On 21.11.2016 at 14:18 Vít Ondruch wrote:
>
> On 21.11.2016 at 14:07 Vít Ondruch wrote:
>> On 21.11.2016 at 13:36 Stephen Gallagher wrote:
>>> On 11/21/2016 04:24 AM, Tomasz Torcz wrote:
>>>> On Sat, Nov 19, 2016 at 07:11:25PM -0600, Dennis Gilmore wrote:
>>>>> koji authentication will be switching to Kerberos. Koji supports multiple
>>>>> authentication mechanisms. Fedora infrastructure has set up a freeipa instance
>>>>> internally that has credential syncing to fas. We are working on ensuring that
>>>>> gssapi caching is supported so that you can have multiple TGTs and the
>>>>> ability to work in multiple realms at once. You can get started today by doing
>>>>> kinit <fas username>@FEDORAPROJECT.ORG; if you move your ~/.fedora.cert file
>>>>> out of the way, authentication will still work.
>>>> Can you expand (with links to webpages/wiki?) on multiple TGTs support?
>>>> At the moment, when I use kinit on F25, I get a ticket for the @FEDORAPROJECT.ORG realm,
>>>> but I lose my primary principal ticket. This means I lose access to my services,
>>>> including access to the web proxy that is my internet gateway.
>>>> What's the trick to have _both_ tickets active – for my organisation and for
>>>> Fedora – at the same time? This is using the default Ticket cache:
>>>> KEYRING:persistent:…
>>>>
>>> You don't lose them (you can see both with `klist -A`). What happens is that the
>>> default ticket is the most recent one you got a TGT for. You can switch the
>>> default ticket back to your other one with `kswitch -p username@REALM`.
>>>
>>> We should probably look at an /etc/krb5.conf.d snippet to have the
>>> `fedora-packager` RPM provide that will add a section like:
>>>
>>> ```
>>> [domain_realm]
>>> fedoraproject.org = FEDORAPROJECT.ORG
>>> .fedoraproject.org = FEDORAPROJECT.ORG
>>> fedorainfracloud.org = FEDORAPROJECT.ORG
>>> .fedorainfracloud.org = FEDORAPROJECT.ORG
>>> ```
>>>
>>> This way, no matter which ticket is set to the default, it will route requests
>>> for services in those domains to the FEDORAPROJECT.ORG realm.
>>>
>> You mean something like this?
>>
>> ```
>> # rpm -qf /etc/krb5.conf.d/fedoraproject_org
>> fedora-packager-0.5.10.7-4.fc26.noarch
>>
>> # cat /etc/krb5.conf.d/fedoraproject_org
>> [realms]
>> FEDORAPROJECT.ORG = {
>> kdc = https://id.fedoraproject.org/KdcProxy

Checking this ^^ against the documentation, I wonder how this can be correct:

```
kdc
    The name or address of a host running a KDC for that realm. An optional
    port number, separated from the hostname by a colon, may be included. If
    the name or address contains colons (for example, if it is an IPv6
    address), enclose it in square brackets to distinguish the colon from a
    port separator. For your computer to be able to communicate with the KDC
    for each realm, this tag must be given a value in each realm subsection
    in the configuration file, or there must be DNS SRV records specifying
    the KDCs.
```

Vít

>> }
>> [domain_realm]
>> .fedoraproject.org = FEDORAPROJECT.ORG
>> fedoraproject.org = FEDORAPROJECT.ORG
>> ```
>>
> But apparently, with this snippet, I can't kinit anymore :/
>
> ```
> $ kinit vondr...@fedoraproject.org
> kinit: Cannot contact any KDC for realm 'FEDORAPROJECT.ORG' while
> getting initial credentials
>
> $ sudo mv /etc/krb5.conf.d/fedoraproject_org{,.bak}
>
> $ kinit vondr...@fedoraproject.org
> Password for vondr...@fedoraproject.org:
>
> ```
>
>
> Vít
>
>
>
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
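The `[domain_realm]` routing Stephen describes (a service host is mapped to a realm independently of which ticket cache is currently the default), shown as an added example that is not code from the thread or from fedora-packager. It is a simplified re-implementation of the MIT krb5 host-to-realm lookup rule over a constructed copy of the proposed snippet; it parses the `kdc` line as-is and does not validate it.

```python
import re

# Constructed copy of the proposed /etc/krb5.conf.d snippet, as quoted in the thread.
SNIPPET = """
[realms]
FEDORAPROJECT.ORG = {
    kdc = https://id.fedoraproject.org/KdcProxy
}
[domain_realm]
fedoraproject.org = FEDORAPROJECT.ORG
.fedoraproject.org = FEDORAPROJECT.ORG
fedorainfracloud.org = FEDORAPROJECT.ORG
.fedorainfracloud.org = FEDORAPROJECT.ORG
"""

def parse_domain_realm(text):
    """Return {host_or_domain: REALM} from the [domain_realm] section.
    Simplified parser (not libkrb5): brace blocks in other sections are skipped."""
    mapping, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:
            section = m.group(1).lower()
            continue
        depth += line.count("{") - line.count("}")
        if section == "domain_realm" and depth == 0 and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping

def realm_for_host(mapping, host):
    """MIT krb5 rule: try the exact hostname, then each parent domain with a
    leading dot (".b.c" matches "a.b.c"; a bare "b.c" matches only itself).
    None means the host is not mapped and the default realm applies."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        cand = "." + ".".join(labels[i:])
        if cand in mapping:
            return mapping[cand]
    return None

if __name__ == "__main__":
    m = parse_domain_realm(SNIPPET)
    for h in ("koji.fedoraproject.org", "copr.fedorainfracloud.org", "proxy.corp.example"):
        print(f"{h:28} -> {realm_for_host(m, h)}")
```

A host that resolves to `None` here is the case Tomasz hit: the request goes to whatever realm the default ticket belongs to, which is why the snippet pins the Fedora domains explicitly.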