Puiterwijk (talk | contribs) m (Puiterwijk moved page Infrastructure kerberos authentication to Infrastructure/Kerberos) |
Puiterwijk (talk | contribs) No edit summary |
||
Line 74: | Line 74: | ||
'''Answer:''' Logging into the koji web interface doesn't really get you much of anything, but we are working on a patch to get this working down the road. | '''Answer:''' Logging into the koji web interface doesn't really get you much of anything, but we are working on a patch to get this working down the road. | ||
== Extra info for Infrastructure people == | |||
To access nagios, you need to use Kerberos as well. | |||
This will require you to change /etc/krb5.conf, and under [libdefaults] add or set "rdns = false". |
Revision as of 17:17, 1 December 2016
Infrastructure kerberos authentication
Background
Starting in November 2016, Fedora Infrastructure began to use kerberos authentication for some services, starting with koji (the Fedora build system). On December 12th 2016, the koji buildsystem will be switched to only allow kerberos authentication, and disallow the old ssl cert authentication.
Supported Services
- koji
Future Services
There are plans to enable other Fedora Infrastructure services. Please stay tuned to the announce and devel-announce lists.
Technical Details
Fedora Infrastructure still uses the Fedora Account System (fas), but now it syncs some account information to a pair of FreeIPA servers. Those servers are made available via a web proxy to Fedora contributors.
How to use kerberos auth with Fedora Infrastructure
Command line
- kinit <yourfasloginname>@FEDORAPROJECT.ORG
- enter your FAS password
- You should now be able to authenticate to supported services
- Tickets are valid for 24 hours and can be renewed for 1 week. You can renew a existing ticket with kinit -R <yourfasloginname>@FEDORAPROJECT.ORG
GUI (gnome/workstation)
- Open settings -> Online Accounts -> Click on the + to add an account -> Click on "Other" at the end of the list -> Click on "Enterprise login (kerberos)"
- Enter FEDORAPROJECT.ORG for the domain
- Enter your FAS name in the name field.
- Enter your password when prompted.
Firefox
If you have Firefox 49 or higher and not tweaked any special configuration, you are done. If you have a lower version or want to check:
- Go to about:config
- Click the "I accept the risk" button
- Search for "network.negotiate-auth.trusted-uris"
- Double-click this option if it's not set to "https://", and set it to "https://"
Chromium/Chrome
For Chrome/Chromium, you need to create a policy file.
- For Chromium, the directory to put this in is /etc/chromium/policies/managed/ .
- For Chrome, the directory is /etc/opt/chrome/policies/managed/ (you might have to create this yourself).
In that, create a file (e.g. fedora_kerberos.json), with contents:
{ "AuthServerWhitelist": "*.fedoraproject.org" }
At this moment, there are no services announced yet that make use of the browser other than some internal infrastructure services. Stay tuned to announce and devel-announce lists.
Questions and Answers
Question: I have 2 (or more) domains I login to with kerberos and koji only seems to work when it's the last one I add, whats going on? (The error it will show is "Kerberos authentication failed: Server not found in Kerberos database (-1765328377)")
Answer: koji currently requires this, but there's a patch coming to fix it. In the mean time you can use 'kswitch' to switch which is primary.
Question: How can I see how long my ticket(s) are valid for?
Answer: use 'klist -A'
Question: I don't seem to be logged into the koji web interface after this, why not?
Answer: Logging into the koji web interface doesn't really get you much of anything, but we are working on a patch to get this working down the road.
Extra info for Infrastructure people
To access nagios, you need to use Kerberos as well. This will require you to change /etc/krb5.conf, and under [libdefaults] add or set "rdns = false".