Re: Kerberos authentication fails: unable to obtain a session

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ken Dreyer <ktdreyer@xxxxxxxxxxxx> writes:

> On Tue, Mar 10, 2020 at 11:55 AM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>>
>> when you see a proxy name there it usually means you have rdns true in
>> /etc/krb5.conf (it should be false), or krb_rdns or krb_canon_host true
>> in /etc/koji.conf or ~/.koji.conf (should be false).
>
> I think those options only apply to the "old-style" Kerberos
> authentication in Koji (that we want to remove upstream).
>
> The only way to affect the GSSAPI authentication that we do with
> koji.fedoraproject.org is to edit [libdefaults] in /etc/krb5.conf.
>
> I've filed two tickets to improve the UX here:
>
> 1) Remove the old option from fedora.conf:
> https://bugzilla.redhat.com/show_bug.cgi?id=1812702
>
> 2) Better error messages from the koji gssapi_login method:
> https://pagure.io/koji/issue/2063
>
> I think the MIT Kerberos devs realize that this is a problem too,
> because there is a new dns_canonicalize_hostname=fallback option in
> krb 1.18. That  option will help for the general case of proxying
> applications that use GSSAPI auth.

Right.  To be clear, this has been the *default* in Fedora starting with
fc30.

Thanks,
--Robbie

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux