Hello, I can't obtain a koji session. I logged in with Kerberos but can't execute koji hello.
I logged in with Kerberos:
Ticket cache: KEYRING:persistent:1000:krb_ccache_BXEryGQ
Default principal: sturivny@FEDORAPROJECT.ORG
Valid starting       Expires              Service principal
02/16/2021 14:59:47  02/17/2021 14:59:38  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
I get an error when trying to execute koji hello:
❯ KRB5_TRACE=/dev/stderr koji -d hello
2021-02-16 15:00:00,583 [DEBUG] koji: Opening new requests session
2021-02-16 15:00:00,584 [DEBUG] koji: Opening new requests session
[71426] 1613484001.404365: ccselect module realm chose cache KEYRING:persistent:1000:krb_ccache_BXEryGQ with client principal sturivny@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG
[71426] 1613484001.404366: Getting credentials sturivny@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG using ccache KEYRING:persistent:1000:krb_ccache_BXEryGQ
[71426] 1613484001.404367: Retrieving sturivny@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG from KEYRING:persistent:1000:krb_ccache_BXEryGQ with result: -1765328243/Matching credential not found
[71426] 1613484001.404368: Retrieving sturivny@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from KEYRING:persistent:1000:krb_ccache_BXEryGQ with result: 0/Success
[71426] 1613484001.404369: Starting with TGT for client realm: sturivny@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[71426] 1613484001.404370: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[71426] 1613484001.404371: Generated subkey for TGS request: aes256-cts/F224
[71426] 1613484001.404372: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, rc4-hmac, camellia128-cts, camellia256-cts
[71426] 1613484001.404374: Encoding request body and padata into FAST request
[71426] 1613484001.404375: Sending request (993 bytes) to FEDORAPROJECT.ORG
[71426] 1613484001.404376: Resolving hostname id.fedoraproject.org
[71426] 1613484001.404377: TLS certificate name matched "id.fedoraproject.org"
[71426] 1613484001.404378: Sending HTTPS request to https 67.219.144.68:443
[71426] 1613484002.303877: Received answer (483 bytes) from https 67.219.144.68:443
[71426] 1613484002.303878: Terminating TCP connection to https 67.219.144.68:443
[71426] 1613484002.303879: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[71426] 1613484002.303880: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[71426] 1613484002.303881: Response was from master KDC
[71426] 1613484002.303882: Decoding FAST response
[71426] 1613484002.303883: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[71426] 1613484002.303884: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[71426] 1613484002.303885: Generated subkey for TGS request: aes256-cts/029B
[71426] 1613484002.303886: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, rc4-hmac, camellia128-cts, camellia256-cts
[71426] 1613484002.303888: Encoding request body and padata into FAST request
[71426] 1613484002.303889: Sending request (995 bytes) to FEDORAPROJECT.ORG
[71426] 1613484002.303890: Resolving hostname id.fedoraproject.org
[71426] 1613484002.303891: TLS certificate name matched "id.fedoraproject.org"
[71426] 1613484002.303892: Sending HTTPS request to https 18.133.140.134:443
[71426] 1613484003.92937: Received answer (484 bytes) from https 18.133.140.134:443
[71426] 1613484003.92938: Terminating TCP connection to https 18.133.140.134:443
[71426] 1613484003.92939: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[71426] 1613484003.92940: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[71426] 1613484003.92941: Response was from master KDC
[71426] 1613484003.92942: Decoding FAST response
[71426] 1613484003.92943: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[71426] 1613484003.92949: ccselect module realm chose cache KEYRING:persistent:1000:krb_ccache_BXEryGQ with client principal sturivny@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG
[71426] 1613484003.92950: Getting credentials sturivny@FEDORAPROJECT.ORG -> HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG using ccache KEYRING:persistent:1000:krb_ccache_BXEryGQ
[71426] 1613484003.92951: Retrieving sturivny@FEDORAPROJECT.ORG -> HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG from KEYRING:persistent:1000:krb_ccache_BXEryGQ with result: -1765328243/Matching credential not found
[71426] 1613484003.92952: Retrieving sturivny@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from KEYRING:persistent:1000:krb_ccache_BXEryGQ with result: 0/Success
[71426] 1613484003.92953: Starting with TGT for client realm: sturivny@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[71426] 1613484003.92954: Requesting tickets for HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[71426] 1613484003.92955: Generated subkey for TGS request: aes256-cts/E9B2
[71426] 1613484003.92956: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, rc4-hmac, camellia128-cts, camellia256-cts
[71426] 1613484003.92958: Encoding request body and padata into FAST request
[71426] 1613484003.92959: Sending request (995 bytes) to FEDORAPROJECT.ORG
[71426] 1613484003.92960: Resolving hostname id.fedoraproject.org
[71426] 1613484004.116688: TLS certificate name matched "id.fedoraproject.org"
[71426] 1613484004.116689: Sending HTTPS request to https 8.43.85.67:443
[71426] 1613484004.116690: Received answer (484 bytes) from https 8.43.85.67:443
[71426] 1613484004.116691: Terminating TCP connection to https 8.43.85.67:443
[71426] 1613484004.116692: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[71426] 1613484004.116693: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[71426] 1613484004.116694: Response was from master KDC
[71426] 1613484004.116695: Decoding FAST response
[71426] 1613484004.116696: TGS request result: -1765328377/Server HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[71426] 1613484004.116697: Requesting tickets for HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[71426] 1613484004.116698: Generated subkey for TGS request: aes256-cts/2B6E
[71426] 1613484004.116699: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, rc4-hmac, camellia128-cts, camellia256-cts
[71426] 1613484004.116701: Encoding request body and padata into FAST request
[71426] 1613484004.116702: Sending request (995 bytes) to FEDORAPROJECT.ORG
[71426] 1613484004.116703: Resolving hostname id.fedoraproject.org
[71426] 1613484004.116704: TLS certificate name matched "id.fedoraproject.org"
[71426] 1613484004.116705: Sending HTTPS request to https 18.185.136.17:443
[71426] 1613484005.139685: Received answer (484 bytes) from https 18.185.136.17:443
[71426] 1613484005.139686: Terminating TCP connection to https 18.185.136.17:443
[71426] 1613484005.139687: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[71426] 1613484005.139688: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[71426] 1613484005.139689: Response was from master KDC
[71426] 1613484005.139690: Decoding FAST response
[71426] 1613484005.139691: TGS request result: -1765328377/Server HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
2021-02-16 15:00:05,173 [DEBUG] koji: Opening new requests session
2021-02-16 15:00:05,174 [DEBUG] koji: gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin
Traceback (most recent call last):
  File "/usr/bin/koji", line 337, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/lib/python3.7/site-packages/koji_cli/commands.py", line 7399, in handle_moshimoshi
    activate_session(session, options)
  File "/usr/lib/python3.7/site-packages/koji_cli/lib.py", line 685, in activate_session
    session.gssapi_login(proxyuser=runas)
  File "/usr/lib/python3.7/site-packages/koji/__init__.py", line 2522, in gssapi_login
    raise AuthError('unable to obtain a session')
koji.AuthError: unable to obtain a session
I updated /etc/koji.conf https://paste.centos.org/view/e5658f97 and /etc/koji.conf.d/fedora.conf https://paste.centos.org/view/fe673f34 but it didn't help
Metadata Update from @smooge: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: koji, low-gain, low-trouble, ops
So, do you have 'rdns = true' in /etc/krb5.conf or any of the /etc/krb5.conf.d/* files?
Try changing that to 'rdns = false' ?
Metadata Update from @kevin: - Issue untagged with: koji, low-gain, low-trouble, ops - Issue priority set to: Needs Review (was: Waiting on Assignee)
@kevin Yep, it works, thank you!
successfully connected to hub
zdravstvuite, sturivny!
Changed in the /etc/krb5.conf
Metadata Update from @sturivny: - Issue priority set to: None (was: Needs Review)
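An added example, not part of the ticket and not koji's or krb5's own code: a small Python check for the symptom seen in the trace above, where the KDC rejects service principals for hosts other than the hub's own name while rdns is in effect. The trace entries and krb5.conf fragment are constructed samples modelled on the ticket, and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample: four entries shaped like the KRB5_TRACE output in this ticket.
SAMPLE_TRACE = """\
[71426] 1613484001.404370: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[71426] 1613484002.303883: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[71426] 1613484003.92954: Requesting tickets for HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[71426] 1613484004.116696: TGS request result: -1765328377/Server HTTP/proxy-iad02.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
"""
# Constructed krb5.conf fragment (not the reporter's actual file).
SAMPLE_KRB5_CONF = "[libdefaults]\n    default_realm = FEDORAPROJECT.ORG\n    rdns = true\n"
HUB_URL = "https://koji.fedoraproject.org/kojihub"  # host as in the 401 URL in the trace

NOT_FOUND = re.compile(r"Server [^/\s]+/([^@\s]+)@\S+ not found in Kerberos database")
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}

def rdns_enabled(conf_text):
    """Effective rdns from [libdefaults] of one file; MIT krb5 defaults to true when unset."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "libdefaults" and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if key == "rdns":
                return val.lower() not in FALSE_WORDS
    return True

def diagnose(trace_text, hub_url, conf_text):
    """Compare hosts the KDC rejected with the host the client was configured to reach."""
    hub_host = urlparse(hub_url).hostname
    rejected = sorted({m.group(1) for m in NOT_FOUND.finditer(trace_text)})
    rewritten = [host for host in rejected if host != hub_host]
    rdns = rdns_enabled(conf_text)
    return {
        "hub_host": hub_host,
        "rewritten_hosts": rewritten,   # principals built from a name other than the hub's
        "rdns_enabled": rdns,
        "suspect_rdns": bool(rewritten) and rdns,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE, HUB_URL, SAMPLE_KRB5_CONF).items():
        print(f"{key}: {value}")
```

The check reads a single file's text; settings pulled in from /etc/krb5.conf.d/* have to be passed through it separately.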
Let's close then :)
Thanks for getting back to us that it is fixed
Metadata Update from @pingou: - Issue priority set to: Waiting on Assignee - Issue tagged with: koji, low-gain, low-trouble, ops
Metadata Update from @pingou: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
@kevin @pilou Thank you for helping :)
Issue status updated to: Open (was: Closed)
Issue status updated to: Closed (was: Open) Issue close_status updated to: Fixed