#747 gssapi keytab login fails on rhel7
Closed: Fixed 6 years ago Opened 6 years ago by mikem.

e.g. https://jenkins.fedorainfracloud.org/job/koji/635/label=EL7/console

======================================================================
ERROR: test_gssapi_login_keytab (test_gssapi.TestGSSAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/srv/jenkins/workspace/koji/label/EL7/tests/test_lib/test_gssapi.py", line 37, in test_gssapi_login_keytab
    self.session.gssapi_login(principal, keytab, ccache)
  File "/srv/jenkins/workspace/koji/label/EL7/koji/__init__.py", line 2259, in gssapi_login
    self.opts['auth'] = HTTPKerberosAuth(**kwargs)
TypeError: __init__() got an unexpected keyword argument 'principal'

As @puiterwijk pointed out to me, this is because of the very old version of python-requests-kerberos (0.7.0) in epel7, which he plans on updating very soon.

The principal parameter is only passed if it is not None, so this shouldn't break normal gssapi auth on el7, just keytab auth, and only until the epel7 package is updated.

So, this is not a 1.15 blocker.

I'm not sure if we want to support this version of the library, but perhaps it would be nice if we checked the library version and gave a better error than the one above.

In practice, on rhel7, the code will fail gssapi auth, but then fall through to the old kerberos auth, which succeeds.

[root@46c20d2bc4b6 koji]# PYTHONPATH=. cli/koji --debug -p stg --keytab /root/mikem.stg.keytab --principal mikem@STG.FEDORAPROJECT.ORG hello
2017-12-13 02:10:09,968 [DEBUG] koji: Opening new requests session
2017-12-13 02:10:09,972 [DEBUG] koji: Opening new requests session
2017-12-13 02:10:09,972 [DEBUG] koji: gssapi auth failed: TypeError: __init__() got an unexpected keyword argument 'principal'

2017-12-13 02:10:13,322 [DEBUG] koji: Using server principal: host/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
successfully connected to hub
bonjour, mikem!

You are using the hub at https://koji.stg.fedoraproject.org/kojihub
Authenticated via Kerberos principal mikem@STG.FEDORAPROJECT.ORG

@puiterwijk is the python-gssapi update for epel7 tracked anywhere?

I'm curious how you got a Fedora keytab :)

Commit af1a858 relates to this ticket
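
The check suggested in the ticket, as an added example (not koji's code and not the change in commit af1a858): inspect the auth class's constructor before calling it, so that an old library yields a descriptive error rather than a TypeError that only shows up in debug output before the fallback to the old kerberos auth. `build_auth`, `unsupported_kwargs`, `AuthLibraryTooOld` and the two stand-in classes are hypothetical names; the stand-ins are constructed and only mimic a constructor with and without `principal`.

```python
import inspect


class AuthLibraryTooOld(RuntimeError):
    """Raised when the installed auth class lacks a needed keyword argument."""


def unsupported_kwargs(auth_cls, kwargs):
    """Return the names in kwargs that auth_cls's constructor cannot accept."""
    params = inspect.signature(auth_cls).parameters
    # A **kwargs catch-all means any keyword is accepted.
    if any(p.kind is inspect.Parameter.VAR_KEYWORD for p in params.values()):
        return []
    return sorted(name for name in kwargs if name not in params)


def build_auth(auth_cls, **kwargs):
    """Construct auth_cls, raising a descriptive error instead of a TypeError."""
    # As described in the ticket, a value is only passed when it is not None.
    kwargs = {k: v for k, v in kwargs.items() if v is not None}
    missing = unsupported_kwargs(auth_cls, kwargs)
    if missing:
        raise AuthLibraryTooOld(
            "%s does not support %s; keytab login needs a newer "
            "python-requests-kerberos" % (auth_cls.__name__, ", ".join(missing))
        )
    return auth_cls(**kwargs)


# Constructed stand-ins, not the real library classes.
class OldAuth:
    def __init__(self, mutual_authentication=1):
        self.mutual_authentication = mutual_authentication


class NewAuth:
    def __init__(self, mutual_authentication=1, principal=None):
        self.mutual_authentication = mutual_authentication
        self.principal = principal


if __name__ == "__main__":
    print(build_auth(NewAuth, principal="user@EXAMPLE.COM").principal)
    print(build_auth(OldAuth, principal=None).mutual_authentication)
    try:
        build_auth(OldAuth, principal="user@EXAMPLE.COM")
    except AuthLibraryTooOld as exc:
        print("error:", exc)
```

A caller that catches `AuthLibraryTooOld` separately from other failures can report it to the user before trying any other authentication method.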

Metadata Update from @mikem:
- Issue set to the milestone: 1.16

5 years ago
