On 21.11.2016 at 14:18, Vít Ondruch wrote:

> On 21.11.2016 at 14:07, Vít Ondruch wrote:
>> On 21.11.2016 at 13:36, Stephen Gallagher wrote:
>>> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>>>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>>>>> koji authentication will be switching to Kerberos. Koji supports
>>>>> multiple authentication mechanisms. Fedora infrastructure has set up a
>>>>> freeipa instance internally that has credential syncing to fas. We are
>>>>> working on ensuring that gssapi caching is supported so that you can
>>>>> have multiple TGTs and the ability to work in multiple realms at once.
>>>>> You can get started today by doing
>>>>>
>>>>> kinit <fas username>@FEDORAPROJECT.ORG
>>>>>
>>>>> If you move your ~/.fedora.cert file out of the way, authentication
>>>>> will still work.
>>>>
>>>> Can you expand (with links to webpages/wiki?) on multiple TGTs support?
>>>> At the moment, when I use kinit on F25, I get a ticket for the
>>>> @FEDORAPROJECT.ORG realm, but I lose my primary principal ticket. This
>>>> means I lose access to my services, including access to the web proxy
>>>> being my internet gateway. What's the trick to have _both_ tickets
>>>> active – for my organisation and for Fedora – at the same time?
>>>> This is using the default Ticket cache: KEYRING:persistent:…
>>>
>>> You don't lose them (you can see both with `klist -A`). What happens is
>>> that the default ticket is the most recent one you got a TGT for. You
>>> can switch the default ticket back to your other one with
>>> `kswitch -p username@REALM`.
>>>
>>> We should probably look at an /etc/krb5.conf.d snippet to have the
>>> `fedora-packager` RPM provide that will add a section like:
>>>
>>> ```
>>> [domain_realm]
>>> fedoraproject.org = FEDORAPROJECT.ORG
>>> .fedoraproject.org = FEDORAPROJECT.ORG
>>> fedorainfracloud.org = FEDORAPROJECT.ORG
>>> .fedorainfracloud.org = FEDORAPROJECT.ORG
>>> ```
>>>
>>> This way, no matter which ticket is set to the default, it will route
>>> requests for services in those domains to the FEDORAPROJECT.ORG realm.
>>
>> You mean something like this?
>>
>> ```
>> # rpm -qf /etc/krb5.conf.d/fedoraproject_org
>> fedora-packager-0.5.10.7-4.fc26.noarch
>> # cat /etc/krb5.conf.d/fedoraproject_org
>> [realms]
>> FEDORAPROJECT.ORG = {
>>   kdc = https://id.fedoraproject.org/KdcProxy
>
> Checking this ^^ against documentation, I wonder how this can be correct:
>
> ```
> kdc - The name or address of a host running a KDC for that realm. An
> optional port number, separated from the hostname by a colon, may be
> included. If the name or address contains colons (for example, if it is
> an IPv6 address), enclose it in square brackets to distinguish the colon
> from a port separator. For your computer to be able to communicate with
> the KDC for each realm, this tag must be given a value in each realm
> subsection in the configuration file, or there must be DNS SRV records
> specifying the KDCs.
> ```
>
> Vít
>
>> }
>> [domain_realm]
>> .fedoraproject.org = FEDORAPROJECT.ORG
>> fedoraproject.org = FEDORAPROJECT.ORG
>> ```
>>
>> But apparently, with this snippet, I can't kinit anymore :/
>>
>> ```
>> $ kinit vondruch@xxxxxxxxxxxxxxxxx
>> kinit: Cannot contact any KDC for realm 'FEDORAPROJECT.ORG' while getting initial credentials
>> $ sudo mv /etc/krb5.conf.d/fedoraproject_org{,.bak}
>> $ kinit vondruch@xxxxxxxxxxxxxxxxx
>> Password for vondruch@xxxxxxxxxxxxxxxxx:
>> ```
>>
>> Vít
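As an added example (my code, not from the thread or from the fedora-packager package), here is a minimal parser for krb5.conf-style snippets together with the [domain_realm] host-to-realm lookup Stephen describes, which is what makes requests to Fedora hosts go to FEDORAPROJECT.ORG no matter which TGT is currently the default. The lookup order is a simplified model of libkrb5's documented behaviour, and the sample config is constructed from the snippets quoted above.

```python
# Added example: parse a krb5.conf-style snippet and resolve host -> realm via
# [domain_realm]. Lookup order is a simplified model of libkrb5 (assumption).
# SAMPLE_KRB5_CONF is constructed from the snippets quoted in the thread.

SAMPLE_KRB5_CONF = """\
[realms]
  FEDORAPROJECT.ORG = {
    kdc = https://id.fedoraproject.org/KdcProxy
  }
[domain_realm]
  fedoraproject.org = FEDORAPROJECT.ORG
  .fedoraproject.org = FEDORAPROJECT.ORG
  .fedorainfracloud.org = FEDORAPROJECT.ORG
"""

def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}}, one level of `{ }`."""
    sections, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            sub = None
        elif line == "}":                        # end of a subsection
            sub = None
        elif "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":                     # start of `key = { ... }`
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub)[key] = value
    return sections

def realm_for_host(hostname, domain_realm):
    """Exact host name first, then each parent domain with a leading dot,
    most specific first. None means no mapping; libkrb5 would then fall
    back to DNS lookups or default_realm."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in domain_realm:
            return domain_realm[parent]
    return None
```

Note that only the dotted form (`.fedorainfracloud.org`) covers hosts under the domain; the bare form covers the apex host itself, which is why Stephen's proposal lists both.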
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx