https://copr.fedorainfracloud.org/ supports login with Kerberos (gssapi-login). The login works fine if the user has a TGT for just FEDORAPROJECT.ORG or the current primary ticket cache contains a TGT for FEDORAPROJECT.ORG realm. However it does not work if I'm logged into multiple realms and my primary ticket cache contains a TGT for another realm. This is a very common scenario for Red Hatters as they are typically logged into Red Hat's internal IPA realm, too.
Kerberos / GSS-API is able to automatically switch to the correct cache IFF Kerberos can figure out the correct realm for an URL. Since Fedora's Kerberos realm supports and prefers DNS discovery, the realm is detected by looking up a DNS TXT record for _kerberos, e.g. realm for www.fedoraproject.org is looked up from _kerberos.fedoraproject.org. However the COPR is hosted on fedorainfracloud.org, which does not have a _kerberos TXT record:
```
$ host -t TXT _kerberos.fedoraproject.org
_kerberos.fedoraproject.org descriptive text "FEDORAPROJECT.ORG"
$ host -t TXT _kerberos.fedorainfracloud.org
Host _kerberos.fedorainfracloud.org not found: 3(NXDOMAIN)
```
Kerberos / GSS-API is not able to map the host to the correct realm and falls back to use the TGT from the primary cache.
```
$ KRB5_TRACE=/dev/stdout curl --negotiate -u: https://copr.fedorainfracloud.org/api_3/gssapi_login/web-ui/
[213621] 1688062070.080260: TXT record _kerberos.copr.fedorainfracloud.org. not found
[213621] 1688062070.080261: TXT record _kerberos.fedorainfracloud.org. not found
[213621] 1688062070.080262: TXT record _kerberos.org. not found
[213621] 1688062070.080263: ccselect can't find appropriate cache for server principal HTTP/copr.fedorainfracloud.org@FEDORAINFRACLOUD.ORG
[213621] 1688062070.080264: Getting credentials cheimes@IPA.REDHAT.COM -> HTTP/copr.fedorainfracloud.org@ using ccache KCM:1000:9442
...
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
```
Login works if I switch to my FEDORAPROJECT.ORG principal first:
```
$ kswitch -p cheimes@FEDORAPROJECT.ORG
$ KRB5_TRACE=/dev/stdout curl --negotiate -u: https://copr.fedorainfracloud.org/api_3/gssapi_login/web-ui/
[215965] 1688062536.576759: ccselect can't find appropriate cache for server principal HTTP/copr.fedorainfracloud.org@FEDORAINFRACLOUD.ORG
[215965] 1688062536.576760: Getting credentials cheimes@FEDORAPROJECT.ORG -> HTTP/copr.fedorainfracloud.org@ using ccache KCM:1000
[215965] 1688062536.576761: Retrieving cheimes@FEDORAPROJECT.ORG -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1000 with result: -1765328243/Matching credential not found
[215965] 1688062536.576762: Retrieving cheimes@FEDORAPROJECT.ORG -> HTTP/copr.fedorainfracloud.org@ from KCM:1000 with result: 0/Success
[215965] 1688062536.576764: Creating authenticator for cheimes@FEDORAPROJECT.ORG -> HTTP/copr.fedorainfracloud.org@, seqnum 139234564, subkey aes256-cts/BA35, session key aes256-cts/20C
```
I believe that a DNS TXT record _kerberos.fedorainfracloud.org with value FEDORAPROJECT.ORG will fix the issue for users with Kerberos setting dns_lookup_realm = true.
I have tried to solve this by extending the fedora-packager Kerberos configuration. Added snippet:
```
$ cat /etc/krb5.conf.d/fedoraproject_org.infra
[domain_realm]
.fedorainfracloud.org = FEDORAPROJECT.ORG
fedorainfracloud.org = FEDORAPROJECT.ORG
```
This configuration does not require DNS infrastructure, but it does not work anyway. Strangely, it does not work in Firefox and curl, but it does in Chromium.
If I include my custom mapping into ~/.k5identity, it fixes that:
```
pemensik@FEDORAPROJECT.ORG host=*.fedorainfracloud.org
```
But I would like to have a working system-wide package, which works for all users.
Related change to fedora-packager: https://pagure.io/fedora-packager/pull-request/177
Found that when I comment out the token from ~/.config/copr and then run `KRB5_TRACE=/dev/stderr copr list-permissions pemensik/bind`, it actually attempts to log in using Kerberos from that command line. It fails in my configuration, though. As soon as I uncomment the k5identity magic line, it works.
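The three outcomes in this thread (fallback to the primary cache when no `_kerberos` TXT record exists, correct selection once the record is found, and the `~/.k5identity` override) can be reproduced offline with a small model of the cache-selection order. This is an added illustration, not krb5 code and not code from this ticket: the DNS table is constructed, only the `host=` selector of `.k5identity` is modelled, and the realm guessed when DNS has no answer is the upper-cased parent domain that the trace's server principal shows.

```python
"""Model of how MIT krb5 picks a credential cache for HTTP/<host>, following
the order visible in the ticket's KRB5_TRACE output. Added illustration; the
DNS table below is constructed and no network access is made."""
import fnmatch

# Constructed stand-in for DNS: these _kerberos TXT owners exist, every
# other name answers like the NXDOMAIN in the ticket.
DNS_TXT_BEFORE = {
    "_kerberos.fedoraproject.org": "FEDORAPROJECT.ORG",
    "_kerberos.centos.org": "FEDORAPROJECT.ORG",
}
# State after the record requested in the ticket is added.
DNS_TXT_AFTER = {**DNS_TXT_BEFORE,
                 "_kerberos.fedorainfracloud.org": "FEDORAPROJECT.ORG"}

# Constructed cache collection: client principal -> ccache name.
CACHES = {
    "cheimes@IPA.REDHAT.COM": "KCM:1000:9442",
    "cheimes@FEDORAPROJECT.ORG": "KCM:1000",
}


def realm_from_dns(host, txt):
    """Walk from the host up to the TLD looking for _kerberos TXT records,
    in the order the trace shows (copr.fedorainfracloud.org,
    fedorainfracloud.org, org). Returns (realm or None, names queried)."""
    labels = host.lower().rstrip(".").split(".")
    queried = []
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        queried.append(name)
        if name in txt:
            return txt[name], queried
    return None, queried


def principal_from_k5identity(host, k5identity_text):
    """First matching ~/.k5identity rule wins; host= uses shell-style globs.
    Only the host= selector is modelled here (assumption for brevity)."""
    for line in k5identity_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        principal, *fields = line.split()
        selectors = dict(f.split("=", 1) for f in fields if "=" in f)
        pattern = selectors.get("host")
        if pattern is None or fnmatch.fnmatchcase(host.lower(), pattern.lower()):
            return principal
    return None


def select_cache(host, caches, primary, *, txt, dns_lookup_realm=True,
                 k5identity=""):
    """Return (client principal, reason) for a request to HTTP/<host>.
    primary is the principal of the primary cache (what kswitch picks)."""
    # 1. ~/.k5identity is consulted first and is authoritative.
    chosen = principal_from_k5identity(host, k5identity)
    if chosen is not None and chosen in caches:
        return chosen, "k5identity"
    # 2. Realm selection: DNS only participates when dns_lookup_realm is on,
    #    which is why the krb5-libs default (false) keeps failing here.
    realm = None
    if dns_lookup_realm:
        realm, _ = realm_from_dns(host, txt)
    if realm is None:
        # No TXT answer: krb5 guesses the upper-cased parent domain, the
        # FEDORAINFRACLOUD.ORG seen in the trace, which no cache serves.
        parts = host.lower().rstrip(".").split(".", 1)
        realm, how = parts[-1].upper(), "guessed domain"
    else:
        how = "DNS TXT"
    for principal in caches:
        if principal.rpartition("@")[2] == realm:
            return principal, f"realm {realm} via {how}"
    # 3. Fallback: the primary cache, whatever realm it holds.
    return primary, f"primary cache (no cache for realm {realm})"


if __name__ == "__main__":
    host = "copr.fedorainfracloud.org"
    primary = "cheimes@IPA.REDHAT.COM"
    print(select_cache(host, CACHES, primary, txt=DNS_TXT_BEFORE))
    print(select_cache(host, CACHES, primary, txt=DNS_TXT_AFTER))
    print(select_cache(host, CACHES, primary, txt=DNS_TXT_AFTER,
                       dns_lookup_realm=False))
```

Running the script prints the primary-cache fallback for the pre-fix DNS state, the FEDORAPROJECT.ORG cache once the TXT record exists, and the fallback again when `dns_lookup_realm` is off even though the record is there; that last case is the one a system-wide `[domain_realm]` snippet cannot rescue, because the thread's traces show cache selection driven by the DNS walk, not by that mapping.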
FWIW, centos.org has a Kerberos TXT record:
```
$ host -t TXT _kerberos.centos.org
_kerberos.centos.org descriptive text "FEDORAPROJECT.ORG"
```
I don't know why domain_realm settings do not affect KRB5's ccselect. @simo and @abbra may know.
I don't have any problem adding the dns record here.
I've now done so, can you both test and confirm it works as desired?
Yes, it works as expected if krb5.conf does not contain dns_lookup_realm = false. The option defaults to true.
```
$ KRB5_TRACE=/dev/stdout curl --negotiate -u: https://copr.fedorainfracloud.org/api_3/gssapi_login/web-ui/
[549823] 1688152381.069135: TXT record _kerberos.copr.fedorainfracloud.org. not found
[549823] 1688152381.069136: TXT record _kerberos.fedorainfracloud.org. found: FEDORAPROJECT.ORG
[549823] 1688152381.069137: ccselect module realm chose cache KCM:1000 with client principal cheimes@FEDORAPROJECT.ORG for server principal HTTP/copr.fedorainfracloud.org@FEDORAPROJECT.ORG
[549823] 1688152381.069138: Getting credentials cheimes@FEDORAPROJECT.ORG -> HTTP/copr.fedorainfracloud.org@ using ccache KCM:1000
...
[549823] 1688152382.165775: Creating authenticator for cheimes@FEDORAPROJECT.ORG -> HTTP/copr.fedorainfracloud.org@, seqnum 186744181, subkey aes256-cts/9E62, session key aes256-cts/5CF6
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="https://copr.fedorainfracloud.org/">https://copr.fedorainfracloud.org/</a>. If not, click the link.
```
The option defaults to true maybe, but the krb5-libs default config contains:
```
[libdefaults]
dns_lookup_realm = false
...
```
Yes, I confirm this fixes it for a machine with dns_lookup_realm = true.
My other machine, which keeps the default /etc/krb5.conf unmodified with dns_lookup_realm = false, does not log in successfully. It tries my primary krb5 realm from REDHAT.COM, which of course fails to authenticate.
Metadata Update from @phsmoura:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble, ops
I'm not sure what else we can do here...
I'm not a big fan of the fedora-packager config idea, because many people who might want to authenticate with copr will not have that installed. Also, it sounds like that doesn't work with all the various settings possible. ;(
So, should we just call this good? Or is there more we can do?
Feel free to reopen this if there's further action here.
Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)