From Fedora Project Wiki

Infrastructure kerberos authentication

Background

Starting in November 2016, Fedora Infrastructure began to use kerberos authentication for some services, starting with koji (the Fedora build system). On December 12th 2016, the koji buildsystem will be switched to only allow kerberos authentication, and disallow the old ssl cert authentication.

Supported Services

  • koji
  • All Fedora Infrastructure ipsilon using applications via GSSAPI

Technical Details

Fedora Infrastructure still uses the Fedora Account System (FAS), but now it syncs some account information to a pair of FreeIPA servers. Those servers are made available via a web proxy to Fedora contributors. Also, via the ipsilon identity management server and GSSAPI we are able to use Kerberos tickets to authenticate users to any services that use ipsilon.

How to use kerberos auth with Fedora Infrastructure

Command line

  • Install the krb5-workstation package (sudo dnf install krb5-workstation) if you do not have kinit command available.
  • Edit /etc/krb5.conf as following
    includedir /etc/krb5.conf.d/
    
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
      dns_lookup_realm = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      default_ccache_name = KEYRING:persistent:%{uid}
      dns_canonicalize_hostname = false
    
    [realms]
    
    [domain_realm]
  • Create the file /etc/krb5.conf.d/fedoraproject_org with the following content
    [realms]
     FEDORAPROJECT.ORG = {
            kdc = https://id.fedoraproject.org/KdcProxy
     }
    [domain_realm]
     .fedoraproject.org = FEDORAPROJECT.ORG
     fedoraproject.org = FEDORAPROJECT.ORG
    
    Note.png
    Note
    See section Debugging problems to double sure the configuration
  • kinit <yourfasloginname>@FEDORAPROJECT.ORG
  • Note.png
    Note
    Yes, upper-case FEDORAPROJECT.ORG — that's the convention for Kerberos.

    You can set default_realm = FEDORAPROJECT.ORG at libdefaults section to avoid each typing @FEDORAPROJECT.ORG

  • Enter your FAS password
  • Note.png
    Note
    You should now be able to authenticate to supported services (koji and lookaside upload)

    Tickets are valid for 24 hours and can be renewed for 1 week.

    You can renew a existing ticket with kinit -R <yourfasloginname>@FEDORAPROJECT.ORG
  • Store your FAS username (all lower case) in ~/.fedora.upn (This is not actually needed for Kerberos but for other tools that used the Fedora client certificate to determine the FAS username)
  • Note.png
    Note
    You need to do this regularly whenever fedpkg or koji authentication fail. There is no support for these tools to prompt you automatically when the ticket expired.

GUI (gnome/workstation)

  • Open settings -> Online Accounts -> Click on the + to add an account -> Click on "Other" at the end of the list -> Click on "Enterprise login (kerberos)"
  • Enter your FAS name @FEDORAPROJECT.ORG for the principal, e.g. fas@FEDORAPROJECT.ORG.
  • Enter your password when prompted.

Firefox

If you have Firefox 49 or higher and not tweaked any special configuration, you are done. If you have a lower version or want to check:

  • Go to about:config
  • Click the "I accept the risk" button
  • Search for "network.negotiate-auth.trusted-uris"
  • Double-click this option if it's not set to "https://", and set it to "https://"

Chromium/Chrome

For Chrome/Chromium, you need to create a policy file.

  • For Chromium, the directory to put this in is /etc/chromium/policies/managed/ .
  • For Chrome, the directory is /etc/opt/chrome/policies/managed/ (you might have to create this yourself).

In that, create a file (e.g. fedora_kerberos.json), with contents:

{
	"AuthServerWhitelist": "*.fedoraproject.org",
	"AuthNegotiateDelegateWhitelist": "*.fedoraproject.org"
}


For Mac Chrome/Chromium, you need to enter command


	sudo defaults write /Library/Preferences/com.google.Chrome.plist AuthServerWhitelist '.fedoraproject.org'
	sudo defaults write /Library/Preferences/com.google.Chrome.plist AuthNegotiateDelegateWhitelist '.fedoraproject.org'

Questions and Answers

Question: Is there any particular format for username / domain I need to use?

