#9607 Cannot kinit against Fedora Project servers
Closed: Fixed 3 years ago by abbra. Opened 3 years ago by abbra.

Looks like Kerberos servers do not respond in Fedora realm. KDC proxies respond with 503 errors:

$ KRB5_TRACE=/dev/stderr kinit -r 7d abbra@FEDORAPROJECT.ORG
[2961637] 1611748690.357455: Getting initial credentials for abbra@FEDORAPROJECT.ORG
[2961637] 1611748690.357457: Sending unauthenticated request
[2961637] 1611748690.357458: Sending request (208 bytes) to FEDORAPROJECT.ORG
[2961637] 1611748690.357459: Resolving hostname id.fedoraproject.org
[2961637] 1611748690.357460: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748690.357461: Sending HTTPS request to https 18.159.254.57:443
[2961637] 1611748700.575950: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748700.575951: Sending HTTPS request to https 18.130.159.183:443
[2961637] 1611748710.637516: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748710.637517: Sending HTTPS request to https 85.236.55.6:443
[2961637] 1611748720.666523: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748720.666524: Sending HTTPS request to https 185.141.165.254:443
[2961637] 1611748730.956936: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748730.956937: Sending HTTPS request to https 8.43.85.67:443
[2961637] 1611748735.512711: HTTPS error: HTTP/1.1 503 Service Unavailable\x0d\x0aDate: Wed, 27 Jan 2021 11:58:10 GMT\x0d\x0aServer: Apache\x0d\x0aStrict-Transport-Security: max-age=31536000; preload\x0d\x0aX-Frame-Options: SAMEORIGIN\x0d\x0aX-Xss-Protection: 1; mode=block\x0d\x0aX-Content-Type-Options: nosniff\x0d\x0aReferrer-Policy: same-origin\x0d\x0acontent-length: 58\x0d\x0aapptime: D=44891306\x0d\x0ax-fedora-appserver: ipa01.iad2.fedoraproject.org\x0d\x0acontent-type: text/plain; charset=utf-8\x0d\x0aX-Fedora-ProxyServer: proxy36.fedoraproject.org\x0d\x0aX-Fedora-RequestID: YBFVUg@mUtsB70Io8SlBtgAAANI\x0d\x0aConnection: close\x0d\x0a\x0d\x0aRemote unavailable (FEDORAPROJECT.ORG AS-REQ (208 bytes)).
[2961637] 1611748735.512712: Terminating TCP connection to https 18.159.254.57:443
[2961637] 1611748741.080825: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748741.080826: Sending HTTPS request to https 38.145.60.21:443
[2961637] 1611748746.855396: HTTPS error: HTTP/1.1 503 Service Unavailable\x0d\x0aDate: Wed, 27 Jan 2021 11:58:20 GMT\x0d\x0aServer: Apache\x0d\x0aStrict-Transport-Security: max-age=31536000; preload\x0d\x0aX-Frame-Options: SAMEORIGIN\x0d\x0aX-Xss-Protection: 1; mode=block\x0d\x0aX-Content-Type-Options: nosniff\x0d\x0aReferrer-Policy: same-origin\x0d\x0acontent-length: 58\x0d\x0aapptime: D=46184716\x0d\x0ax-fedora-appserver: ipa01.iad2.fedoraproject.org\x0d\x0acontent-type: text/plain; charset=utf-8\x0d\x0aX-Fedora-ProxyServer: proxy35.fedoraproject.org\x0d\x0aX-Fedora-RequestID: YBFVXEU6NUQNFfshuau08AAAAAY\x0d\x0aConnection: close\x0d\x0a\x0d\x0aRemote unavailable (FEDORAPROJECT.ORG AS-REQ (208 bytes)).
[2961637] 1611748746.855397: Terminating TCP connection to https 18.130.159.183:443
[2961637] 1611748751.381918: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748751.381919: Sending HTTPS request to https 140.211.169.206:443
