Ken Dreyer <ktdreyer@xxxxxxxxxxxx> writes: > On Tue, Mar 10, 2020 at 11:55 AM Kevin Fenzi <kevin@xxxxxxxxx> wrote: >> >> when you see a proxy name there it usually means you have rdns true in >> /etc/krb5.conf (it should be false), or krb_rdns or krb_canon_host true >> in /etc/koji.conf or ~/.koji.conf (should be false). > > I think those options only apply to the "old-style" Kerberos > authentication in Koji (that we want to remove upstream). > > The only way to affect the GSSAPI authentication that we do with > koji.fedoraproject.org is to edit [libdefaults] in /etc/krb5.conf. > > I've filed two tickets to improve the UX here: > > 1) Remove the old option from fedora.conf: > https://bugzilla.redhat.com/show_bug.cgi?id=1812702 > > 2) Better error messages from the koji gssapi_login method: > https://pagure.io/koji/issue/2063 > > I think the MIT Kerberos devs realize that this is a problem too, > because there is a new dns_canonicalize_hostname=fallback option in > krb 1.18. That option will help for the general case of proxying > applications that use GSSAPI auth. Right. To be clear, this has been the *default* in Fedora starting with fc30. Thanks, --Robbie
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
