On Tue, Mar 10, 2020 at 11:55 AM Kevin Fenzi <ke...@scrye.com> wrote: > > when you see a proxy name there it usually means you have rdns true in > /etc/krb5.conf (it should be false), or krb_rdns or krb_canon_host true > in /etc/koji.conf or ~/.koji.conf (should be false).
I think those options only apply to the "old-style" Kerberos authentication in Koji (that we want to remove upstream). The only way to affect the GSSAPI authentication that we do with koji.fedoraproject.org is to edit [libdefaults] in /etc/krb5.conf. I've filed two tickets to improve the UX here: 1) Remove the old option from fedora.conf: https://bugzilla.redhat.com/show_bug.cgi?id=1812702 2) Better error messages from the koji gssapi_login method: https://pagure.io/koji/issue/2063 I think the MIT Kerberos devs realize that this is a problem too, because there is a new dns_canonicalize_hostname=fallback option in krb 1.18. That option will help for the general case of proxying applications that use GSSAPI auth. - Ken _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
