following lines.

[libdefaults]
    default_ccache_name = KCM:

[smooge@fedora00 epel-release (epel8)]$ cat /etc/krb5.conf.d/stg_fedoraproject_org 
[realms]
 STG.FEDORAPROJECT.ORG = {
        kdc = https://id.stg.fedoraproject.org/KdcProxy
 }
[domain_realm]
 .stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
 stg.fedoraproject.org = STG.FEDORAPROJECT.ORG

cqi commented 4 years ago

@smooge There is not special in /etc/krb5.conf.d. I deploy and test MTS on Openshift stage step by step, at current stage, I even haven't installed fedora-packager yet.

Only one file exists in /etc/krb5.conf.d

sh-4.4$ cat /etc/krb5.conf.d/crypto-policies
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
sh-4.4$

cverna commented 4 years ago

@cqi have a look at this https://pagure.io/fedora-infrastructure/issue/7870#comment-588475

For kerberos to work in OpenShift you need to use a specific krb5.conf

smooge commented 4 years ago

@cqi if you don't have the /etc/krb5.conf.d/stg_fedoraproject_org and the other items cverna listed.. I am amazed it worked even to that point. I think you will need to go through those first

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: authentication, koji

4 years ago

cqi commented 4 years ago

Thank all of you. The krb5.conf template works for me.

cverna commented 4 years ago

Cool thanks for letting us know.

Metadata Update from @cverna:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Metadata

Assignee

None

Tags

Blocking

None

Depending on

None

Priority

Waiting on Assignee

fedora-infrastructure

Source Code

#8073 Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database Closed: Fixed 4 years ago by cverna. Opened 4 years ago by cqi.

Metadata

authentication koji

#8073 Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database

Closed: Fixed 4 years ago by cverna. Opened 4 years ago by cqi.