From Fedora Project Wiki

Infrastructure kerberos authentication

Background

Starting in November 2016, Fedora Infrastructure began to use kerberos authentication for some services, starting with koji (the Fedora build system). On December 12th 2016, the koji buildsystem will be switched to only allow kerberos authentication, and disallow the old ssl cert authentication.

Supported Services

  • koji

Future Services

There are plans to enable other Fedora Infrastructure services. Please stay tuned to the announce and devel-announce lists.

Technical Details

Fedora Infrastructure still uses the Fedora Account System (fas), but now it syncs some account information to a pair of FreeIPA servers. Those servers are made available via a web proxy to Fedora contributors.

How to use kerberos auth with Fedora Infrastructure

Command line

  • kinit <yourfasloginname>@FEDORAPROJECT.ORG
  • enter your FAS password
  • You should now be able to authenticate to supported services
  • Tickets are valid for 24 hours and can be renewed for 1 week. You can renew a existing ticket with kinit -R <yourfasloginname>@FEDORAPROJECT.ORG

GUI (gnome/workstation)

  • Open settings -> Online Accounts -> Click on the + to add an account -> Click on "Other" at the end of the list -> Click on "Enterprise login (kerberos)"
  • Enter FEDORAPROJECT.ORG for the domain
  • Enter your FAS name in the name field.
  • Enter your password when prompted.

Firefox

If you have Firefox 49 or higher and not tweaked any special configuration, you are done. If you have a lower version or want to check:

  • Go to about:config
  • Click the "I accept the risk" button
  • Search for "network.negotiate-auth.trusted-uris"
  • Double-click this option if it's not set to "https://", and set it to "https://"

Chromium/Chrome

For Chrome/Chromium, you need to create a policy file.

  • For Chromium, the directory to put this in is /etc/chromium/policies/managed/ .
  • For Chrome, the directory is /etc/opt/chrome/policies/managed/ (you might have to create this yourself).

In that, create a file (e.g. fedora_kerberos.json), with contents:

{
	"AuthServerWhitelist": "*.fedoraproject.org"
}

At this moment, there are no services announced yet that make use of the browser other than some internal infrastructure services. Stay tuned to announce and devel-announce lists.

Questions and Answers

Question: I have 2 (or more) domains I login to with kerberos and koji only seems to work when it's the last one I add, whats going on? (The error it will show is "Kerberos authentication failed: Server not found in Kerberos database (-1765328377)")

Answer: koji currently requires this, but there's a patch coming to fix it. In the mean time you can use 'kswitch' to switch which is primary.

Question: How can I see how long my ticket(s) are valid for?

Answer: use 'klist -A'

Question: I don't seem to be logged into the koji web interface after this, why not?

Answer: Logging into the koji web interface doesn't really get you much of anything, but we are working on a patch to get this working down the road.