From Fedora Project Wiki

< Infrastructure

Revision as of 00:09, 12 December 2016 by Kevin (talk | contribs) (edits)

Infrastructure kerberos authentication


Starting in November 2016, Fedora Infrastructure began to use kerberos authentication for some services, starting with koji (the Fedora build system). On December 12th 2016, the koji buildsystem will be switched to only allow kerberos authentication, and disallow the old ssl cert authentication.

Supported Services

  • koji
  • All Fedora Infrastructure ipsilon using applications via GSSAPI

Technical Details

Fedora Infrastructure still uses the Fedora Account System (fas), but now it syncs some account information to a pair of FreeIPA servers. Those servers are made available via a web proxy to Fedora contributors. Also, via the ipsilon identity management server and GSSAPI we are able to use kerberos tickets to authenticate users to any services that use ipsilon.

How to use kerberos auth with Fedora Infrastructure

Command line

  • kinit <yourfasloginname>@FEDORAPROJECT.ORG
  • enter your FAS password
  • You should now be able to authenticate to supported services
  • Tickets are valid for 24 hours and can be renewed for 1 week. You can renew a existing ticket with kinit -R <yourfasloginname>@FEDORAPROJECT.ORG

GUI (gnome/workstation)

  • Open settings -> Online Accounts -> Click on the + to add an account -> Click on "Other" at the end of the list -> Click on "Enterprise login (kerberos)"
  • Enter FEDORAPROJECT.ORG for the domain
  • Enter your FAS name in the name field.
  • Enter your password when prompted.


If you have Firefox 49 or higher and not tweaked any special configuration, you are done. If you have a lower version or want to check:

  • Go to about:config
  • Click the "I accept the risk" button
  • Search for "network.negotiate-auth.trusted-uris"
  • Double-click this option if it's not set to "https://", and set it to "https://"


For Chrome/Chromium, you need to create a policy file.

  • For Chromium, the directory to put this in is /etc/chromium/policies/managed/ .
  • For Chrome, the directory is /etc/opt/chrome/policies/managed/ (you might have to create this yourself).

In that, create a file (e.g. fedora_kerberos.json), with contents:

	"AuthServerWhitelist": "*"

Questions and Answers

Question: I have 2 (or more) domains I login to with kerberos and koji only seems to work when it's the last one I add, whats going on? (The error it will show is "Kerberos authentication failed: Server not found in Kerberos database (-1765328377)")

Answer: koji currently requires this, but there's a patch coming to fix it. In the mean time you can use 'kswitch' to switch which is primary.

Question: How can I see how long my ticket(s) are valid for?

Answer: use 'klist -A'

Question: I don't seem to be logged into the koji web interface after this, why not?

Answer: Logging into the koji web interface doesn't really get you much of anything, but we are working on a patch to get this working down the road.

Question: When I run kinit I get: Client 'yourname@FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials

Answer: Login to fas ( ) and then retry. Your information needs to be synced from fas to the ipa server. Logging into fas does so.

Question: It's not working for me, how can I gather debugging information?

Answer: Run the command with KRB5_TRACE=/dev/stdout in front of it and it should print a lot of debugging information.

Question: Where should I report problems or get help? #fedora-admin on IRC or file a fedora-infrastructure ticket and we will try and assist you!

Extra info for Infrastructure people

To access nagios, you need to use Kerberos as well. This will require you to change /etc/krb5.conf, and under [libdefaults] add or set "rdns = false".