+     kerberos_gssapi_debug

+ ==============================

+ Koji Kerberos/GSSAPI debugging

+ ==============================

+ 

+ Run basic command Koji with debug option isn't help to debug Kerberos/GSSAPI issue.

+ In successful call you'll see what authentication method was used and was is the

+ koji server connected to:

+ 

+ ::

+ 

+     $ kinit my_account@FEDORAPROJECT.ORG

+     Password for my_account@FEDORAPROJECT.ORG:

+ 

+     $ koji hello

+     successfully connected to hub

+     dobrý den, my_account!

+ 

+     You are using the hub at https://koji.fedoraproject.org/kojihub

+     Authenticated via GSSAPI

+ 

+ ...or you can get some error:

+ 

+ ::

+ 

+     $ koji hello

+     2021-04-23 09:45:22,732 [ERROR] koji: (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin)

+     Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/

+     2021-04-23 09:45:22,734 [ERROR] koji: GSSAPIAuthError: unable to obtain a session (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin)

+     Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/

+ 

+ In this case we see not one but two errors while trying to authenticate. Let's

+ see what more info we can get:

+ 

+ ::

+ 

+     $ KRB5_TRACE=/dev/stdout python koji -d hello

+     2021-04-23 09:47:58,730 [DEBUG] koji: Opening new requests session

+     2021-04-23 09:47:58,731 [DEBUG] koji: Opening new requests session

+     2021-04-23 09:47:59,446 [DEBUG] koji: Opening new requests session

+     2021-04-23 09:47:59,446 [ERROR] koji: (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin)

+     Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/

+     Traceback (most recent call last):

+       File "/usr/bin/koji", line 335, in <module>

+         rv = locals()[command].__call__(options, session, args)

+       File "/home/tkopecek/cvs/koji/cli/koji_cli/commands.py", line 7496, in handle_moshimoshi

+         activate_session(session, options)

+       File "/home/tkopecek/cvs/koji/cli/koji_cli/lib.py", line 749, in activate_session

+         session.gssapi_login(proxyuser=runas)

+       File "/home/tkopecek/cvs/koji/koji/__init__.py", line 2513, in gssapi_login

+         raise GSSAPIAuthError(err)

+     koji.GSSAPIAuthError: unable to obtain a session (gssapi auth failed: requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://koji.fedoraproject.org/kojihub/ssllogin)

+     Use following documentation to debug kerberos/gssapi auth issues. https://docs.pagure.org/koji/kerberos_gssapi_debug/

+ 

+ We see no output from krbV library. It indicates that there was no significant

+ interaction with the library. Main reason would be missing ``kinit``. Fixing

+ this problem is pretty easy. What about other problems?

+ 

+ You can see wrong URL for the hub. Check if it is coming from system-wide config

+ ``/etc/koji.conf`` or anything in ``/etc/koji.conf.d`` or ``~/.koji/config``.

+ Maybe URL for your instance has changed or some old config was forgotten in

+ place.

+ 

+ Compare with successful output when krbV library does its work:

+ 

+ ::

+ 

+     $ KRB5_TRACE=/dev/stdout koji -d hello

+     2021-04-23 09:50:34,442 [DEBUG] koji: Opening new requests session

+     2021-04-23 09:50:34,442 [DEBUG] koji: Opening new requests session

+     [36315] 1619164236.523876: TXT record _kerberos.koji.fedoraproject.org. not found

+     [36315] 1619164236.523877: TXT record _kerberos.fedoraproject.org. found: FEDORAPROJECT.ORG

+     [36315] 1619164236.523878: ccselect module realm chose cache FILE:/tmp/krb5cc_1000 with client principal my_account@FEDORAPROJECT.ORG for server principal HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG

+     [36315] 1619164236.523879: Getting credentials my_account@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@ using ccache FILE:/tmp/krb5cc_1000

+     [36315] 1619164236.523880: Retrieving my_account@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@ from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)

+     [36315] 1619164236.523881: Retrying my_account@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_1000)

+     [36315] 1619164236.523882: Server has referral realm; starting with HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG

+     [36315] 1619164236.523883: Retrieving my_account@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from FILE:/tmp/krb5cc_1000 with result: 0/Success

+     [36315] 1619164236.523884: Starting with TGT for client realm: my_account@FEDORAPROJECT.ORG -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG

+     [36315] 1619164236.523885: Requesting tickets for HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG, referrals on

+     [36315] 1619164236.523886: Generated subkey for TGS request: aes256-cts/A108

+     [36315] 1619164236.523887: etypes requested in TGS request: aes256-cts, aes128-cts, aes256-sha2, aes128-sha2, rc4-hmac, camellia128-cts, camellia256-cts

+     [36315] 1619164236.523889: Encoding request body and padata into FAST request

+     [36315] 1619164236.523890: Sending request (977 bytes) to FEDORAPROJECT.ORG

+     [36315] 1619164236.523891: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.