Answer: Yes. Your username should be all lower case, and the domain name should be all UPPER CASE. ie, username@FEDORAPROJECT.ORG

Question: How can I see how long my ticket(s) are valid for?

Answer: use klist -A

Question: I don't seem to be logged into the koji web interface after this, why not?

Answer: Logging into the koji web interface doesn't really get you much of anything, but you can get a valid ticket and then go to https://koji.fedoraproject.org/koji/login in your browser and you will be logged in.

Question: When I run kinit I get: Client 'yourname@FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials

Answer: Login to FAS and then retry. Your information needs to be synced from FAS to the IPA server. Logging into FAS does so.

Question: I did that (logged into FAS) in the last answer, and it didn't help, I still get the same error message. What's going on?

Answer: For some small number of users there may be some issue with syncing information from fas->ipa. If this happens to you, please file an infrastructure ticket or talk with us on #fedora-admin[?] and we can manually fix things.

Question: It's not working for me, how can I gather debugging information?

Answer: Run the command with KRB5_TRACE=/dev/stdout in front of it and it should print a lot of debugging information.

Question: koji and/or fedpkg don't seem to be working for me.

Answer: Make sure you have upgraded to the versions listed above and also make sure you fold changes from /etc/koji.conf.rpmnew (if you ever modified your /etc/koji.conf) and your ~/.koji/config. Note that in normal operation you can just use the stock /etc/koji.conf from the koji package and there is no need for a ~/.koji/config. If it still doesn't work also check /etc/rpkg/fedpkg.conf.rpmnew and update your old config if it exists.

Question: Where should I report problems or get help?

Answer: #fedora-admin[?] on IRC or file a fedora-infrastructure ticket and we will try and assist you!

Question: "kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials"?

Answer: Try adding "includedir /etc/krb5.conf.d/" as the top line in the /etc/krb5.conf file

Question: "kinit: KDC can't fulfill requested option while renewing credentials"?

Answer: When getting the initial ticket, use kinit -r <secs> to get a renewable ticket. Or add "renew_lifetime = <lifetime>", where <lifetime> is for example 7d, to the [libdefaults] section of /etc/krb5.conf.

Question: After entering my password I get: Password incorrect while getting initial credentials

Answer: Please make sure you enter your correct password. If you are sure you entered the correct password, but it doesn't work, please visit the Fedora Account System and log in and change your password. NOTE: Resetting your password does *NOT* update the Kerberos password. If you forgot your password, first use the password reset feature and then log in again to FAS and use the change password link.

Question: Using Koji, I get an error "ImportError: Please install python-krbV to use kerberos"

Answer: Please make sure that in /etc/krb5.conf, under [libdefaults], the option "rdns = false" is set. Note that this might break some non-Fedora krb5 services, but this is required to make GSSAPI work against Fedora services.

Question: I'm on a windows machine and I get a pop up window asking me for login and password and no matter what I enter there it doesn't work. Whats going on?

Answer: This is windows seeing that you have a kerberos ticket and trying to authenticate as if it was a active directory setup. This will not work at all. When you get a windows authentication pop up, press 'cancel' and you should instead see the fedoraproject login/pass in the web browser page, enter your information here and you should authenticate.

Debugging problems

There is a script that can check your configuration and tell you if there is any common problem. Just clone the repository and run the script.

$ git clone https://github.com/puiterwijk/KrbDebug.git
$ cd KrbDebug/
$ ./KrbDebug

Extra info for Infrastructure people

To access nagios, you need to use Kerberos as well. This will require you to change /etc/krb5.conf, and under [libdefaults] add or set "rdns = false" and "dns_canonicalize_hostname = false".