From Fedora Project Wiki
(→‎Chromium/Chrome: Add missing parameter required for Kerberos authentication with Chrome/Chromium)
(Added Q&A for a problem with renewing the kerberos ticket on F30+. Related: https://pagure.io/fedora-infrastructure/issue/8470)
(19 intermediate revisions by 11 users not shown)
Revision as of 21:01, 17 December 2019

Infrastructure kerberos authentication

Background

Starting in November 2016, Fedora Infrastructure began to use kerberos authentication for some services, starting with koji (the Fedora build system). On December 12th 2016, the koji buildsystem will be switched to only allow kerberos authentication, and disallow the old ssl cert authentication.

Supported Services

  • koji
  • All Fedora Infrastructure ipsilon using applications via GSSAPI

Technical Details

Fedora Infrastructure still uses the Fedora Account System (FAS), but now it syncs some account information to a pair of FreeIPA servers. Those servers are made available via a web proxy to Fedora contributors. Also, via the ipsilon identity management server and GSSAPI we are able to use Kerberos tickets to authenticate users to any services that use ipsilon.

How to use kerberos auth with Fedora Infrastructure

Command line

  • Store your FAS username (all lower case) in ~/.fedora.upn (This is not actually needed for Kerberos but for other tools that used the Fedora client certificate to determine the FAS username)
  • kinit <yourfasloginname>@FEDORAPROJECT.ORG
    • (Yes, upper-case FEDORAPROJECT.ORG — that's the convention for Kerberos.)
    • You need to do this regularly whenever fedpkg or koji authentication fail. There is no support for these tools to prompt you automatically when the ticket expired.
    • Install the krb5-workstation package (sudo dnf install krb5-workstation) if you do not have kinit command available.
    • You can set default_realm = FEDORAPROJECT.ORG in /etc/krb5.conf to avoid each typing @FEDORAPROJECT.ORG.
  • Enter your FAS password
  • You should now be able to authenticate to supported services (koji and lookaside upload)
  • Tickets are valid for 24 hours and can be renewed for 1 week. You can renew an existing ticket with kinit -R <yourfasloginname>@FEDORAPROJECT.ORG
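The steps above have to be repeated by hand whenever koji or fedpkg fails on an expired ticket. The following helper, an added example that is not part of the wiki page or of any Fedora tool, wraps them: it checks the default credential cache with klist, tries a password-less kinit -R while the ticket is still inside its one-week renew window, and only then falls back to a fresh kinit (asking for a renewable ticket with -r 7d, the lifetime the page uses as an example). Reading the FAS name from ~/.fedora.upn when no argument is given mirrors the convention above; the file is assumed to contain just the lower-case username.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki: get a usable FEDORAPROJECT.ORG
# ticket before running koji/fedpkg, since those tools do not prompt when
# the ticket has expired. Uses only MIT krb5-workstation commands (klist,
# kinit). The FAS name comes from the argument or, as an assumption that
# mirrors the ~/.fedora.upn convention on this page, from that file.

FEDORA_REALM="FEDORAPROJECT.ORG"

# Build the principal in the required form: lower-case user, UPPER-CASE realm.
fedora_principal() {
    user=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s@%s\n' "$user" "$FEDORA_REALM"
}

# Does the default credential cache hold an unexpired ticket for this principal?
# klist -s is silent and exits non-zero when the cache has no valid ticket;
# the second klist call confirms the cache belongs to the expected principal
# (a cache holding a ticket for some other realm would otherwise pass).
have_valid_ticket() {
    klist -s 2>/dev/null && klist 2>/dev/null | grep -qF "Default principal: $1"
}

# Ensure a ticket exists. Prints one word describing what happened
# (valid | renewed | acquired | failed) and returns 0 on success, 1 otherwise.
ensure_fedora_ticket() {
    name=${1:-$(cat "$HOME/.fedora.upn" 2>/dev/null)}
    if [ -z "$name" ]; then
        echo "no FAS username given and ~/.fedora.upn is missing" >&2
        printf 'failed\n'
        return 1
    fi
    principal=$(fedora_principal "$name")

    if have_valid_ticket "$principal"; then
        printf 'valid\n'
        return 0
    fi
    # Inside the one-week renew window kinit -R needs no password.
    if kinit -R "$principal" 2>/dev/null; then
        printf 'renewed\n'
        return 0
    fi
    # Otherwise get a fresh ticket (prompts for the FAS password). -r 7d asks
    # for the one-week renewable lifetime so later runs can renew silently.
    if kinit -r 7d "$principal"; then
        printf 'acquired\n'
        return 0
    fi
    printf 'failed\n'
    return 1
}

# Usage (from a shell or a wrapper script):
#   . ./fedora-ticket.sh && ensure_fedora_ticket yourfasloginname && koji build ...
```

Source the file and call ensure_fedora_ticket before the koji or fedpkg command; the printed word makes it easy to log which path was taken. The check deliberately looks at the default cache only, so if you also hold tickets for other realms, make the Fedora cache the primary one first.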

GUI (gnome/workstation)

  • Open settings -> Online Accounts -> Click on the + to add an account -> Click on "Other" at the end of the list -> Click on "Enterprise login (kerberos)"
  • Enter your FAS name @FEDORAPROJECT.ORG for the principal, e.g. fas@FEDORAPROJECT.ORG.
  • Enter your password when prompted.

Firefox

If you have Firefox 49 or higher and have not tweaked any special configuration, you are done. If you have a lower version or want to check:

  • Go to about:config
  • Click the "I accept the risk" button
  • Search for "network.negotiate-auth.trusted-uris"
  • Double-click this option if it's not set to "https://", and set it to "https://"

Chromium/Chrome

For Chrome/Chromium, you need to create a policy file.

  • For Chromium, the directory to put this in is /etc/chromium/policies/managed/.
  • For Chrome, the directory is /etc/opt/chrome/policies/managed/ (you might have to create this yourself).

In that, create a file (e.g. fedora_kerberos.json), with contents:

{
	"AuthServerWhitelist": "*.fedoraproject.org",
	"AuthNegotiateDelegateWhitelist": "*.fedoraproject.org"
}


For Chrome/Chromium on Mac, run these commands instead:


	sudo defaults write /Library/Preferences/com.google.Chrome.plist AuthServerWhitelist '.fedoraproject.org'
	sudo defaults write /Library/Preferences/com.google.Chrome.plist AuthNegotiateDelegateWhitelist '.fedoraproject.org'

Questions and Answers

Question: Is there any particular format for username / domain I need to use?

Answer: Yes. Your username should be all lower case, and the domain name should be all UPPER CASE, i.e. username@FEDORAPROJECT.ORG

Question: How can I see how long my ticket(s) are valid for?

Answer: use klist -A

Question: I don't seem to be logged into the koji web interface after this, why not?

Answer: Logging into the koji web interface doesn't really get you much of anything, but you can get a valid ticket and then go to https://koji.fedoraproject.org/koji/login in your browser and you will be logged in.

Question: When I run kinit I get: Client 'yourname@FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials

Answer: Login to FAS and then retry. Your information needs to be synced from FAS to the IPA server. Logging into FAS does so.

Question: I did that (logged into FAS) in the last answer, and it didn't help, I still get the same error message. What's going on?

Answer: For some small number of users there may be some issue with syncing information from fas->ipa. If this happens to you, please file an infrastructure ticket or talk with us on #fedora-admin and we can manually fix things.

Question: It's not working for me, how can I gather debugging information?

Answer: Run the command with KRB5_TRACE=/dev/stdout in front of it and it should print a lot of debugging information.

Question: koji and/or fedpkg don't seem to be working for me.

Answer: Make sure you have upgraded to the versions listed above and also make sure you fold changes from /etc/koji.conf.rpmnew (if you ever modified your /etc/koji.conf) and your ~/.koji/config. Note that in normal operation you can just use the stock /etc/koji.conf from the koji package and there is no need for a ~/.koji/config. If it still doesn't work also check /etc/rpkg/fedpkg.conf.rpmnew and update your old config if it exists.

Question: Where should I report problems or get help?

Answer: #fedora-admin on IRC or file a fedora-infrastructure ticket and we will try and assist you!

Question: "kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials"?

Answer: Try adding "includedir /etc/krb5.conf.d/" as the top line of the /etc/krb5.conf file.

Question: "kinit: KDC can't fulfill requested option while renewing credentials"?

Answer: When getting the initial ticket, use kinit -r <secs> to get a renewable ticket. Or add "renew_lifetime = <lifetime>", where <lifetime> is for example 7d, to the [libdefaults] section of /etc/krb5.conf.

Question: After entering my password I get: Password incorrect while getting initial credentials

Answer: Please make sure you enter your correct password. If you are sure you entered the correct password, but it doesn't work, please visit the Fedora Account System and log in and change your password. NOTE: Resetting your password does *NOT* update the Kerberos password. If you forgot your password, first use the password reset feature and then log in again to FAS and use the change password link.

Question: Using Koji, I get an error "ImportError: Please install python-krbV to use kerberos"

Answer: Please make sure that in /etc/krb5.conf, under [libdefaults], the option "rdns = false" is set. Note that this might break some non-Fedora krb5 services, but this is required to make GSSAPI work against Fedora services.

Debugging problems

There is a script that can check your configuration and tell you if there is any common problem. Just clone the repository and run the script.

$ git clone https://github.com/puiterwijk/KrbDebug.git
$ cd KrbDebug/
$ ./KrbDebug

Extra info for Infrastructure people

To access nagios, you need to use Kerberos as well. This will require you to change /etc/krb5.conf, and under [libdefaults] add or set "rdns = false" and "dns_canonicalize_hostname = false".
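The /etc/krb5.conf settings are scattered across the command-line section, several Q&A entries and the nagios note above. The fragment below is an added example, not a file shipped by Fedora or taken from the wiki, that collects them in one place. It assumes KDC discovery for FEDORAPROJECT.ORG comes from the snippets under /etc/krb5.conf.d/ (which the includedir line pulls in), so it contains no [realms] entry of its own.

```ini
# Added example (not the wiki's own file): the krb5.conf settings this page
# mentions, collected into one [libdefaults] section.
# The includedir line must stay at the top, per the "Cannot find KDC" answer.
includedir /etc/krb5.conf.d/

[libdefaults]
    # Lets you run "kinit yourname" instead of "kinit yourname@FEDORAPROJECT.ORG"
    default_realm = FEDORAPROJECT.ORG
    # Ask for renewable tickets so "kinit -R" keeps working for a week
    # (avoids "KDC can't fulfill requested option while renewing credentials")
    renew_lifetime = 7d
    # Needed for GSSAPI against Fedora services and for nagios access;
    # the page warns that rdns = false may break some non-Fedora krb5 services
    rdns = false
    dns_canonicalize_hostname = false
```

If you also authenticate to another realm, keep that realm as default_realm (typing @FEDORAPROJECT.ORG explicitly costs little) and check with klist -A after changing the file that tickets for both realms still show the expected renew-until time; rdns and dns_canonicalize_hostname apply to every realm in the file, so test the other realm's services after the change.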