+     [36315] 1619164236.523892: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"

+     [36315] 1619164236.523893: Resolving hostname id.fedoraproject.org

+     [36315] 1619164236.523894: TLS certificate name matched "id.fedoraproject.org"

+     [36315] 1619164236.523895: Sending HTTPS request to https 152.19.134.142:443

+     [36315] 1619164237.522076: Received answer (929 bytes) from https 152.19.134.142:443

+     [36315] 1619164237.522077: Terminating TCP connection to https 152.19.134.142:443

+     [36315] 1619164237.522078: Response was from master KDC

+     [36315] 1619164237.522079: Decoding FAST response

+     [36315] 1619164237.522080: FAST reply key: aes256-cts/F6DC

+     [36315] 1619164237.522081: TGS reply is for my_account@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG with session key aes256-cts/A3FF

+     [36315] 1619164237.522082: TGS request result: 0/Success

+     [36315] 1619164237.522083: Received creds for desired service HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG

+     [36315] 1619164237.522084: Storing my_account@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@ in FILE:/tmp/krb5cc_1000

+     [36315] 1619164237.522086: Creating authenticator for my_account@FEDORAPROJECT.ORG -> HTTP/koji.fedoraproject.org@, seqnum 742219461, subkey aes256-cts/1CC1, session key aes256-cts/A3FF

+     successfully connected to hub

+     dobrý den, my_account!

+ 

+     You are using the hub at https://koji.fedoraproject.org/kojihub

+     Authenticated via GSSAPI

+ 

+ 

+ Most problems could be tracked down by this command plus kinit/klist tools. for

+ list of these consult next section.

+ 

+ General problems

+ ================

+ * *No KRB5_TRACE output* - You've not run ``kinit`` in first place, run ``kinit``.

+ * If yes, maybe ticket is no longer valid - check ``klist`` + run ``kinit``

+ * *Hub URL is wrong* - check configs, find out right URL for your environment,

+   update related packages (e.g. ``fedora-packager``)

+ * *Wrong service ticket* E.g because your instance is hidden behing

+   the proxy. In such case you'll see in output wrong principal. Right one would

+   look like ``HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG`` in our example.

+   (You can also check output of ``klist`` which will list it as "Ticket

+   Server").  Wrong one would be e.g.

+   ``HTTP/proxy10.fedoraproject.org@FEDORAPROJECT.ORG``.  Kerberos authentication

+   will fail in such case becase krbV library will not be able to get right

+   ticket. It could be caused by wrong ``/etc/krb5.conf`` settings.  Typical

+   error in this case would be that line ``dns_canonicalize_hostname = true`` is

+   missing. ``krbV`` will try to fetch service ticket for PTR instead of A DNS

+   record effectively asking for wrong service.

+ * *You can't get service ticket at all*. You've not set up the ``/etc/krb5.conf``

+   for relevant KDC/REALM. It shouldn't happen if you were able to ``kinit`` with

+   the correct credentials (It means that you've already set up something).

+   Anyway, you'll see following in the debug output

+ * *Your user account was disabled* This error is not krbV specific. But you can

+   hit it. In such case you will see simple message ``koji: AuthError: unable to

+   obtain a session``. From security reasons we don't display it differently from

+   non-existent account. If you've suspicion that it could be the reason you need

+   to check with your koji instance admin.

+ class GSSAPIAuthError(AuthError):

+     """Raised when GSSAPI issue in authentication"""

+     faultCode = 1023

+ 

+ 

+                 e_str = ''.join(traceback.format_exception_only(type(e), e)).strip('\n')

+                 e_str = '(gssapi auth failed: %s)\n' % e_str

+                 e_str += 'Use following documentation to debug kerberos/gssapi auth issues. ' \

+                          'https://docs.pagure.org/koji/kerberos_gssapi_debug/'

+                 self.logger.error(e_str)

+                 err += ' %s' % e_str

+             raise GSSAPIAuthError(err)

+         with self.assertRaises(koji.GSSAPIAuthError):

+         with self.assertRaises(koji.GSSAPIAuthError):