koji

Clone

#2534 Failure while trying to push a koji build
Closed: Fixed 3 years ago by esindril. Opened 3 years ago by esindril.

Closed: Fixed
Reopen Issue

I get the following failure while trying to push a koji build:

koji build --scratch epel8 /tmp/richacl-1.12-9.fc32.src.rpm 
2020-10-09 13:40:43,365 [ERROR] koji: Fault: <Fault 1: "<class 'AttributeError'>: krbLogin">

I have a valid krb5 ticket for the realm:

date
Fri Oct  9 13:41:19 CEST 2020

klist 
Ticket cache: FILE:/tmp/krb5cc_58602
Default principal: esindril@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
10/09/2020 13:38:11  10/10/2020 13:38:11  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
    renew until 10/14/2020 13:37:38
10/09/2020 13:38:22  10/10/2020 13:38:11  host/koji.fedoraproject.org@FEDORAPROJECT.ORG
    renew until 10/14/2020 13:37:38

And executing the same command with more debug yields:

KRB5_TRACE=/dev/stdout koji build --scratch epel8 /tmp/richacl-1.12-9.fc32.src.rpm 
[5067] 1602243520.377235: ccselect module realm chose cache FILE:/tmp/krb5cc_58602 with client principal esindril@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG
[5067] 1602243520.377236: Getting credentials esindril@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG using ccache FILE:/tmp/krb5cc_58602
[5067] 1602243520.377237: Retrieving esindril@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_58602 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_58602)
[5067] 1602243520.377238: Retrieving esindril@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_58602 with result: 0/Success
[5067] 1602243520.377239: Starting with TGT for client realm: esindril@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[5067] 1602243520.377240: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[5067] 1602243520.377241: Generated subkey for TGS request: rc4-hmac/C58B
[5067] 1602243520.377242: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[5067] 1602243520.377244: Encoding request body and padata into FAST request
[5067] 1602243520.377245: Sending request (1007 bytes) to FEDORAPROJECT.ORG
[5067] 1602243520.377246: Resolving hostname id.fedoraproject.org
[5067] 1602243520.377247: TLS certificate name matched "id.fedoraproject.org"
[5067] 1602243520.377248: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[5067] 1602243520.377249: Received answer (479 bytes) from https 2001:4178:2:1269::fed2:443
[5067] 1602243520.377250: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[5067] 1602243520.377251: Response was from master KDC
[5067] 1602243520.377252: Decoding FAST response
[5067] 1602243520.377253: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[5067] 1602243520.377254: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[5067] 1602243520.377255: Generated subkey for TGS request: rc4-hmac/B487
[5067] 1602243520.377256: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[5067] 1602243520.377258: Encoding request body and padata into FAST request
[5067] 1602243520.377259: Sending request (1007 bytes) to FEDORAPROJECT.ORG
[5067] 1602243520.377260: Resolving hostname id.fedoraproject.org
[5067] 1602243520.377261: TLS certificate name matched "id.fedoraproject.org"
[5067] 1602243520.377262: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[5067] 1602243521.205462: Received answer (479 bytes) from https 2001:4178:2:1269::fed2:443
[5067] 1602243521.205463: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[5067] 1602243521.205464: Response was from master KDC
[5067] 1602243521.205465: Decoding FAST response
[5067] 1602243521.205466: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[5067] 1602243521.205472: ccselect module realm chose cache FILE:/tmp/krb5cc_58602 with client principal esindril@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG
[5067] 1602243521.205473: Getting credentials esindril@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG using ccache FILE:/tmp/krb5cc_58602
[5067] 1602243521.205474: Retrieving esindril@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_58602 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_58602)
[5067] 1602243521.205475: Retrieving esindril@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_58602 with result: 0/Success
[5067] 1602243521.205476: Starting with TGT for client realm: esindril@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[5067] 1602243521.205477: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[5067] 1602243521.205478: Generated subkey for TGS request: rc4-hmac/B2F0
[5067] 1602243521.205479: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[5067] 1602243521.205481: Encoding request body and padata into FAST request
[5067] 1602243521.205482: Sending request (1007 bytes) to FEDORAPROJECT.ORG
[5067] 1602243521.205483: Resolving hostname id.fedoraproject.org
[5067] 1602243521.205484: TLS certificate name matched "id.fedoraproject.org"
[5067] 1602243521.205485: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[5067] 1602243521.205486: Received answer (479 bytes) from https 2001:4178:2:1269::fed2:443
[5067] 1602243521.205487: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[5067] 1602243521.205488: Response was from master KDC
[5067] 1602243521.205489: Decoding FAST response
[5067] 1602243521.205490: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[5067] 1602243521.205491: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[5067] 1602243521.205492: Generated subkey for TGS request: rc4-hmac/0241
[5067] 1602243521.205493: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[5067] 1602243521.205495: Encoding request body and padata into FAST request
[5067] 1602243521.205496: Sending request (1007 bytes) to FEDORAPROJECT.ORG
[5067] 1602243521.205497: Resolving hostname id.fedoraproject.org
[5067] 1602243521.205498: TLS certificate name matched "id.fedoraproject.org"
[5067] 1602243521.205499: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[5067] 1602243522.74147: Received answer (476 bytes) from https 2001:4178:2:1269::fed2:443
[5067] 1602243522.74148: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[5067] 1602243522.74149: Response was from master KDC
[5067] 1602243522.74150: Decoding FAST response
[5067] 1602243522.74151: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[5067] 1602243522.74155: Getting credentials esindril@FEDORAPROJECT.ORG -> host/koji.fedoraproject.org@FEDORAPROJECT.ORG using ccache FILE:/tmp/krb5cc_58602
[5067] 1602243522.74156: Retrieving esindril@FEDORAPROJECT.ORG -> host/koji.fedoraproject.org@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_58602 with result: 0/Success
[5067] 1602243522.74157: Creating authenticator for esindril@FEDORAPROJECT.ORG -> host/koji.fedoraproject.org@FEDORAPROJECT.ORG, seqnum 443637313, subkey (null), session key aes256-cts/5FB7
2020-10-09 13:38:42,524 [ERROR] koji: Fault: <Fault 1: "<class 'AttributeError'>: krbLogin">