[2961637] 1611748751.381920: HTTPS error: HTTP/1.1 503 Service Unavailable\x0d\x0aDate: Wed, 27 Jan 2021 11:58:30 GMT\x0d\x0aServer: Apache\x0d\x0aStrict-Transport-Security: max-age=31536000; preload\x0d\x0aX-Frame-Options: SAMEORIGIN\x0d\x0aX-Xss-Protection: 1; mode=block\x0d\x0aX-Content-Type-Options: nosniff\x0d\x0aReferrer-Policy: same-origin\x0d\x0acontent-length: 58\x0d\x0aapptime: D=40694386\x0d\x0ax-fedora-appserver: ipa01.iad2.fedoraproject.org\x0d\x0acontent-type: text/plain; charset=utf-8\x0d\x0aX-Fedora-ProxyServer: proxy02.fedoraproject.org\x0d\x0aX-Fedora-RequestID: YBFVZlUlUOVq76jP7LIfxAAAABQ\x0d\x0aConnection: close\x0d\x0a\x0d\x0aRemote unavailable (FEDORAPROJECT.ORG AS-REQ (208 bytes)).
[2961637] 1611748751.381921: Terminating TCP connection to https 85.236.55.6:443
[2961637] 1611748761.471897: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748761.471898: Sending HTTPS request to https 152.19.134.198:443
[2961637] 1611748765.889250: HTTPS error: HTTP/1.1 503 Service Unavailable\x0d\x0aDate: Wed, 27 Jan 2021 11:58:40 GMT\x0d\x0aServer: Apache\x0d\x0aStrict-Transport-Security: max-age=31536000; preload\x0d\x0aX-Frame-Options: SAMEORIGIN\x0d\x0aX-Xss-Protection: 1; mode=block\x0d\x0aX-Content-Type-Options: nosniff\x0d\x0aReferrer-Policy: same-origin\x0d\x0acontent-length: 58\x0d\x0aapptime: D=45142193\x0d\x0ax-fedora-appserver: ipa01.iad2.fedoraproject.org\x0d\x0acontent-type: text/plain; charset=utf-8\x0d\x0aX-Fedora-ProxyServer: proxy05.fedoraproject.org\x0d\x0aX-Fedora-RequestID: YBFVcDEfpFGYbi0kJwhJnAAACAc\x0d\x0aConnection: close\x0d\x0a\x0d\x0aRemote unavailable (FEDORAPROJECT.ORG AS-REQ (208 bytes)).
[2961637] 1611748765.889251: Terminating TCP connection to https 185.141.165.254:443
[2961637] 1611748772.580318: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748772.580319: Sending HTTPS request to https 38.145.60.20:443
[2961637] 1611748772.580320: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748772.580321: Sending HTTPS request to https 209.132.190.2:443
[2961637] 1611748782.806331: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748782.806332: Sending HTTPS request to https 152.19.134.142:443
[2961637] 1611748783.429239: HTTPS error: HTTP/1.1 503 Service Unavailable\x0d\x0aDate: Wed, 27 Jan 2021 11:58:51 GMT\x0d\x0aServer: Apache\x0d\x0aStrict-Transport-Security: max-age=31536000; preload\x0d\x0aX-Frame-Options: SAMEORIGIN\x0d\x0aX-Xss-Protection: 1; mode=block\x0d\x0aX-Content-Type-Options: nosniff\x0d\x0aReferrer-Policy: same-origin\x0d\x0acontent-length: 58\x0d\x0aapptime: D=52179018\x0d\x0ax-fedora-appserver: ipa01.iad2.fedoraproject.org\x0d\x0acontent-type: text/plain; charset=utf-8\x0d\x0aX-Fedora-ProxyServer: proxy14.fedoraproject.org\x0d\x0aX-Fedora-RequestID: YBFVe--THHOBmVW9RxWTDwAAAUg\x0d\x0aConnection: close\x0d\x0a\x0d\x0aRemote unavailable (FEDORAPROJECT.ORG AS-REQ (208 bytes)).
[2961637] 1611748783.429240: Terminating TCP connection to https 8.43.85.67:443
[2961637] 1611748792.923647: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748792.923648: Sending HTTPS request to https 67.219.144.68:443
[2961637] 1611748794.905796: HTTPS error: HTTP/1.1 503 Service Unavailable\x0d\x0aDate: Wed, 27 Jan 2021 11:59:01 GMT\x0d\x0aServer: Apache\x0d\x0aStrict-Transport-Security: max-age=31536000; preload\x0d\x0aX-Frame-Options: SAMEORIGIN\x0d\x0aX-Xss-Protection: 1; mode=block\x0d\x0aX-Content-Type-Options: nosniff\x0d\x0aReferrer-Policy: same-origin\x0d\x0acontent-length: 58\x0d\x0aapptime: D=53516197\x0d\x0ax-fedora-appserver: ipa01.iad2.fedoraproject.org\x0d\x0acontent-type: text/plain; charset=utf-8\x0d\x0aX-Fedora-ProxyServer: proxy10.iad2.fedoraproject.org\x0d\x0aX-Fedora-RequestID: YBFVhT2NcHz9@IquXl0CVgAAAsk\x0d\x0aConnection: close\x0d\x0a\x0d\x0aRemote unavailable (FEDORAPROJECT.ORG AS-REQ (208 bytes)).
