#8162 koji: AuthError: unable to obtain a session
Closed: Fixed 2 months ago by kevin. Opened 2 months ago by huwang.

Hi all,

After installing F30, koji doesn't work. Could someone help take a look? Thanks a lot!

Here are the error messages:
[huwang@localhost mod_cluster]$ kinit
Password for huwang@FEDORAPROJECT.ORG:
[huwang@localhost mod_cluster]$ klist
Ticket cache: KCM:1000
Default principal: huwang@FEDORAPROJECT.ORG

Valid starting Expires Service principal
09/02/2019 13:12:52 09/03/2019 13:12:44 krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
renew until 09/09/2019 13:12:44
[huwang@localhost mod_cluster]$ kinit huwang@FEDORAPROJECT.ORG
Password for huwang@FEDORAPROJECT.ORG:
[huwang@localhost mod_cluster]$ klist
Ticket cache: KCM:1000
Default principal: huwang@FEDORAPROJECT.ORG

Valid starting Expires Service principal
09/02/2019 13:15:28 09/03/2019 13:15:19 krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
renew until 09/09/2019 13:15:19

Here is my krb5 conf file:

# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.

includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519

default_realm = EXAMPLE.COM

default_ccache_name = KEYRING:persistent:%{uid}

[realms]

EXAMPLE.COM = {

kdc = kerberos.example.com

admin_server = kerberos.example.com

}

[domain_realm]

.example.com = EXAMPLE.COM

example.com = EXAMPLE.COM


Can you please post the output of:

KRB5_TRACE=/dev/stdout koji list-tasks --mine

Metadata Update from @kevin:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

2 months ago

[huwang@localhost ~]$ KRB5_TRACE=/dev/stdout koji list-tasks --mine
[1524] 1567401305.657614: ccselect module realm chose cache KCM:1000 with client principal huwang@FEDORAPROJECT.ORG for server principal HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG
[1524] 1567401305.657615: Getting credentials huwang@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG using ccache KCM:1000
[1524] 1567401305.657616: Retrieving huwang@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG from KCM:1000 with result: -1765328243/Matching credential not found
[1524] 1567401305.657617: Retrieving huwang@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from KCM:1000 with result: 0/Success
[1524] 1567401305.657618: Starting with TGT for client realm: huwang@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[1524] 1567401305.657619: Requesting tickets for HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[1524] 1567401305.657620: Generated subkey for TGS request: aes256-cts/A03A
[1524] 1567401305.657621: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1524] 1567401305.657623: Encoding request body and padata into FAST request
[1524] 1567401305.657624: Sending request (1004 bytes) to FEDORAPROJECT.ORG
[1524] 1567401305.657625: Resolving hostname id.fedoraproject.org
[1524] 1567401306.596202: TLS certificate name matched "id.fedoraproject.org"
[1524] 1567401306.596203: Sending HTTPS request to https 209.132.181.16:443
[1524] 1567401306.596204: Received answer (187 bytes) from https 209.132.181.16:443
[1524] 1567401306.596205: Terminating TCP connection to https 209.132.181.16:443
[1524] 1567401306.596206: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[1524] 1567401307.121761: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[1524] 1567401307.121762: Response was from master KDC
[1524] 1567401307.121763: TGS request result: -1765328347/Clock skew too great
[1524] 1567401307.121764: Requesting tickets for HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[1524] 1567401307.121765: Generated subkey for TGS request: aes256-cts/27CC
[1524] 1567401307.121766: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1524] 1567401307.121768: Encoding request body and padata into FAST request
[1524] 1567401307.121769: Sending request (1004 bytes) to FEDORAPROJECT.ORG
[1524] 1567401307.121770: Resolving hostname id.fedoraproject.org
[1524] 1567401307.121771: TLS certificate name matched "id.fedoraproject.org"
[1524] 1567401307.121772: Sending HTTPS request to https 67.203.2.67:443
[1524] 1567401307.121773: Received answer (187 bytes) from https 67.203.2.67:443
[1524] 1567401307.121774: Terminating TCP connection to https 67.203.2.67:443
[1524] 1567401307.121775: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[1524] 1567401307.121776: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[1524] 1567401307.121777: Response was from master KDC
[1524] 1567401307.121778: TGS request result: -1765328347/Clock skew too great
[1524] 1567401308.23304: ccselect module realm chose cache KCM:1000 with client principal huwang@FEDORAPROJECT.ORG for server principal HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG
[1524] 1567401308.23305: Getting credentials huwang@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG using ccache KCM:1000
[1524] 1567401308.23306: Retrieving huwang@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG from KCM:1000 with result: -1765328243/Matching credential not found
[1524] 1567401308.23307: Retrieving huwang@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from KCM:1000 with result: 0/Success
[1524] 1567401308.23308: Starting with TGT for client realm: huwang@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[1524] 1567401308.23309: Requesting tickets for HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[1524] 1567401308.23310: Generated subkey for TGS request: aes256-cts/7F39
[1524] 1567401308.23311: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1524] 1567401308.23313: Encoding request body and padata into FAST request
[1524] 1567401308.23314: Sending request (1003 bytes) to FEDORAPROJECT.ORG
[1524] 1567401308.23315: Resolving hostname id.fedoraproject.org
[1524] 1567401308.23316: TLS certificate name matched "id.fedoraproject.org"
[1524] 1567401308.23317: Sending HTTPS request to https 140.211.169.196:443
[1524] 1567401308.23318: Received answer (186 bytes) from https 140.211.169.196:443
[1524] 1567401308.23319: Terminating TCP connection to https 140.211.169.196:443
[1524] 1567401308.23320: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[1524] 1567401309.35911: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[1524] 1567401309.35912: Response was from master KDC
[1524] 1567401309.35913: TGS request result: -1765328347/Clock skew too great
[1524] 1567401309.35914: Requesting tickets for HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[1524] 1567401309.35915: Generated subkey for TGS request: aes256-cts/28FA
[1524] 1567401309.35916: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts
[1524] 1567401309.35918: Encoding request body and padata into FAST request
[1524] 1567401309.35919: Sending request (1004 bytes) to FEDORAPROJECT.ORG
[1524] 1567401309.35920: Resolving hostname id.fedoraproject.org
[1524] 1567401309.35921: TLS certificate name matched "id.fedoraproject.org"
[1524] 1567401309.35922: Sending HTTPS request to https 8.43.85.73:443
[1524] 1567401310.144065: Received answer (187 bytes) from https 8.43.85.73:443
[1524] 1567401310.144066: Terminating TCP connection to https 8.43.85.73:443
[1524] 1567401310.144067: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[1524] 1567401310.144068: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[1524] 1567401310.144069: Response was from master KDC
[1524] 1567401310.144070: TGS request result: -1765328347/Clock skew too great
2019-09-02 13:15:10,262 [ERROR] koji: AuthError: unable to obtain a session

Please check the time on your client machine?

"[1524] 1567401310.144070: TGS request result: -1765328347/Clock skew too great"

makes me think the time is not right there...
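
The triage step used above, as an added example (not part of the original thread or of koji/krb5): a small parser that pulls every non-zero `result:` out of `KRB5_TRACE` output, drops the routine credential-cache miss, and converts the library code to its krb5 error-table offset (37 is KRB_AP_ERR_SKEW in RFC 4120). The function names are hypothetical, and the 300-second tolerance is the MIT krb5 default for `clockskew`, assumed here because the KDC's actual setting is not shown in the thread.

```python
import re
from collections import Counter

KRB5_ERROR_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT krb5's error table
DEFAULT_CLOCKSKEW = 300        # seconds; MIT krb5 default (assumed for this KDC)
CACHE_MISS = "Matching credential not found"  # expected before a TGS request

# Trace lines look like "[pid] epoch.usec: message ... result: <code>/<text>"
TRACE_LINE = re.compile(r"^\[(\d+)\] (\d+)\.\d+: (.*)$")
RESULT = re.compile(r"result: (-?\d+)/(.+)$")

# Excerpt of the trace posted in this thread.
SAMPLE_TRACE = """\
[1524] 1567401305.657616: Retrieving huwang@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG from KCM:1000 with result: -1765328243/Matching credential not found
[1524] 1567401305.657617: Retrieving huwang@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from KCM:1000 with result: 0/Success
[1524] 1567401307.121763: TGS request result: -1765328347/Clock skew too great
[1524] 1567401307.121778: TGS request result: -1765328347/Clock skew too great
2019-09-02 13:15:10,262 [ERROR] koji: AuthError: unable to obtain a session
"""

def failed_results(trace):
    """Yield (epoch, table_offset, text) for every non-zero result in a trace."""
    for line in trace.splitlines():
        m = TRACE_LINE.match(line)
        r = RESULT.search(m.group(3)) if m else None
        if r and int(r.group(1)) != 0:
            yield int(m.group(2)), int(r.group(1)) - KRB5_ERROR_BASE, r.group(2)

def summarize(trace):
    """Count real failures, ignoring the routine credential-cache miss."""
    return Counter((off, text) for _, off, text in failed_results(trace)
                   if text != CACHE_MISS)

def skew_too_great(client_epoch, kdc_epoch, tolerance=DEFAULT_CLOCKSKEW):
    """True when the two clocks differ by more than the tolerance allows."""
    return abs(client_epoch - kdc_epoch) > tolerance

if __name__ == "__main__":
    for (offset, text), count in summarize(SAMPLE_TRACE).items():
        print(f"{count}x krb5 error offset {offset}: {text}")
    # Constructed check: a client clock running 30 minutes fast.
    print("30 min fast rejected:", skew_too_great(1567401310 + 1800, 1567401310))
```
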

My time was about 30 mins fast; after updating it, koji works.
Thank you very much!

[huwang@localhost ~]$ koji hello
jó napot, huwang!

You are using the hub at https://koji.fedoraproject.org/kojihub
Authenticated via GSSAPI

Excellent. Glad it was something easy. :)

Let us know if there's anything else we can do for you.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 months ago
