From Fedora Project Wiki

Revision as of 21:50, 24 November 2016

Infrastructure Kerberos authentication

Background

Starting in November 2016, Fedora Infrastructure began to use Kerberos authentication for some services, starting with koji (the Fedora build system). On December 12th 2016, the koji build system will be switched to allow only Kerberos authentication and to disallow the old SSL certificate authentication.

Supported Services

  • koji

Future Services

There are plans to enable other Fedora Infrastructure services. Please stay tuned to the announce and devel-announce lists.

Technical Details

Fedora Infrastructure still uses the Fedora Account System (FAS), but now it syncs some account information to a pair of FreeIPA servers. Those servers are made available via a web proxy to Fedora contributors.

How to use Kerberos auth with Fedora Infrastructure

Command line

  • kinit <yourfasloginname>@FEDORAPROJECT.ORG
  • Enter your FAS password
  • You should now be able to authenticate to supported services
  • Tickets are valid for 24 hours and can be renewed for 1 week. You can renew an existing ticket with kinit -R <yourfasloginname>@FEDORAPROJECT.ORG

GUI (gnome/workstation)

  • Open settings -> Online Accounts -> Click on the + to add an account -> Click on "Other" at the end of the list -> Click on "Enterprise login (kerberos)"
  • Enter FEDORAPROJECT.ORG for the domain
  • Enter your FAS name in the name field.
  • Enter your password when prompted.

Firefox

If you have Firefox 49 or higher and have not tweaked any special configuration, you are done. If you have a lower version or want to check:

  • Go to about:config
  • Click the "I accept the risk" button
  • Search for "network.negotiate-auth.trusted-uris"
  • Double-click this option if it's not set to "https://", and set it to "https://"

At this moment, no services that make use of this have been announced, other than some internal infrastructure services. Stay tuned to the announce and devel-announce lists.

Questions and Answers

Question: I have 2 (or more) domains I log in to with Kerberos and koji only seems to work when it's the last one I add, what's going on? (The error it will show is "Kerberos authentication failed: Server not found in Kerberos database (-1765328377)")

Answer: koji currently requires this, but there's a patch coming to fix it. In the meantime you can use 'kswitch' to switch which is primary.

Question: How can I see how long my ticket(s) are valid for?

Answer: Use 'klist -A'

Question: I don't seem to be logged into the koji web interface after this, why not?

Answer: Logging into the koji web interface doesn't really get you much of anything, but we are working on a patch to get this working down the road.
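
The command-line steps and the multiple-domain question above, combined as an added shell example (not part of the original wiki page or of Fedora's tooling): it reads the "Default principal" line of plain klist output to decide whether kswitch, kinit -R or kinit is needed before running koji. The function names and the sample klist output are constructed for illustration, and the MIT Kerberos client tools are assumed.

```shell
#!/bin/bash
# Added example: keep the FEDORAPROJECT.ORG ticket primary and valid for koji.
REALM="FEDORAPROJECT.ORG"

# Constructed sample of plain `klist` output (not captured from a real host).
SAMPLE_KLIST='Ticket cache: KCM:1000:54321
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
11/24/2016 09:00:00  11/25/2016 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Print the primary cache's principal from `klist` output read on stdin.
default_principal() {
    sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# Read `klist` output on stdin; $1 is the wanted principal.
# Prints the action needed: ok, kswitch (another cache is primary) or kinit.
next_step() {
    current=$(default_principal)
    if [ -z "$current" ]; then
        echo kinit
    elif [ "$current" = "$1" ]; then
        echo ok
    else
        echo kswitch
    fi
}

# $1 is the FAS login name. Runs the real MIT Kerberos tools.
ensure_fedora_primary() {
    want="$1@$REALM"
    case $(klist 2>/dev/null | next_step "$want") in
        ok)      # already primary: if the ticket is expired or unreadable,
                 # try a renewal first, then fall back to a fresh login
                 klist -s || kinit -R "$want" || kinit "$want" ;;
        kswitch) # make the Fedora cache primary; log in if it is missing or expired
                 kswitch -p "$want" && klist -s || kinit "$want" ;;
        kinit)   kinit "$want" ;;
    esac
}
```

Source the file and call ensure_fedora_primary <yourfasloginname> before a koji command; 'klist -A' afterwards shows every cache in the collection.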