[2961637] 1611748794.905797: Terminating TCP connection to https 38.145.60.21:443
[2961637] 1611748803.775654: Terminating TCP connection to https 2a05:d014:10:7803:f774:4d7c:e277:a457:443
[2961637] 1611748803.775655: TLS certificate name matched "id.fedoraproject.org"
[2961637] 1611748803.775656: Sending HTTPS request to https 18.185.136.17:443
[2961637] 1611748804.371615: HTTPS error: HTTP/1.1 503 Service Unavailable\x0d\x0aDate: Wed, 27 Jan 2021 11:59:11 GMT\x0d\x0aServer: Apache\x0d\x0aStrict-Transport-Security: max-age=31536000; preload\x0d\x0aX-Frame-Options: SAMEORIGIN\x0d\x0aX-Xss-Protection: 1; mode=block\x0d\x0aX-Content-Type-Options: nosniff\x0d\x0aReferrer-Policy: same-origin\x0d\x0acontent-length: 58\x0d\x0aapptime: D=52590768\x0d\x0ax-fedora-appserver: ipa01.iad2.fedoraproject.org\x0d\x0acontent-type: text/plain; charset=utf-8\x0d\x0aX-Fedora-ProxyServer: proxy09.fedoraproject.org\x0d\x0aX-Fedora-RequestID: YBFVjx2lvPD14@TgGWEsaQAAAgA\x0d\x0aConnection: close\x0d\x0a\x0d\x0aRemote unavailable (FEDORAPROJECT.ORG AS-REQ (208 bytes)).
[2961637] 1611748804.371616: Terminating TCP connection to https 140.211.169.206:443
[2961637] 1611748813.832902: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[2961637] 1611748814.834550: Terminating TCP connection to https 2a05:d01c:c6a:cc03:263a:8409:b961:7e02:443
[2961637] 1611748815.834861: Terminating TCP connection to https 2610:28:3090:3001:dead:beef:cafe:fed3:443
[2961637] 1611748816.836629: Terminating TCP connection to https 2620:52:3:1:dead:beef:cafe:fed7:443
[2961637] 1611748817.836781: Terminating TCP connection to https 2604:1580:fe00:0:dead:beef:cafe:fed1:443
[2961637] 1611748818.836408: Terminating TCP connection to https 2620:52:3:1:dead:beef:cafe:fed6:443
[2961637] 1611748819.838290: Terminating TCP connection to https 2605:bc80:3010:600:dead:beef:cafe:fed9:443
[2961637] 1611748825.101799: HTTPS error: HTTP/1.1 503 Service Unavailable\x0d\x0aDate: Wed, 27 Jan 2021 11:59:21 GMT\x0d\x0aServer: Apache\x0d\x0aStrict-Transport-Security: max-age=31536000; preload\x0d\x0aX-Frame-Options: SAMEORIGIN\x0d\x0aX-Xss-Protection: 1; mode=block\x0d\x0aX-Content-Type-Options: nosniff\x0d\x0aReferrer-Policy: same-origin\x0d\x0acontent-length: 58\x0d\x0aapptime: D=63340624\x0d\x0ax-fedora-appserver: ipa01.iad2.fedoraproject.org\x0d\x0acontent-type: text/plain; charset=utf-8\x0d\x0aX-Fedora-ProxyServer: proxy12.fedoraproject.org\x0d\x0aX-Fedora-RequestID: YBFVmcd4SqULEQKoN4aTtgAAAE4\x0d\x0aConnection: close\x0d\x0a\x0d\x0aRemote unavailable (FEDORAPROJECT.ORG AS-REQ (208 bytes)).
[2961637] 1611748825.101800: Terminating TCP connection to https 152.19.134.198:443
[2961637] 1611748834.848055: Terminating TCP connection to https 209.132.190.2:443
[2961637] 1611748834.848056: Terminating TCP connection to https 38.145.60.20:443
[2961637] 1611748834.848057: Terminating TCP connection to https 152.19.134.142:443
[2961637] 1611748834.848058: Terminating TCP connection to https 67.219.144.68:443
[2961637] 1611748834.848059: Terminating TCP connection to https 18.185.136.17:443
kinit: Cannot contact any KDC for realm 'FEDORAPROJECT.ORG' while getting initial credentials

Metadata Update from @abbra:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago

fyi, this was caused by an update on the ipa server to fix a cve so shouldn't be a recurring issue

Login to comment on this ticket.

Metadata