On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>> koji authentication will be switching to Kerberos. Koji supports multiple
>> authentication mechanisms. Fedora infrastructure has set up a freeipa instance
>> internally that has credential syncing to fas. We are working on ensuring that
>> gssapi caching is supported so that you can have multiple TGT's and the
>> ability to work in multiple realms at once. you can get started today by doing
>> kinit <fas username>@FEDORAPROJECT.ORG if you move your ~/.fedora.cert file
>> out of the way authentication will still work.
>
>
> Can you expand (with links to webpages/wiki?) on multiple TGTs support?
> At the moment, when I use kinit on F25, I get ticket for @FEDORAPROJECT.ORG realm,
> but I lose my primary principal ticket. This means I lose access to my services,
> including access to web proxy being my internet gateway.
> What's the trick to have _both_ tickets active – for my organisation and for
> Fedora – at the same time? This is using default Ticket cache: KEYRING:persistent:…
>

You don't lose them (you can see both with `klist -A`). What happens is that the
default ticket is the most recent one you got a TGT for. You can switch the
default ticket back to your other one with `kswitch -p username@REALM`.

We should probably look at an /etc/krb5.conf.d snippet to have the
`fedora-packager` RPM provide that will add a section like:

```
[domain_realm]
fedoraproject.org = FEDORAPROJECT.ORG
.fedoraproject.org = FEDORAPROJECT.ORG
fedorainfracloud.org = FEDORAPROJECT.ORG
.fedorainfracloud.org = FEDORAPROJECT.ORG
```

This way, no matter which ticket is set to the default, it will route requests
for services in those domains to the FEDORAPROJECT.ORG realm.
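Added example (not part of the original message and not code from the fedora-packager package): a small Python model of the documented `[domain_realm]` matching rules, exact host name entries and `.domain` suffix entries, run over the snippet proposed above. The function names and the sample host names are assumptions made for illustration, and this is a simplified model, not MIT krb5's own resolver code.

```python
"""Added example: simplified model of krb5.conf [domain_realm] host-to-realm lookup."""

# Constructed input: the snippet proposed in the message above.
SNIPPET = """\
[domain_realm]
fedoraproject.org = FEDORAPROJECT.ORG
.fedoraproject.org = FEDORAPROJECT.ORG
fedorainfracloud.org = FEDORAPROJECT.ORG
.fedorainfracloud.org = FEDORAPROJECT.ORG
"""


def parse_domain_realm(text):
    """Return {host-or-.domain: REALM} taken from the [domain_realm] section."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def realm_for_host(host, mapping):
    """Exact host entry first, then each parent domain written as '.domain'.

    Returns None when nothing matches; a real client then falls back to
    other mechanisms, which are not modelled here.
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


if __name__ == "__main__":
    table = parse_domain_realm(SNIPPET)
    # Host names below are sample inputs chosen for illustration.
    for name in ("koji.fedoraproject.org", "fedoraproject.org", "proxy.example.com"):
        print(name, "->", realm_for_host(name, table))
```

The lookup never consults the credential cache, which is why the realm chosen for a service host does not change when `kswitch` changes the default ticket.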