I got this error while testing MTS on Openshift stg.
There are two lines in logs to show a fallback to STG.PHX2.FEDORAPROJECT.ORG:
STG.PHX2.FEDORAPROJECT.ORG
[31] 1565072857.6354: TGS request result: -1765328377/Server HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG not found in Kerberos database [31] 1565072857.6355: Local realm referral failed; trying fallback realm STG.PHX2.FEDORAPROJECT.ORG
Could you please help to have a look? Thanks.
Following is complete logs:
2019-08-06 06:27:36,923- koji - DEBUG - Opening new requests session 2019-08-06 06:27:36,923- koji - DEBUG - Opening new requests session 2019-08-06 06:27:36,925- urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): koji.stg.fedoraproject.org:443 2019-08-06 06:27:36,951- urllib3.connectionpool - DEBUG - https://koji.stg.fedoraproject.org:443 "POST /kojihub/ssllogin HTTP/1.1" 401 381 2019-08-06 06:27:36,972- requests_kerberos.kerberos_ - DEBUG - handle_401(): Handling: 401 [31] 1565072856.972704: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success [31] 1565072856.972705: Getting initial credentials for message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG [31] 1565072856.972706: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac [31] 1565072856.972708: Sending unauthenticated request [31] 1565072856.972709: Sending request (289 bytes) to STG.FEDORAPROJECT.ORG [31] 1565072856.972710: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG. [31] 1565072856.972711: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/" [31] 1565072856.972712: Resolving hostname id.stg.fedoraproject.org [31] 1565072856.972713: TLS certificate name matched "id.stg.fedoraproject.org" [31] 1565072856.972714: Sending HTTPS request to https 10.5.128.177:443 [31] 1565072857.6287: Received answer (393 bytes) from https 10.5.128.177:443 [31] 1565072857.6288: Terminating TCP connection to https 10.5.128.177:443 [31] 1565072857.6289: Response was from master KDC [31] 1565072857.6290: Received error from KDC: -1765328359/Additional pre-authentication required [31] 1565072857.6293: Preauthenticating using KDC method data [31] 1565072857.6294: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133) [31] 1565072857.6295: Selected etype info: etype aes256-cts, salt "H6h4#c+N;#^SQ{:i", params "" [31] 1565072857.6296: Received cookie: MIT [31] 1565072857.6297: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success [31] 1565072857.6298: AS key obtained for encrypted timestamp: aes256-cts/99E6 [31] 1565072857.6300: Encrypted timestamp (for 1565072857.2820): plain 3019A011180F32303139303830363036323733375AA10402020B04, encrypted 6B99394929AAD3CF9BB69D64771F2DC3ABBB470DF62DAE04E44E5FC73FC7053056EEC09F42062BF8D7B5B515D51A4521431CAECD410BCB [31] 1565072857.6301: Preauth module encrypted_timestamp (2) (real) returned: 0/Success [31] 1565072857.6302: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2) [31] 1565072857.6303: Sending request (381 bytes) to STG.FEDORAPROJECT.ORG [31] 1565072857.6304: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG. [31] 1565072857.6305: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/" [31] 1565072857.6306: Resolving hostname id.stg.fedoraproject.org [31] 1565072857.6307: TLS certificate name matched "id.stg.fedoraproject.org" [31] 1565072857.6308: Sending HTTPS request to https 10.5.128.177:443 [31] 1565072857.6309: Received answer (901 bytes) from https 10.5.128.177:443 [31] 1565072857.6310: Terminating TCP connection to https 10.5.128.177:443 [31] 1565072857.6311: Response was from master KDC [31] 1565072857.6312: Processing preauth types: PA-ETYPE-INFO2 (19) [31] 1565072857.6313: Selected etype info: etype aes256-cts, salt "H6h4#c+N;#^SQ{:i", params "" [31] 1565072857.6314: Produced preauth for next request: (empty) [31] 1565072857.6315: AS key determined by preauth: aes256-cts/99E6 [31] 1565072857.6316: Decrypted AS reply; session key is: aes256-cts/2935 [31] 1565072857.6317: FAST negotiation: available [31] 1565072857.6318: Initializing FILE:/tmp/krb5cc_1000330000 with default princ message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG [31] 1565072857.6319: Storing message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG in FILE:/tmp/krb5cc_1000330000 [31] 1565072857.6320: Storing config in FILE:/tmp/krb5cc_1000330000 for krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG: fast_avail: yes [31] 1565072857.6321: Storing message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krb5_ccache_conf_data/fast_avail/krbtgt\/STG.FEDORAPROJECT.ORG\@STG.FEDORAPROJECT.ORG@X-CACHECONF: in