Bug 1693531 - koji can't use kerberos auth
Summary: koji can't use kerberos auth
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: koji
Version: 30
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Mike McLean
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-28 06:20 UTC by Vasiliy Glazov
Modified: 2019-04-02 06:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-02 06:50:25 UTC



Description Vasiliy Glazov 2019-03-28 06:20:51 UTC
Description of problem:
I updated to F30 and can't use koji.

Version-Release number of selected component (if applicable):
koji-1.17.0-5.fc30.noarch
fedora-packager-0.6.0.2-5.fc30.noarch

How reproducible:
Always

Steps to Reproduce:
1. koji --debug hello

Actual results:
2019-03-28 09:18:32,069 [DEBUG] koji: Opening new requests session
2019-03-28 09:18:32,069 [DEBUG] koji: Opening new requests session
2019-03-28 09:18:32,672 [DEBUG] koji: Opening new requests session
2019-03-28 09:18:32,673 [DEBUG] koji: gssapi auth failed: requests.exceptions.SSLError: HTTPSConnectionPool(host='koji.fedoraproject.org', port=443): Max retries exceeded with url: /kojihub/ssllogin (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)')))

Traceback (most recent call last):
  File "/usr/bin/koji", line 310, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/lib/python3.7/site-packages/koji_cli/commands.py", line 7233, in handle_moshimoshi
    activate_session(session, options)
  File "/usr/lib/python3.7/site-packages/koji_cli/lib.py", line 603, in activate_session
    session.krb_login(proxyuser=runas)
  File "/usr/lib/python3.7/site-packages/koji/__init__.py", line 2161, in krb_login
    if self.gssapi_login(principal, keytab, ccache, proxyuser=proxyuser):
  File "/usr/lib/python3.7/site-packages/koji/__init__.py", line 2315, in gssapi_login
    raise AuthError('unable to obtain a session')
koji.AuthError: unable to obtain a session


Expected results:
Normal work.

Additional info:
Files in /etc not changed

kinit password accepted.

$ klist -A
Ticket cache: KCM:1000
Default principal: vascom@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
27.03.2019 16:35:58  28.03.2019 16:35:48  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
        renew until 03.04.2019 16:35:48

Please help solve problem.

Comment 1 Vasiliy Glazov 2019-03-29 14:05:23 UTC
After downgrading koji and python3-koji to 16.2 all works well again.

Comment 2 Kevin Fenzi 2019-03-30 18:18:18 UTC
Can you upgrade again and do: 

KRB5_TRACE=/dev/stdout koji hello

and post the output here?

Additionally, do you have a /etc/koji/koji.conf.rpmnew or ~/.koji/config file(s)?

Comment 3 Vasiliy Glazov 2019-03-30 18:39:47 UTC
I upgraded again.
Output of this command:
2019-03-30 21:35:30,171 [ERROR] koji: AuthError: unable to obtain a session

There is no koji.conf.rpmnew, and no config in ~/.koji/; it contains only cert files for rpmfusion's koji.

Comment 4 Kevin Fenzi 2019-03-30 18:49:42 UTC
Huh, there should be tons of output there, are you sure you ran it with 'KRB5_TRACE=/dev/stdout koji hello' ?

And can you try moving aside your ~/.koji/config just to test? 

and your /etc/koji.conf has:

authtype = kerberos
krb_rdns = false

right?

Comment 5 Vasiliy Glazov 2019-03-30 18:59:51 UTC
Here /etc/koji.conf https://paste.fedoraproject.org/paste/-PnyS5SnOi5SkHcRDwgBpQ

~/.koji/config is absent.

This is full output:

[vascom@v-glazov ~]$ KRB5_TRACE=/dev/stdout koji -d hello
2019-03-30 21:52:46,318 [DEBUG] koji: Opening new requests session
2019-03-30 21:52:46,318 [DEBUG] koji: Opening new requests session
2019-03-30 21:52:46,932 [DEBUG] koji: Opening new requests session
2019-03-30 21:52:46,933 [DEBUG] koji: gssapi auth failed: requests.exceptions.SSLError: HTTPSConnectionPool(host='koji.fedoraproject.org', port=443): Max retries exceeded with url: /kojihub/ssllogin (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)')))

Traceback (most recent call last):
  File "/usr/bin/koji", line 310, in <module>
    rv = locals()[command].__call__(options, session, args)
  File "/usr/lib/python3.7/site-packages/koji_cli/commands.py", line 7233, in handle_moshimoshi
    activate_session(session, options)
  File "/usr/lib/python3.7/site-packages/koji_cli/lib.py", line 603, in activate_session
    session.krb_login(proxyuser=runas)
  File "/usr/lib/python3.7/site-packages/koji/__init__.py", line 2161, in krb_login
    if self.gssapi_login(principal, keytab, ccache, proxyuser=proxyuser):
  File "/usr/lib/python3.7/site-packages/koji/__init__.py", line 2315, in gssapi_login
    raise AuthError('unable to obtain a session')
koji.AuthError: unable to obtain a session
[vascom@v-glazov ~]$

Comment 6 Kevin Fenzi 2019-03-30 19:05:30 UTC
Can you load https://koji.fedoraproject.org/koji in a browser on the same system?

How about: 

curl -v https://koji.fedoraproject.org/koji

Comment 7 Vasiliy Glazov 2019-03-30 19:09:50 UTC
Yes, I can load the site in a browser.

Curl output https://paste.fedoraproject.org/paste/HoTPz9hOuaaT9mjF53yT4Q

Comment 8 Kevin Fenzi 2019-03-30 19:29:51 UTC
ok, how about: 

python3

then 

import requests

then 

r = requests.get(‘https://koji.fedoraproject.org/koji’)

any error(s) there? It seems like something is off with your python3-requests setup somehow.

Comment 9 Vasiliy Glazov 2019-03-30 19:33:24 UTC
I copied the command from you and got this:

vascom@v-glazov ~]$ python3
Python 3.7.3 (default, Mar 27 2019, 13:36:35)
[GCC 9.0.1 20190227 (Red Hat 9.0.1-0.8)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get(‘https://koji.fedoraproject.org/koji’)
  File "<stdin>", line 1
    r = requests.get(‘https://koji.fedoraproject.org/koji’)
                          ^
SyntaxError: invalid character in identifier

Comment 10 Kevin Fenzi 2019-03-30 21:08:56 UTC
bugzilla might have messed with the 's there... make sure they are single quotes, not fancy smart quotes?

Comment 11 Vasiliy Glazov 2019-03-31 04:04:16 UTC
When I type it manually there are no errors:

vascom@v-glazov ~]$ python3
Python 3.7.3 (default, Mar 27 2019, 13:36:35)
[GCC 9.0.1 20190227 (Red Hat 9.0.1-0.8)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get('https://koji.fedoraproject.org/koji')
>>>

Comment 12 Kevin Fenzi 2019-04-01 19:44:47 UTC
So, if you make a new user, kinit as your fedoraproject user and do koji hello does it work there?

Comment 13 Patrick Uiterwijk 2019-04-01 20:15:15 UTC
Did you put the CA certificate for RPMFusion in your homedir, under .koji/serverca.crt?
Because if that file exists, it gets used as the default for CA verification, even if you do not have any configuration to use it.

If that's the case, move that file to ~/.koji/serverca_rpmfusion.crt, and change the rpmfusion code to have a line "serverca = ~/.koji/serverca_rpmfusion.crt".

Comment 14 Vasiliy Glazov 2019-04-02 06:12:57 UTC
Thanks, it works.
But in koji 1.16.2 it had different behavior.

Will this change be kept, or is it a bug?

Comment 15 Patrick Uiterwijk 2019-04-02 06:50:25 UTC
This was a bugfix in 1.17.0 (https://pagure.io/koji/c/27abb872c?branch=master), so I'd guess that this behavior will remain.
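
The behaviour described in Comment 13, as an added example that is not part of the thread and is not koji's own code: a check that reports whether a profile's CA bundle comes from an explicit serverca setting, from the implicit ~/.koji/serverca.crt, or from the system trust store. The lookup order is modelled on the comment's description only; the rpmfusion section name and the temp-dir layout are constructed for the demo.

```python
import configparser
import os
import tempfile

# Default location as described in Comment 13 (an assumption, not koji's source).
IMPLICIT_CA = os.path.join(".koji", "serverca.crt")


def effective_serverca(home, config_paths, profile="koji"):
    """Return (path, origin): origin is 'config', 'implicit' or 'system'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(config_paths)  # unreadable or missing files are skipped
    if parser.has_option(profile, "serverca"):
        value = parser.get(profile, "serverca").strip()
        if value:
            if value.startswith("~/"):
                value = os.path.join(home, value[2:])
            return value, "config"
    candidate = os.path.join(home, IMPLICIT_CA)
    if os.path.exists(candidate):
        # Nothing names this file, yet it would replace the system trust store.
        return candidate, "implicit"
    return None, "system"


def demo():
    """Rebuild the thread's layout in a temp dir (constructed sample data)."""
    with tempfile.TemporaryDirectory() as root:
        koji_dir = os.path.join(root, "home", ".koji")
        os.makedirs(koji_dir)
        home = os.path.dirname(koji_dir)
        stray = os.path.join(koji_dir, "serverca.crt")
        open(stray, "w").close()  # empty stand-in for the RPMFusion CA file
        conf = os.path.join(root, "koji.conf")
        with open(conf, "w") as fh:
            fh.write("[koji]\nauthtype = kerberos\nkrb_rdns = false\n")
        before = effective_serverca(home, [conf])[1]
        # Remediation from Comment 13: rename the file and name it explicitly.
        os.rename(stray, os.path.join(koji_dir, "serverca_rpmfusion.crt"))
        with open(conf, "a") as fh:  # 'rpmfusion' section name is hypothetical
            fh.write("[rpmfusion]\nserverca = ~/.koji/serverca_rpmfusion.crt\n")
        after = effective_serverca(home, [conf])[1]
        other = effective_serverca(home, [conf], "rpmfusion")[1]
        return before, after, other


if __name__ == "__main__":
    print(demo())
```

An "implicit" result for the koji profile is the state the reporter was in: a CA file meant for another hub silently becomes the only trust anchor for koji.fedoraproject.org.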