Do you have any suggestion on what might be wrong here? This is for a newly created account. I created my account more than 24h ago.

Thank you.

A bit more info about the OS which is CentOS7:

uname -a 
Linux esdss000.cern.ch 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

It looks like very old client (krbLogin is replaced by gssapiLogin few version ago). Anyway, default koji client in centos7 works for me. What koji --debug hello prints?

$ podman run -ti --rm centos:7 bash
$ yum install koji krb5-workstation
$ kinit tkopecek@FEDORAPROJECT.ORG
$ koji hello
tervehdys, tkopecek!

You are using the hub at https://koji.fedoraproject.org/kojihub
Authenticated via GSSAPI

Metadata Update from @tkopecek:
- Custom field Size adjusted to None
3 years ago

Thank you for the quick reply. Indeed, we have an older version of koji 1.17.0. Updating to 1.21.1 which is the latest in EPEL7 throws a different error now:

 koji hello
2020-10-09 15:09:26,169 [ERROR] koji: AuthError: unable to obtain a session
[esindril@esdss000 tmp]$ KRB5_TRACE=/dev/stdout koji build --scratch epel8 /tmp/richacl-1.12-9.fc32.src.rpm 
[12724] 1602248969.492425: ccselect module realm chose cache FILE:/tmp/krb5cc_58602 with client principal esindril@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG
[12724] 1602248969.492426: Getting credentials esindril@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG using ccache FILE:/tmp/krb5cc_58602
[12724] 1602248969.492427: Retrieving esindril@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_58602 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_58602)
[12724] 1602248969.492428: Retrieving esindril@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_58602 with result: 0/Success
[12724] 1602248969.492429: Starting with TGT for client realm: esindril@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[12724] 1602248969.492430: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[12724] 1602248969.492431: Generated subkey for TGS request: aes256-cts/2C2E
[12724] 1602248969.492432: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[12724] 1602248969.492434: Encoding request body and padata into FAST request
[12724] 1602248969.492435: Sending request (1059 bytes) to FEDORAPROJECT.ORG
[12724] 1602248969.492436: Resolving hostname id.fedoraproject.org
[12724] 1602248969.492437: TLS certificate name matched "id.fedoraproject.org"
[12724] 1602248969.492438: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[12724] 1602248969.492439: Received answer (484 bytes) from https 2001:4178:2:1269::fed2:443
[12724] 1602248969.492440: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[12724] 1602248969.492441: Response was from master KDC
[12724] 1602248969.492442: Decoding FAST response
[12724] 1602248969.492443: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[12724] 1602248969.492444: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[12724] 1602248969.492445: Generated subkey for TGS request: aes256-cts/78B8
[12724] 1602248969.492446: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[12724] 1602248969.492448: Encoding request body and padata into FAST request
[12724] 1602248969.492449: Sending request (1059 bytes) to FEDORAPROJECT.ORG
[12724] 1602248969.492450: Resolving hostname id.fedoraproject.org
[12724] 1602248969.492451: TLS certificate name matched "id.fedoraproject.org"
[12724] 1602248970.12707: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[12724] 1602248970.12708: Received answer (484 bytes) from https 2001:4178:2:1269::fed2:443
[12724] 1602248970.12709: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[12724] 1602248970.12710: Response was from master KDC
[12724] 1602248970.12711: Decoding FAST response
[12724] 1602248970.12712: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[12724] 1602248970.12718: ccselect module realm chose cache FILE:/tmp/krb5cc_58602 with client principal esindril@FEDORAPROJECT.ORG for server principal HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG
[12724] 1602248970.12719: Getting credentials esindril@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG using ccache FILE:/tmp/krb5cc_58602
[12724] 1602248970.12720: Retrieving esindril@FEDORAPROJECT.ORG -> HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_58602 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_58602)
[12724] 1602248970.12721: Retrieving esindril@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_58602 with result: 0/Success
[12724] 1602248970.12722: Starting with TGT for client realm: esindril@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[12724] 1602248970.12723: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals on
[12724] 1602248970.12724: Generated subkey for TGS request: aes256-cts/D3B1
[12724] 1602248970.12725: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[12724] 1602248970.12727: Encoding request body and padata into FAST request
[12724] 1602248970.12728: Sending request (1058 bytes) to FEDORAPROJECT.ORG
[12724] 1602248970.12729: Resolving hostname id.fedoraproject.org
[12724] 1602248970.12730: TLS certificate name matched "id.fedoraproject.org"
[12724] 1602248970.12731: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[12724] 1602248970.12732: Received answer (484 bytes) from https 2001:4178:2:1269::fed2:443
[12724] 1602248970.12733: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[12724] 1602248970.12734: Response was from master KDC
[12724] 1602248970.12735: Decoding FAST response
[12724] 1602248970.12736: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
[12724] 1602248970.12737: Requesting tickets for HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG, referrals off
[12724] 1602248970.12738: Generated subkey for TGS request: aes256-cts/FB35
[12724] 1602248970.12739: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, des3-cbc-sha1, rc4-hmac, camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4
[12724] 1602248970.12741: Encoding request body and padata into FAST request
[12724] 1602248970.12742: Sending request (1058 bytes) to FEDORAPROJECT.ORG
[12724] 1602248970.12743: Resolving hostname id.fedoraproject.org
[12724] 1602248970.12744: TLS certificate name matched "id.fedoraproject.org"
[12724] 1602248970.12745: Sending HTTPS request to https 2001:4178:2:1269::fed2:443
[12724] 1602248971.192982: Received answer (484 bytes) from https 2001:4178:2:1269::fed2:443
[12724] 1602248971.192983: Terminating TCP connection to https 2001:4178:2:1269::fed2:443
[12724] 1602248971.192984: Response was from master KDC
[12724] 1602248971.192985: Decoding FAST response
[12724] 1602248971.192986: TGS request result: -1765328377/Server HTTP/proxy-iad01.fedoraproject.org@FEDORAPROJECT.ORG not found in Kerberos database
2020-10-09 15:09:31,213 [ERROR] koji: AuthError: unable to obtain a session

Running the following version:

rpm -qa | grep koji
koji-1.21.1-1.el7.noarch
python2-koji-1.21.1-1.el7.noarch

This is probably more instructive:

 koji --debug hello
2020-10-09 15:24:25,136 [DEBUG] koji: Opening new requests session
2020-10-09 15:24:25,142 [DEBUG] koji: Opening new requests session
2020-10-09 15:24:27,363 [DEBUG] koji: Opening new requests session
2020-10-09 15:24:27,364 [DEBUG] koji: gssapi auth failed: HTTPError: 401 Client Error: Unauthorized

Traceback (most recent call last):
  File "/usr/bin/koji", line 335, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/lib/python2.7/site-packages/koji_cli/commands.py", line 7412, in handle_moshimoshi
    activate_session(session, options)
  File "/usr/lib/python2.7/site-packages/koji_cli/lib.py", line 700, in activate_session
    session.gssapi_login(proxyuser=runas)
  File "/usr/lib/python2.7/site-packages/koji/__init__.py", line 2578, in gssapi_login
    raise AuthError('unable to obtain a session')
koji.AuthError: unable to obtain a session

Check that you have: 

rdns = false

in /etc/krb5.conf

Indeed, this is what was missing. Putting in this option, everything works. Thanks for all the replies!

Metadata Update from @esindril:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
3 years ago

Login to comment on this ticket.

Metadata
None
None
None
None
Normal
None
None
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.