FILE:/tmp/krb5cc_1000330000 [31] 1565072857.6322: Storing config in FILE:/tmp/krb5cc_1000330000 for krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG: pa_type: 2 [31] 1565072857.6323: Storing message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krb5_ccache_conf_data/pa_type/krbtgt\/STG.FEDORAPROJECT.ORG\@STG.FEDORAPROJECT.ORG@X-CACHECONF: in FILE:/tmp/krb5cc_1000330000 [31] 1565072857.6324: Storing config in FILE:/tmp/krb5cc_1000330000 for : refresh_time: 1565116057 [31] 1565072857.6325: Storing message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in FILE:/tmp/krb5cc_1000330000 [31] 1565072857.6329: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success [31] 1565072857.6333: Getting credentials message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@ using ccache FILE:/tmp/krb5cc_1000330000 [31] 1565072857.6334: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000) [31] 1565072857.6335: Retrying message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000) [31] 1565072857.6336: Server has referral realm; starting with HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG [31] 1565072857.6337: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: 0/Success [31] 1565072857.6338: Starting with TGT for client realm: message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG [31] 1565072857.6339: Requesting tickets for HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG, referrals on [31] 1565072857.6340: Generated subkey for TGS request: aes256-cts/CFB9 [31] 1565072857.6341: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [31] 1565072857.6343: Encoding request body and padata into FAST request [31] 1565072857.6344: Sending request (1163 bytes) to STG.FEDORAPROJECT.ORG [31] 1565072857.6345: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG. [31] 1565072857.6346: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/" [31] 1565072857.6347: Resolving hostname id.stg.fedoraproject.org [31] 1565072857.6348: TLS certificate name matched "id.stg.fedoraproject.org" [31] 1565072857.6349: Sending HTTPS request to https 10.5.128.177:443 [31] 1565072857.6350: Received answer (681 bytes) from https 10.5.128.177:443 [31] 1565072857.6351: Terminating TCP connection to https 10.5.128.177:443 [31] 1565072857.6352: Response was from master KDC [31] 1565072857.6353: Decoding FAST response [31] 1565072857.6354: TGS request result: -1765328377/Server HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG not found in Kerberos database [31] 1565072857.6355: Local realm referral failed; trying fallback realm STG.PHX2.FEDORAPROJECT.ORG [31] 1565072857.6356: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.PHX2.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000) [31] 1565072857.6357: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: 0/Success [31] 1565072857.6358: Starting with TGT for client realm: message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG [31] 1565072857.6359: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.PHX2.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000) [31] 1565072857.6360: Requesting TGT krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG using TGT krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG [31] 1565072857.6361: Generated subkey for TGS request: aes256-cts/31A4 [31] 1565072857.6362: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [31] 1565072857.6364: Encoding request body and padata into FAST request [31] 1565072857.6365: Sending request (1151 bytes) to STG.FEDORAPROJECT.ORG [31] 1565072857.6366: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG. [31] 1565072857.6367: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/" [31] 1565072857.6368: Resolving hostname id.stg.fedoraproject.org [31] 1565072857.6369: TLS certificate name matched "id.stg.fedoraproject.org" [31] 1565072857.6370: Sending HTTPS request to https 10.5.128.177:443 [31] 1565072857.6371: Received answer (665 bytes) from https 10.5.128.177:443 [31] 1565072857.6372: Terminating TCP connection to https 10.5.128.177:443 [31] 1565072857.6373: Response was from master KDC [31] 1565072857.6374: Decoding FAST response [31] 1565072857.6375: TGS request result: -1765328377/Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database 2019-08-06 06:27:37,199- requests_kerberos.kerberos_ - ERROR - generate_request_header(): authGSSClientStep() failed: Traceback (most recent call last): File "/usr/lib/python3.7/site-packages/requests_kerberos/kerberos_.py", line 227, in generate_request_header channel_bindings=self.cbt_struct) kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377)) 