On 11/21/2016 08:07 AM, Vít Ondruch wrote:
>
>
> On 21.11.2016 at 13:36, Stephen Gallagher wrote:
>> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>>>> Koji authentication will be switching to Kerberos. Koji supports multiple
>>>> authentication mechanisms. Fedora infrastructure has set up a FreeIPA instance
>>>> internally that has credential syncing to FAS. We are working on ensuring that
>>>> GSSAPI caching is supported so that you can have multiple TGTs and the
>>>> ability to work in multiple realms at once. You can get started today by doing
>>>> kinit <fas username>@FEDORAPROJECT.ORG. If you move your ~/.fedora.cert file
>>>> out of the way, authentication will still work.
>>>
>>> Can you expand (with links to webpages/wiki?) on multiple TGTs support?
>>> At the moment, when I use kinit on F25, I get a ticket for the @FEDORAPROJECT.ORG realm,
>>> but I lose my primary principal ticket. This means I lose access to my services,
>>> including access to the web proxy that is my internet gateway.
>>> What's the trick to have _both_ tickets active – for my organisation and for
>>> Fedora – at the same time? This is using the default Ticket cache: KEYRING:persistent:…
>>>
>> You don't lose them (you can see both with `klist -A`). What happens is that the
>> default ticket is the most recent one you got a TGT for. You can switch the
>> default ticket back to your other one with `kswitch -p username@REALM`.
>>
>> We should probably look at an /etc/krb5.conf.d snippet to have the
>> `fedora-packager` RPM provide that will add a section like:
>>
>> ```
>> [domain_realm]
>> fedoraproject.org = FEDORAPROJECT.ORG
>> .fedoraproject.org = FEDORAPROJECT.ORG
>> fedorainfracloud.org = FEDORAPROJECT.ORG
>> .fedorainfracloud.org = FEDORAPROJECT.ORG
>> ```
>>
>> This way, no matter which ticket is set to the default, it will route requests
>> for services in those domains to the FEDORAPROJECT.ORG realm.
>>
>

So, it turns out that this doesn't work yet. It's complicated, but there's a
patch pending for Koji that will make this work. It hasn't landed yet.
Hopefully that will change before the flag day.

> You mean something like this?
>
> ```
> # rpm -qf /etc/krb5.conf.d/fedoraproject_org
> fedora-packager-0.5.10.7-4.fc26.noarch
>
> # cat /etc/krb5.conf.d/fedoraproject_org
> [realms]
>  FEDORAPROJECT.ORG = {
>   kdc = https://id.fedoraproject.org/KdcProxy
>  }
> [domain_realm]
>  .fedoraproject.org = FEDORAPROJECT.ORG
>  fedoraproject.org = FEDORAPROJECT.ORG
> ```
>

You actually shouldn't need to specify the [realms] section at all, because of
some nice DNS magic. Getting the [domain_realm] section working needs Koji to
accept the patch Patrick Uiterwijk mentioned elsewhere in this thread.
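The [domain_realm] routing discussed in this exchange, as an added example that is not part of the thread or of fedora-packager: a small Python resolver that parses the proposed krb5.conf.d snippet and applies MIT Kerberos' lookup order (exact hostname first, then the longest dotted domain suffix). The hostnames it resolves are constructed.

```python
import re

# Constructed copy of the krb5.conf.d snippet proposed in the thread.
KRB5_SNIPPET = """\
[domain_realm]
    fedoraproject.org = FEDORAPROJECT.ORG
    .fedoraproject.org = FEDORAPROJECT.ORG
    fedorainfracloud.org = FEDORAPROJECT.ORG
    .fedorainfracloud.org = FEDORAPROJECT.ORG
"""


def parse_domain_realm(text):
    """Return {pattern: realm} from the [domain_realm] section of a krb5.conf fragment."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "domain_realm" and "=" in line:
            pattern, realm = (part.strip() for part in line.split("=", 1))
            mapping[pattern.lower()] = realm  # krb5.conf patterns are lower case by convention
    return mapping


def realm_for_host(hostname, mapping):
    """Mirror krb5's domain_realm search: exact host, then ever-shorter dotted suffixes."""
    host = hostname.lower().rstrip(".")
    if host in mapping:                       # explicit per-host entry wins
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):           # ".a.b.c", then ".b.c", then ".c"
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # no mapping: libkrb5 falls back to DNS TXT lookup or default_realm


if __name__ == "__main__":
    rules = parse_domain_realm(KRB5_SNIPPET)
    for host in ("koji.fedoraproject.org", "fedoraproject.org", "proxy.example.com"):
        print(f"{host:28} -> {realm_for_host(host, rules)}")
```

A host outside the listed domains returns None, which is the case where the default ticket's realm (or DNS) decides, exactly the situation the snippet is meant to avoid for Fedora services.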