On 13.12.2016 at 14:41, Stephen Gallagher wrote:
> On 12/13/2016 03:52 AM, Vít Ondruch wrote:
>>
>> On 12.12.2016 at 22:33, Kevin Fenzi wrote:
>>> On Mon, 12 Dec 2016 10:53:39 +0100
>>> Vít Ondruch <vondruch@xxxxxxxxxx> wrote:
>>>
>>>> So several questions:
> ...
>>> First, I'll note you don't need to get a new ticket every day, you can
>>> just renew with 'kinit -R'.
>> Not sure what is the difference here, maybe you want to explain.
>>
> Well, this will depend on your behavior. If you reboot the machine every day,
> then the default behavior of Kerberos in Fedora will not allow you to do `kinit
> -R`. That's because we use the kernel keyring to store the credential caches and
> they are wiped clean when the machine goes away.
>
> If the machine has remained online, then the `kinit -R` basically means "If this
> ticket is permitted to renew itself, do that", which will extend its usable
> lifetime up to the maximum renewal lifetime (in Fedora's case, renewals are
> permitted to extend the lifetime up to one week).

Thanks for the explanation. My conclusion is I should use "kinit" all the time, since "kinit -R" fails once per week anyway. The only difference is typing the password. Or actually, does the "kinit -R" preserve which ticket is primary? I could save the "kswitch" command ...

>
>
>>> I am not sure what env kinit needs, but you
>>> may even be able to do this from a cron job. That will work for 1 week.
>> Again, you imply some additional settings on me. They were not needed
>> so far. I needed to call "fedora-packager-setup" every six months, that
>> was it.
>>
>> BTW you don't mention if the "fedora-packager-setup" is useful for
>> something ATM.
>>
>>> As sgallagh noted downthread, gnome online accounts will hopefully
>>> handle this for you soon as soon as that one bug is fixed.
>> That should be fixed before such changes are pushed. If it is not, there
>> should be at least somebody pushing this forward.
>>
> It was an oversight, which I only discovered a few days before the flag day.

I tried that, but it was just one of the issues (with unclear cause and resolution to me) among others ....

> A patch was immediately worked up and was expected to be ready in time, which is
> why I didn't suggest postponing the flag day.
>
> Unfortunately, a discussion came up about whether the fix is happening in the
> right component (realmd vs. gnome-online-accounts). It stalled out for a few
> days, but I've now asked the maintainers to accept the band-aid patch for now,
> so hopefully that will be cleared up very quickly.
>

Thanks

>>>
>>>
>>> Finally, I'll note that these tickets are more powerful than the old
>>> certs. The certs controlled authentication to just koji and uploads,
>>> while tickets allow you to login to almost all our web apps as well.
>> Once again, you make it sound like I dislike kerberos and hate this
>> feature. But quite the contrary, I believe that this is a step in the right
>> direction and I appreciate this change in general. Unfortunately, the
>> current status is far from ideal and the experience is worse than it
>> used to be.
>>
> To be fair, the old experience was that approximately every six months, users
> would get a cryptic error message, email the devel@ list and be told via
> institutional knowledge holders that they needed to get a new certificate.

I am pretty sure I was guilty as well at times ;)

> At least in the case of Kerberos, the *reason* that things are failing is clearly
> visible and easily searched.
>
> Remember, you're a long-time contributor with access to knowledge about a
> thousand finicky things. To you, all those silly workarounds are second nature,
> and thus when they change, it's disruptive. From the perspective of improving
> things long-term (and so that new users aren't out of their depth), sometimes we
> have to make changes like this.
>
> And yes, there are always bumps in the road. Any time you change a major
> process, there will be issues you didn't expect or plan for. This would probably
> have been mitigated if basically *anyone* besides Fedora Infra and myself had
> bothered to beta-test the new Kerberos environment, but as with so many of our
> Bodhi updates, they never actually get tested until they make it to the "stable"
> repository.
>

I was trying, that is why I noticed https://bugzilla.redhat.com/show_bug.cgi?id=1394677#c7

Vít
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
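Added example, not part of the thread above and not Fedora's or MIT Kerberos's own code: a small Python script that parses `klist` output and decides whether `kinit -R` can still extend the ticket-granting ticket, or whether a fresh `kinit` (and therefore a password prompt) is unavoidable, which is the trade-off discussed in the message. The `klist` text embedded below is constructed sample data (made-up principal, cache name and times). The renewal model in `expiry_after_renewal` (the KDC reissues the ticket with its original lifetime measured from now, capped at the "renew until" time) is an assumption about KDC behaviour, not something the thread states.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of MIT `klist` output for a Fedora-style kernel keyring
# cache. Principal, cache id and timestamps are made up for this example.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: someone@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
12/13/2016 09:00:00  12/14/2016 09:00:00  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
\trenew until 12/20/2016 09:00:00
"""

# Current MIT releases print 4-digit years, older ones 2-digit; accept both.
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")
TICKET_RE = re.compile(r"^(\d\S+ \d\S+)\s+(\d\S+ \d\S+)\s+(\S+)\s*$")
RENEW_RE = re.compile(r"^\s*renew until (\d\S+ \d\S+)\s*$")


def parse_time(text):
    """Parse one klist timestamp in either year format."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError("unrecognised klist timestamp: %r" % text)


def parse_klist(output):
    """Turn klist text into a list of ticket dicts.

    A 'renew until' line belongs to the ticket printed directly above it;
    a ticket without that line was issued non-renewable.
    """
    tickets = []
    for line in output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "valid_from": parse_time(m.group(1)),
                "expires": parse_time(m.group(2)),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = parse_time(m.group(1))
    return tickets


def find_tgt(tickets):
    """The ticket-granting ticket is the one `kinit -R` renews."""
    for t in tickets:
        if t["service"].startswith("krbtgt/"):
            return t
    return None


def next_action(tickets, now):
    """Return 'kinit -R' if a renewal can succeed at `now`, else 'kinit'.

    'kinit' is the answer when there is no TGT at all (e.g. the keyring cache
    vanished with a reboot), when the TGT has already expired, when it is not
    renewable, or when the renewal limit (about a week in Fedora) has passed.
    """
    tgt = find_tgt(tickets)
    if tgt is None or now >= tgt["expires"]:
        return "kinit"
    if tgt["renew_until"] is None or now >= tgt["renew_until"]:
        return "kinit"
    return "kinit -R"


def expiry_after_renewal(tgt, now):
    """Model of what a successful `kinit -R` at `now` buys.

    Assumption (not from the thread): the renewed ticket keeps its original
    lifetime, counted from `now`, and is capped at the 'renew until' time.
    """
    lifetime = tgt["expires"] - tgt["valid_from"]
    return min(now + lifetime, tgt["renew_until"])


if __name__ == "__main__":
    # Real use: read the live cache instead of the constructed sample. With no
    # cache present, klist prints its error on stderr and stdout stays empty.
    try:
        live = subprocess.run(["klist"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        live = ""
    print(next_action(parse_klist(live), datetime.now()))
```

Run on a machine that was rebooted, the keyring cache is gone, `klist` prints nothing useful and the script answers `kinit`, which is exactly the case Stephen describes; on a machine that stayed up it answers `kinit -R` until the "renew until" limit passes, after which only a fresh `kinit` helps.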