2019-08-06 06:27:37,200- requests_kerberos.kerberos_ - ERROR - (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377)) Traceback (most recent call last): File "/usr/lib/python3.7/site-packages/requests_kerberos/kerberos_.py", line 227, in generate_request_header channel_bindings=self.cbt_struct) kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377)) 2019-08-06 06:27:37,200- requests_kerberos.kerberos_ - DEBUG - handle_401(): returning <Response [401]> 2019-08-06 06:27:37,200- requests_kerberos.kerberos_ - DEBUG - handle_response(): returning <Response [401]> 2019-08-06 06:27:37,200- requests_kerberos.kerberos_ - DEBUG - handle_response() has seen 0 401 responses 2019-08-06 06:27:37,201- requests_kerberos.kerberos_ - DEBUG - handle_401(): Handling: 401 [31] 1565072857.6380: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success [31] 1565072857.6384: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG from FILE:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success [31] 1565072857.6388: Getting credentials message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@ using ccache FILE:/tmp/krb5cc_1000330000 [31] 1565072857.6389: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000) [31] 1565072857.6390: Retrying message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000) [31] 1565072857.6391: Server has referral realm; starting with HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG [31] 1565072857.6392: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: 0/Success [31] 1565072857.6393: Starting with TGT for client realm: message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG [31] 1565072857.6394: Requesting tickets for HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG, referrals on [31] 1565072857.6395: Generated subkey for TGS request: aes256-cts/3B86 [31] 1565072857.6396: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [31] 1565072857.6398: Encoding request body and padata into FAST request [31] 1565072857.6399: Sending request (1163 bytes) to STG.FEDORAPROJECT.ORG [31] 1565072857.6400: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG. [31] 1565072857.6401: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/" [31] 1565072857.6402: Resolving hostname id.stg.fedoraproject.org [31] 1565072857.6403: TLS certificate name matched "id.stg.fedoraproject.org" [31] 1565072857.6404: Sending HTTPS request to https 10.5.128.177:443 [31] 1565072857.6405: Received answer (681 bytes) from https 10.5.128.177:443 [31] 1565072857.6406: Terminating TCP connection to https 10.5.128.177:443 [31] 1565072857.6407: Response was from master KDC [31] 1565072857.6408: Decoding FAST response [31] 1565072857.6409: TGS request result: -1765328377/Server HTTP/proxy01.stg.phx2.fedoraproject.org@STG.FEDORAPROJECT.ORG not found in Kerberos database [31] 1565072857.6410: Local realm referral failed; trying fallback realm STG.PHX2.FEDORAPROJECT.ORG [31] 1565072857.6411: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.PHX2.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000) [31] 1565072857.6412: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: 0/Success [31] 1565072857.6413: Starting with TGT for client realm: message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG [31] 1565072857.6414: Retrieving message-tagging-service/message-tagging-service.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG -> krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.PHX2.FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000330000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000330000) [31] 1565072857.6415: Requesting TGT krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG using TGT krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG [31] 1565072857.6416: Generated subkey for TGS request: aes256-cts/992E [31] 1565072857.6417: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts [31] 1565072857.6419: Encoding request body and padata into FAST request [31] 1565072857.6420: Sending request (1151 bytes) to STG.FEDORAPROJECT.ORG [31] 1565072857.6421: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG. [31] 1565072857.6422: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/" [31] 1565072857.6423: Resolving hostname id.stg.fedoraproject.org [31] 1565072857.6424: TLS certificate name matched "id.stg.fedoraproject.org" [31] 1565072857.6425: Sending HTTPS request to https 10.5.128.177:443 [31] 1565072857.6426: Received answer (665 bytes) from https 10.5.128.177:443 [31] 1565072857.6427: Terminating TCP connection to https 10.5.128.177:443 [31] 1565072857.6428: Response was from master KDC [31] 1565072857.6429: Decoding FAST response [31] 1565072857.6430: TGS request result: -1765328377/Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database 2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - ERROR - generate_request_header(): authGSSClientStep() failed: Traceback (most recent call last): File "/usr/lib/python3.7/site-packages/requests_kerberos/kerberos_.py", line 227, in generate_request_header channel_bindings=self.cbt_struct) kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377)) 2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - ERROR - (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377)) Traceback (most recent call last): File "/usr/lib/python3.7/site-packages/requests_kerberos/kerberos_.py", line 227, in generate_request_header channel_bindings=self.cbt_struct) kerberos.GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server krbtgt/STG.PHX2.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG not found in Kerberos database', -1765328377)) 2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - DEBUG - handle_401(): returning <Response [401]> 2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - DEBUG - handle_response(): returning <Response [401]> 2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - DEBUG - handle_response() has seen 1 401 responses 2019-08-06 06:27:37,271- requests_kerberos.kerberos_ - DEBUG - handle_response(): returning 401 <Response [401]> 2019-08-06 06:27:37,272- koji - DEBUG - Opening new requests session 2019-08-06 06:27:37,273- koji - DEBUG - gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.stg.fedoraproject.org/kojihub/ssllogin
This would mean that your /etc/krb5.conf does not have rdns = false in [libdefaults], as the default Fedora config file has. Please use the standard config file from Fedora/EL.
/etc/krb5.conf
rdns = false
[libdefaults]
@puiterwijk Thanks. The /etc/krb5.conf actually has the rdns = false, it is the default config installed with krb5-libs-1.16.1-25.fc29.x86_64. Following is the complete content of krb5.conf:
krb5-libs-1.16.1-25.fc29.x86_64
# To opt out of the system crypto-policies configuration of krb5, remove the # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated. includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt spake_preauth_groups = edwards25519 # default_realm = EXAMPLE.COM [realms] # EXAMPLE.COM = { # kdc = kerberos.example.com # admin_server = kerberos.example.com # } [domain_realm] # .example.com = EXAMPLE.COM # example.com = EXAMPLE.COM
Not sure anything else I should changed in this file?
Nothing should be changed in the file and that should work. Can you paste in the /etc/krb5.conf.d/ files in case something is resetting rdns=true
[smooge@fedora00 epel-release (epel8)]$ cat /etc/krb5.conf.d/kcm_default_ccache # This file should normally be installed by your distribution into a # directory that is included from the Kerberos configuration file (/etc/krb5.conf) # On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/ # # To enable the KCM credential cache enable the KCM socket and the service: # systemctl enable sssd-secrets.socket sssd-kcm.socket # systemctl start sssd-kcm.socket # # To disable the KCM credential cache, comment out the following lines. [libdefaults] default_ccache_name = KCM:
[smooge@fedora00 epel-release (epel8)]$ cat /etc/krb5.conf.d/stg_fedoraproject_org [realms] STG.FEDORAPROJECT.ORG = { kdc = https://id.stg.fedoraproject.org/KdcProxy } [domain_realm] .stg.fedoraproject.org = STG.FEDORAPROJECT.ORG stg.fedoraproject.org = STG.FEDORAPROJECT.ORG
@smooge There is not special in /etc/krb5.conf.d. I deploy and test MTS on Openshift stage step by step, at current stage, I even haven't installed fedora-packager yet.
Only one file exists in /etc/krb5.conf.d
sh-4.4$ cat /etc/krb5.conf.d/crypto-policies [libdefaults] permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac sh-4.4$
@cqi have a look at this https://pagure.io/fedora-infrastructure/issue/7870#comment-588475
For kerberos to work in OpenShift you need to use a specific krb5.conf
@cqi if you don't have the /etc/krb5.conf.d/stg_fedoraproject_org and the other items cverna listed.. I am amazed it worked even to that point. I think you will need to go through those first
Metadata Update from @kevin: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: authentication, koji
Thank all of you. The krb5.conf template works for me.
Cool thanks for letting us know.
Metadata Update from @cverna: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.