On 21.11.2016 at 14:18 Vít Ondruch wrote:
>
> On 21.11.2016 at 14:07 Vít Ondruch wrote:
>> On 21.11.2016 at 13:36 Stephen Gallagher wrote:
>>> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>>>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>>>>> koji authentication will be switching to Kerberos. Koji supports multiple
>>>>> authentication mechanisms. Fedora infrastructure has set up a freeipa
>>>>> instance internally that has credential syncing to fas. We are working on
>>>>> ensuring that gssapi caching is supported so that you can have multiple
>>>>> TGTs and the ability to work in multiple realms at once. You can get
>>>>> started today by doing kinit <fas username>@FEDORAPROJECT.ORG; if you
>>>>> move your ~/.fedora.cert file out of the way, authentication will still
>>>>> work.
>>>> Can you expand (with links to webpages/wiki?) on multiple TGTs support?
>>>> At the moment, when I use kinit on F25, I get a ticket for the
>>>> @FEDORAPROJECT.ORG realm, but I lose my primary principal ticket. This
>>>> means I lose access to my services, including access to the web proxy
>>>> that is my internet gateway.
>>>> What's the trick to have _both_ tickets active – for my organisation and
>>>> for Fedora – at the same time? This is using the default Ticket cache:
>>>> KEYRING:persistent:…
>>>>
>>> You don't lose them (you can see both with `klist -A`). What happens is
>>> that the default ticket is the most recent one you got a TGT for. You can
>>> switch the default ticket back to your other one with
>>> `kswitch -p username@REALM`.
>>>
>>> We should probably look at having the `fedora-packager` RPM provide an
>>> /etc/krb5.conf.d snippet that adds a section like:
>>>
>>> ```
>>> [domain_realm]
>>> fedoraproject.org = FEDORAPROJECT.ORG
>>> .fedoraproject.org = FEDORAPROJECT.ORG
>>> fedorainfracloud.org = FEDORAPROJECT.ORG
>>> .fedorainfracloud.org = FEDORAPROJECT.ORG
>>> ```
>>>
>>> This way, no matter which ticket is set to the default, it will route
>>> requests for services in those domains to the FEDORAPROJECT.ORG realm.
>>>
>> You mean something like this?
>>
>> ```
>> # rpm -qf /etc/krb5.conf.d/fedoraproject_org
>> fedora-packager-0.5.10.7-4.fc26.noarch
>>
>> # cat /etc/krb5.conf.d/fedoraproject_org
>> [realms]
>> FEDORAPROJECT.ORG = {
>> kdc = https://id.fedoraproject.org/KdcProxy

Checking this ^^ against documentation, I wonder how this can be correct:

```
kdc - The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, if it is an IPv6 address), enclose it in square brackets to distinguish the colon from a port separator. For your computer to be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs.
```

Vít

>> }
>> [domain_realm]
>> .fedoraproject.org = FEDORAPROJECT.ORG
>> fedoraproject.org = FEDORAPROJECT.ORG
>> ```
>>
> But apparently, with this snippet, I can't kinit anymore :/
>
> ```
> $ kinit [email protected]
> kinit: Cannot contact any KDC for realm 'FEDORAPROJECT.ORG' while
> getting initial credentials
>
> $ sudo mv /etc/krb5.conf.d/fedoraproject_org{,.bak}
>
> $ kinit [email protected]
> Password for [email protected]:
>
> ```
>
> Vít
>
> _______________________________________________
> devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
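As an added illustration (not code from the thread, nor from the fedora-packager package), here is a small Python parser for krb5.conf-style snippets, fed a sample configuration assembled from the two snippets quoted above plus a constructed EXAMPLE.COM realm. It shows two things the thread turns on: how a `[domain_realm]` entry routes a service host to a realm no matter which TGT is currently the default cache, and what the `[realms]` `kdc` entry for that realm resolves to. The `https://.../KdcProxy` form is the MS-KKDCP proxy syntax that MIT Kerberos accepts in `kdc` since release 1.13 rather than a plain host[:port] entry; the helper flags it separately and reports realms with no `kdc` at all, which is the case where the library must find KDCs through DNS SRV records. Host names and the EXAMPLE.COM entries are constructed sample data.

```python
"""Added example: parse krb5.conf-style snippets and resolve
host -> realm -> configured KDCs the way [domain_realm] and [realms]
are consulted.  Sample config text is constructed from the snippets
quoted in the thread plus a made-up EXAMPLE.COM realm."""
import re

# Constructed sample, assembled from the snippets quoted in the thread.
SAMPLE_CONF = """
[realms]
FEDORAPROJECT.ORG = {
    kdc = https://id.fedoraproject.org/KdcProxy
}
EXAMPLE.COM = {
    kdc = kdc1.example.com:88
    kdc = [2001:db8::1]:88
}

[domain_realm]
.fedoraproject.org = FEDORAPROJECT.ORG
fedoraproject.org = FEDORAPROJECT.ORG
.fedorainfracloud.org = FEDORAPROJECT.ORG
fedorainfracloud.org = FEDORAPROJECT.ORG
"""


def parse_krb5_conf(text):
    """Parse [section] blocks and the one level of { } subsections used in
    [realms].  Returns {section: {key: value-or-subdict}}; a key repeated
    inside a block (several kdc lines) is collected into a list."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:
            section = conf.setdefault(m.group(1), {})
            sub = None
            continue
        if line == '}':
            sub = None
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':
            sub = section.setdefault(key, {})
            continue
        target = sub if sub is not None else section
        if key in target:
            if not isinstance(target[key], list):
                target[key] = [target[key]]
            target[key].append(value)
        else:
            target[key] = value
    return conf


def realm_for_host(conf, host):
    """[domain_realm] lookup as MIT krb5 does it: the exact host name first,
    then each parent domain as a '.suffix' entry.  None means no mapping is
    configured and the library falls back to DNS or default_realm."""
    mapping = conf.get('domain_realm', {})
    host = host.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        candidate = '.' + '.'.join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def kdc_entries(conf, realm):
    """kdc entries for a realm as (kind, value) pairs: 'kkdcp' for an
    https:// URL (MS-KKDCP proxy, MIT krb5 1.13+) or 'host' for host[:port].
    An empty list means no KDC is configured and DNS SRV records are the
    only remaining way to locate one."""
    sub = conf.get('realms', {}).get(realm, {})
    kdcs = sub.get('kdc', [])
    if isinstance(kdcs, str):
        kdcs = [kdcs]
    return [('kkdcp' if k.startswith('https://') else 'host', k) for k in kdcs]


def route(conf, host):
    """Realm a request for a service on `host` is routed to, plus the KDCs
    configured for that realm."""
    realm = realm_for_host(conf, host)
    return realm, (kdc_entries(conf, realm) if realm else [])


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_CONF)
    for h in ('koji.fedoraproject.org', 'fedoraproject.org',
              'build.fedorainfracloud.org', 'kdc1.example.com'):
        print(h, '->', route(conf, h))
```

Running the block prints the realm and KDC list for each sample host; a host under neither domain resolves to `None`, which is the situation in which the library ignores the snippet and uses whatever the default TGT's realm is.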
