#8525 Can't kinit for stg.fedoraproject.org
Closed: Fixed 2 years ago by smooge. Opened 2 years ago by zbyszek.

I'd like to test the multi-build gating but can't authenticate.

$ kinit zbyszek@STG.FEDORAPROJECT.ORG
kinit: Cannot contact any KDC for realm 'STG.FEDORAPROJECT.ORG' while getting initial credentials

(I get identical output on a few different machines with different Fedora versions: F29, F31, rawhide.)


Metadata Update from @codeblock:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @codeblock:
- Issue assigned to codeblock

2 years ago

@codeblock can you add what needed to be done ? so that we know what to do if that happen again :smile:

Thanks

$ kinit zbyszek@STG.FEDORAPROJECT.ORG
kinit: Client 'zbyszek@STG.FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials

Metadata Update from @zbyszek:
- Issue status updated to: Open (was: Closed)

2 years ago

$ kinit zbyszek@STG.FEDORAPROJECT.ORG
kinit: Client 'zbyszek@STG.FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials

This one is listed in the FAQ at: https://fedoraproject.org/wiki/Infrastructure/Kerberos#Questions_and_Answers

Login to FAS and then retry. Your information needs to be synced from FAS to the IPA server. Logging into FAS does so.

I did that. No change.

$ KRB5_TRACE=/dev/stdout kinit zbyszek@STG.FEDORAPROJECT.ORG
[133418] 1578997810.412008: Resolving unique ccache of type KCM
[133418] 1578997810.412009: Getting initial credentials for zbyszek@STG.FEDORAPROJECT.ORG
[133418] 1578997810.412011: Sending unauthenticated request
[133418] 1578997810.412012: Sending request (221 bytes) to STG.FEDORAPROJECT.ORG
[133418] 1578997810.412013: Resolving hostname id.stg.fedoraproject.org
[133418] 1578997811.121521: TLS certificate name matched "id.stg.fedoraproject.org"
[133418] 1578997811.121522: Sending HTTPS request to https 209.132.181.5:443
[133418] 1578997811.121523: Received answer (202 bytes) from https 209.132.181.5:443
[133418] 1578997811.121524: Terminating TCP connection to https 209.132.181.5:443
[133418] 1578997811.121525: Sending DNS URI query for _kerberos.STG.FEDORAPROJECT.ORG.
[133418] 1578997811.121526: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.stg.fedoraproject.org/KdcProxy/"
[133418] 1578997811.121527: Response was from master KDC
[133418] 1578997811.121528: Received error from KDC: -1765328378/Client not found in Kerberos database
kinit: Client 'zbyszek@STG.FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials

I need to ask what you are needing stg.fedoraproject.org. I am going to be deleting and rebuilding pkgs.stg this week. It will then be resync'd the production one. However, I do not want to break any work in progress so need to know if it is part of what you are using this for?

I'd like to experiment with side-tags. I don't have any work in progress.

OK thanks.. I will plan accordingly on pkgs then.

@zbyszek NOTE: side tags are available in production. Or do you intend to do things you don't want to do in production?

For the kinit issue, please login to https://admin.stg.fedoraproject.org/accounts and then change your password (via the my account/change password, NOT the 'forgot password' link).

That should sync your password to ipa in staging. We currentlly have no way to sync those passwords over from prod, and they are set on password change.

Metadata Update from @smooge:
- Issue priority set to: Waiting on Reporter (was: Needs Review)

2 years ago

Did the password change fix it?

Please reopen if not fixed.

Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata