#519 In-actionable error on python3 with gssapi error
Closed: Fixed 4 years ago Opened 5 years ago by puiterwijk.

When using python3 for the koji client, krbV is unavailable.
This leads to the following error if gssapi error fails (because the user had no ticket for example): "Please install python-krbV to use kerberos.".
If krbV is unavailable, we should instead make the gssapi error fatal.


For the future, related to this issue is that service principals of the form user/host@REALM (indicated in the default configuration files) will be unusable with mod_auth_gssapi unless they are actually mapped to local users in /etc/krb5.conf.

<Location /kojihub/ssllogin>
...
"GssapiLocalName On"
...

Unfortunately, if your kerberos installation is based on FreeIPA/SSSD, auth_to_local mapping in krb5.conf is overriden by the localauth_plugin provided by the sssd-client package.

The current recommendation from the FreeIPA community AFAIK, is to prefer service principals over user principals due to the fact that FreeIPA users will have lots of control over their own "account" in FreeIPA by default.

I report this since Koji is moving toward mod_auth_gssapi and I was running into this same error.

pr #518 was merged

Metadata Update from @mikem:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Metadata Update from @julian8628:
- Issue set to the milestone: 1.14

4 years ago

Login to comment on this ticket.

Metadata