Re: upcoming build and release developer flag day December 12 2016

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Dne 21.11.2016 v 13:36 Stephen Gallagher napsal(a):
> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>>> koji authentication will be switching to Kerberos. Koji supports multiple 
>>> authentication mechanisms. Fedora infrastructure has set up a freeipa instance 
>>> internally that has credential syncing to fas. We are working on ensuring that 
>>> gssapi caching is supported so that you can have multiple TGT's and the 
>>> ability to work in multiple reams at once. you can get started today by doing 
>>> kinit <fas username>@FEDORAPROJECT.ORG if you move your ~/.fedora.cert file 
>>> out of the way authentication will still work.
>>
>>   Can you expand (with links to webpages/wiki?) on multiple TGTs support?
>> At the moment, when I use kinit on F25, I get ticket for @FEDORAPROJECT.ORG realm,
>> but I lose my primary principal ticket. This means I lose access to my services,
>> including access to web proxy being my internet gateway.
>>   What's the trick to have _both_ tickets active – for my organisation and for
>> Fedora – at the same time?  This is using default Ticket cache: KEYRING:persistent:…
>>
> You don't lose them (you can see both with `klist -A`). What happens is that the
> default ticket is the most recent one you got a TGT for. You can switch the
> default ticket back to your other one with `kswitch -p username@REALM`.
>
> We should probably look at an /etc/krb5.conf.d snippet to have the
> `fedora-packager` RPM provide that will add a section like:
>
> ```
> [domain_realm]
>   fedoraproject.org = FEDORAPROJECT.ORG
>   .fedoraproject.org = FEDORAPROJECT.ORG
>   fedorainfracloud.org = FEDORAPROJECT.ORG
>   .fedorainfracloud.org = FEDORAPROJECT.ORG
> ```
>
> This way, no matter which ticket is set to the default, it will route requests
> for services in those domains to the FEDORAPROJECT.ORG realm.
>

You mean something like this?

```
# rpm -qf /etc/krb5.conf.d/fedoraproject_org
fedora-packager-0.5.10.7-4.fc26.noarch

# cat /etc/krb5.conf.d/fedoraproject_org
[realms]
 FEDORAPROJECT.ORG = {
        kdc = https://id.fedoraproject.org/KdcProxy
 }
[domain_realm]
 .fedoraproject.org = FEDORAPROJECT.ORG
 fedoraproject.org = FEDORAPROJECT.ORG
```


Vít

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux