Bug 1812702

Summary: "krb_rdns = false" in /etc/koji.conf.d/*.conf has no effect and is confusing
Product: [Fedora] Fedora Reporter: Ken Dreyer (Red Hat) <kdreyer>
Component: fedora-packagerAssignee: Mohan Boddu <mboddu>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 34CC: kellin, ktdreyer, mboddu, rhbugs
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-12 17:58:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ken Dreyer (Red Hat) 2020-03-11 22:06:21 UTC 
Description of problem:
/etc/koji.conf.d/fedora.conf has a "krb_rdns = false" setting. This only applies to the old-style Kerberos authentication. It has no effect for Fedora Koji users, because that uses the newer-style GSSAPI authentication.

We should remove this option for two reasons:

1) This setting is confusing to new users (https://pagure.io/koji/issue/2063)
2) Koji upstream will remove the old-style Kerberos authentication eventually (https://pagure.io/koji/issue/1991).


Version-Release number of selected component (if applicable):
fedora-packager-0.6.0.2-5.fc30.noarch

How reproducible:
always

Steps to Reproduce:
Starting from a completely new Fedora 31 environment:
1. "yum -y install fedora-packager"
2. Edit /etc/krb5.conf to remove the hard-coded "rdns = false" setting from krb5-libs-1.17-15.fc30. This will cause the Kerberos client to choose the default rdns setting ("true").
3. kinit ktdreyer
4. koji hello

Actual results:
"koji hello" fails with "[ERROR] koji: AuthError: unable to obtain a session"

"klist" shows that requests tried to use the service tickets for the proxies:

$ klist
Ticket cache: FILE:/tmp/ccache
Default principal: ktdreyer

Valid starting     Expires            Service principal
03/11/20 21:44:09  03/12/20 21:43:52  krbtgt/FEDORAPROJECT.ORG
	renew until 03/18/20 21:43:52
03/11/20 21:44:19  03/12/20 21:43:52  HTTP/proxy10.fedoraproject.org
	renew until 03/18/20 21:43:52
03/11/20 21:48:45  03/12/20 21:43:52  HTTP/proxy01.fedoraproject.org
	renew until 03/18/20 21:43:52


This happens whether "krb_rdns" is "false" or "true" in /etc/koji.conf.d/fedora.conf.


Expected results:
/etc/krb5.conf's "rdns" setting is the only one that affects GSSAPI auth, and there is no hint to users to look at krb_rdns in /etc/koji.conf.d/fedora.conf
Comment 1 Ken Dreyer 2020-03-13 22:39:10 UTC 
Please remove krb_rdns from the other koji configs in fedora-packager as well:
/etc/koji.conf.d/stg.conf 
/etc/koji.conf.d/s390.conf
Comment 2 Ben Cotton 2020-08-11 13:13:37 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle.
Changing version to 33.
Comment 3 Ken Dreyer (Red Hat) 2020-08-18 17:02:34 UTC 
"krb_rdns" is still present in these files: https://pagure.io/fedora-packager/blob/master/f/configs
Comment 4 Ken Dreyer (Red Hat) 2020-10-28 19:49:19 UTC 
Would you please merge the change at https://pagure.io/fedora-packager/pull-request/164?
Comment 5 Ken Dreyer (Red Hat) 2021-01-20 21:50:05 UTC 
Next step is to tag a new release https://pagure.io/fedora-packager/releases
Comment 6 Ben Cotton 2021-02-09 15:14:30 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.
Comment 7 Ben Cotton 2022-05-12 16:07:30 UTC 
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.
Comment 8 Ken Dreyer 2022-05-12 17:58:15 UTC 
/etc/koji.conf.d/fedora.conf from fedora-packager-0.6.0.6-3.fc35.noarch (Rawhide) looks good now.