On 21.11.2016 at 13:36, Stephen Gallagher wrote:
> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>>> koji authentication will be switching to Kerberos. Koji supports multiple
>>> authentication mechanisms. Fedora infrastructure has set up a freeipa instance
>>> internally that has credential syncing to fas. We are working on ensuring that
>>> gssapi caching is supported so that you can have multiple TGT's and the
>>> ability to work in multiple realms at once. You can get started today by doing
>>> kinit <fas username>@FEDORAPROJECT.ORG if you move your ~/.fedora.cert file
>>> out of the way authentication will still work.
>>
>> Can you expand (with links to webpages/wiki?) on multiple TGTs support?
>> At the moment, when I use kinit on F25, I get ticket for @FEDORAPROJECT.ORG realm,
>> but I lose my primary principal ticket. This means I lose access to my services,
>> including access to web proxy being my internet gateway.
>> What's the trick to have _both_ tickets active – for my organisation and for
>> Fedora – at the same time? This is using default Ticket cache: KEYRING:persistent:…
>>
> You don't lose them (you can see both with `klist -A`). What happens is that the
> default ticket is the most recent one you got a TGT for. You can switch the
> default ticket back to your other one with `kswitch -p username@REALM`.
>
> We should probably look at an /etc/krb5.conf.d snippet to have the
> `fedora-packager` RPM provide that will add a section like:
>
> ```
> [domain_realm]
> fedoraproject.org = FEDORAPROJECT.ORG
> .fedoraproject.org = FEDORAPROJECT.ORG
> fedorainfracloud.org = FEDORAPROJECT.ORG
> .fedorainfracloud.org = FEDORAPROJECT.ORG
> ```
>
> This way, no matter which ticket is set to the default, it will route requests
> for services in those domains to the FEDORAPROJECT.ORG realm.
>

You mean something like this?

```
# rpm -qf /etc/krb5.conf.d/fedoraproject_org
fedora-packager-0.5.10.7-4.fc26.noarch
# cat /etc/krb5.conf.d/fedoraproject_org
[realms]
FEDORAPROJECT.ORG = {
    kdc = https://id.fedoraproject.org/KdcProxy
}
[domain_realm]
.fedoraproject.org = FEDORAPROJECT.ORG
fedoraproject.org = FEDORAPROJECT.ORG
```

Vít
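An added example, not part of the original e-mails or of the fedora-packager package: it parses the two `[domain_realm]` snippets quoted in the thread and resolves host names the way MIT krb5 looks them up (exact host name first, then each parent domain with a leading dot), so you can check which hosts a snippet routes to FEDORAPROJECT.ORG regardless of the default ticket. The host names in `HOSTS` and the helper names are assumptions made for illustration.

```python
# Constructed copies of the two snippets quoted in the thread.
PROPOSED = """\
[domain_realm]
fedoraproject.org = FEDORAPROJECT.ORG
.fedoraproject.org = FEDORAPROJECT.ORG
fedorainfracloud.org = FEDORAPROJECT.ORG
.fedorainfracloud.org = FEDORAPROJECT.ORG
"""
SHIPPED = """\
[realms]
FEDORAPROJECT.ORG = {
    kdc = https://id.fedoraproject.org/KdcProxy
}
[domain_realm]
.fedoraproject.org = FEDORAPROJECT.ORG
fedoraproject.org = FEDORAPROJECT.ORG
"""
# Constructed host names, used only to exercise the lookup.
HOSTS = ["koji.fedoraproject.org", "fedoraproject.org",
         "app.fedorainfracloud.org", "proxy.example.com"]

def parse_domain_realm(text):
    """Return the {name: realm} relations found under [domain_realm]."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line and line[0] not in "#;":
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Try the exact host name, then each parent domain with a leading dot."""
    candidate = host.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        _, dot, rest = candidate.lstrip(".").partition(".")
        candidate = "." + rest if dot else ""
    return None  # no [domain_realm] relation matched this host

def unmapped_hosts(hosts, mapping, realm="FEDORAPROJECT.ORG"):
    # Hosts that the snippet does not route to the expected realm.
    return [h for h in hosts if realm_for_host(h, mapping) != realm]

if __name__ == "__main__":
    for label, text in (("proposed", PROPOSED), ("shipped", SHIPPED)):
        print(label, "unmapped:", unmapped_hosts(HOSTS, parse_domain_realm(text)))
```

Run against the two snippets, the check shows that the file shown from the package covers fedoraproject.org hosts but has no relation for fedorainfracloud.org, which the proposed section included.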