Bug 1812702 - "krb_rdns = false" in /etc/koji.conf.d/*.conf has no effect and is confusing
Summary: "krb_rdns = false" in /etc/koji.conf.d/*.conf has no effect and is confusing
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: fedora-packager
Version: 34
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Mohan Boddu
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2020-03-11 22:06 UTC by Ken Dreyer (Red Hat)
Modified: 2021-02-09 15:14 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Fedora Pagure fedora-packager pull-request 164 0 None None None 2020-10-28 19:48:57 UTC

Description Ken Dreyer (Red Hat) 2020-03-11 22:06:21 UTC
Description of problem:
/etc/koji.conf.d/fedora.conf has a "krb_rdns = false" setting. This only applies to the old-style Kerberos authentication. It has no effect for Fedora Koji users, because that uses the newer-style GSSAPI authentication.

We should remove this option for two reasons:

1) This setting is confusing to new users (https://pagure.io/koji/issue/2063)
2) Koji upstream will remove the old-style Kerberos authentication eventually (https://pagure.io/koji/issue/1991).

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Starting from a completely new Fedora 31 environment:
1. "yum -y install fedora-packager"
2. Edit /etc/krb5.conf to remove the hard-coded "rdns = false" setting from krb5-libs-1.17-15.fc30. This will cause the Kerberos client to choose the default rdns setting ("true").
3. kinit ktdreyer@FEDORAPROJECT.ORG
4. koji hello

Actual results:
"koji hello" fails with "[ERROR] koji: AuthError: unable to obtain a session"

"klist" shows that requests tried to use the service tickets for the proxies:

$ klist
Ticket cache: FILE:/tmp/ccache
Default principal: ktdreyer@FEDORAPROJECT.ORG

Valid starting     Expires            Service principal
03/11/20 21:44:09  03/12/20 21:43:52  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
	renew until 03/18/20 21:43:52
03/11/20 21:44:19  03/12/20 21:43:52  HTTP/proxy10.fedoraproject.org@FEDORAPROJECT.ORG
	renew until 03/18/20 21:43:52
03/11/20 21:48:45  03/12/20 21:43:52  HTTP/proxy01.fedoraproject.org@FEDORAPROJECT.ORG
	renew until 03/18/20 21:43:52

This happens whether "krb_rdns" is "false" or "true" in /etc/koji.conf.d/fedora.conf.

Expected results:
/etc/krb5.conf's "rdns" setting is the only one that affects GSSAPI auth, and there is no hint to users to look at krb_rdns in /etc/koji.conf.d/fedora.conf

Comment 1 Ken Dreyer 2020-03-13 22:39:10 UTC
Please remove krb_rdns from the other koji configs in fedora-packager as well:

Comment 2 Ben Cotton 2020-08-11 13:13:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle.
Changing version to 33.

Comment 3 Ken Dreyer (Red Hat) 2020-08-18 17:02:34 UTC
"krb_rdns" is still present in these files: https://pagure.io/fedora-packager/blob/master/f/configs

Comment 4 Ken Dreyer (Red Hat) 2020-10-28 19:49:19 UTC
Would you please merge the change at https://pagure.io/fedora-packager/pull-request/164?

Comment 5 Ken Dreyer (Red Hat) 2021-01-20 21:50:05 UTC
Next step is to tag a new release https://pagure.io/fedora-packager/releases

Comment 6 Ben Cotton 2021-02-09 15:14:30 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle.
Changing version to 34.

Note You need to log in before you can comment on or make changes to this bug.