#305 RFE: Support GSSAPI login to id.centos.org with FEDORAPROJECT.ORG TGT
Closed: Fixed by arrfab. Opened by sgallagh.

Though the CentOS Project and Fedora Project both share the latter's username and password (+ optional 2FA) setup and id.centos.org is using a GSSAPI-aware OpenID provider (Ipsilon), currently it does not support using GSSAPI to authorize a user with a valid FEDORAPROJECT.ORG ticket-granting ticket for login. Instead, the user must reenter their username, password and OTP.

It would be very convenient if the Kerberos/GSSAPI trust were set up to allow the Fedora TGT to be used for this purpose.


Metadata Update from @arrfab:
- Issue tagged with: authentication, feature-request, high-gain, medium-trouble

ack
This was discussed during the STG tests and let me copy/paste IRC logs from discussion with IPA folks:

(15:08:55) Crys: Does id.centos.org support authentication with a FEDORAPROJECT.ORG GSSAPI token?
(15:10:15) Crys: ah, id.fedoraproject.org doesn't do KRB5 either.
(15:14:27) ab: Crys: I can authenticate with fedora ticket to ipsilon
(15:14:55) Crys: Did you set up FF?
(15:15:10) ab: defaults as we enable GSSAPI on https://
(15:15:10) Crys: like network.negotiate-auth.trusted-uris
(15:16:49) ab: it should already be set to https:// in fedora
(15:18:38) ab: if I'd do 'curl --negotiate -u: https://id.fedoraproject.org/login', I'll get back a response with location: http://id.fedoraproject.org/login/gssapi/negotiate?ipsilon_transaction_id=<some id>
(15:19:50) Crys: It doesn't work for id.centos.org
(15:23:19) Crys: It should be trivial to allow GSSAPI for the IdP.
(15:24:02) ab: the realm would still be FEDORAPROJECT.ORG
(15:24:11) ab: we don't have support for realm aliases yet
(15:24:31) Crys: [domain_realm]
(15:24:31) Crys:  .fedoraproject.org = FEDORAPROJECT.ORG
(15:24:31) Crys:  fedoraproject.org = FEDORAPROJECT.ORG
(15:24:31) Crys:  .centos.org = FEDORAPROJECT.ORG
(15:24:31) Crys:  centos.org = FEDORAPROJECT.ORG
(15:24:37) Crys: that should be good enough :)

Haven't tried, but probably also something else is needed for the HTTP/ that ipsilon itself is presenting. To be investigated and let's ask for advice here directly.

I suggest that you start with:

  • In IPA web UI go to "IPA Server" -> "Realm Domains" and add "centos.org" as a realm domain
  • Add the DNS text record _kerberos.centos.org 300 IN TXT "FEDORAPROJECT.ORG" to the centos.org DNS entry.
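The two mechanisms discussed above, the `[domain_realm]` mapping in krb5.conf from the IRC log and the `_kerberos.centos.org` TXT record suggested here, both answer the same question: which realm does a client pick for a host under centos.org, and therefore which service principal (HTTP/id.centos.org@REALM) it asks the KDC for. The following is an added example, not code from this ticket, FreeIPA, Ipsilon or MIT krb5; it re-implements the client-side lookup order offline (profile mapping first, then DNS, then the uppercase-parent-domain heuristic), which is an approximation of MIT krb5's behaviour and is labelled as such. The krb5.conf fragment and the DNS answers are constructed for the example.

```python
"""Resolve a hostname to a Kerberos realm the way a client does.

Added example, not part of the ticket or any of the projects it mentions.
Lookup order is an approximation of MIT krb5 (assumption):
  1. [domain_realm] in krb5.conf: the host itself, then each parent
     domain with a leading dot (".centos.org", ".org", ...)
  2. dns_lookup_realm: TXT record _kerberos.<host>, then _kerberos.<parent> ...
  3. heuristic: uppercase the parent domain (id.centos.org -> CENTOS.ORG)
"""

# Constructed krb5.conf fragment mirroring the mapping proposed in the IRC log.
KRB5_CONF = """
[libdefaults]
  dns_lookup_realm = true

[domain_realm]
  .fedoraproject.org = FEDORAPROJECT.ORG
  fedoraproject.org = FEDORAPROJECT.ORG
  .centos.org = FEDORAPROJECT.ORG
  centos.org = FEDORAPROJECT.ORG
"""

# Constructed DNS answers standing in for the _kerberos TXT records.
DNS_TXT = {
    "_kerberos.centos.org": "FEDORAPROJECT.ORG",
    "_kerberos.fedoraproject.org": "FEDORAPROJECT.ORG",
}


def _normalize(host):
    return host.lower().rstrip(".")


def parse_domain_realm(conf):
    """Return the [domain_realm] key/value pairs of a krb5.conf text, keys lowercased."""
    mapping = {}
    in_section = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def candidates(host):
    """Keys tried against [domain_realm]: the host, then parent domains with a leading dot."""
    host = _normalize(host)
    yield host
    labels = host.split(".")
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])


def realm_from_profile(host, mapping):
    for key in candidates(host):
        if key in mapping:
            return mapping[key]
    return None


def realm_from_dns(host, txt_records):
    """Emulate dns_lookup_realm: _kerberos.<host>, then _kerberos.<each parent domain>."""
    labels = _normalize(host).split(".")
    for i in range(len(labels)):
        name = "_kerberos." + ".".join(labels[i:])
        if name in txt_records:
            return txt_records[name]
    return None


def resolve_realm(host, conf=KRB5_CONF, txt_records=DNS_TXT):
    """Return (realm, source) where source records which mechanism decided."""
    host = _normalize(host)
    realm = realm_from_profile(host, parse_domain_realm(conf))
    if realm:
        return realm, "domain_realm"
    realm = realm_from_dns(host, txt_records)
    if realm:
        return realm, "dns"
    # Last resort: the uppercased parent domain, which is the realm that
    # does not exist here and explains why login failed before the fix.
    parent = host.partition(".")[2] or host
    return parent.upper(), "heuristic"


def service_principal(host, service="HTTP", **kwargs):
    """Principal name the client will request a ticket for (must exist or be aliased in IPA)."""
    realm, _ = resolve_realm(host, **kwargs)
    return "%s/%s@%s" % (service, _normalize(host), realm)


if __name__ == "__main__":
    for h in ("id.centos.org", "git.centos.org", "id.fedoraproject.org"):
        print(h, "->", resolve_realm(h), service_principal(h))
    # Without any mapping the client would ask for HTTP/id.centos.org@CENTOS.ORG.
    print(resolve_realm("id.centos.org", conf="", txt_records={}))
```

The `service_principal` result is the name that has to be resolvable on the KDC side, which is why the final fix also needed an `HTTP/id.centos.org` alias on the enrolled host principal: a correct realm mapping on the client only gets the request as far as the KDC.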

Just quickly revisiting this as it now seems to work, thanks to advice given by @abbra and @cheimes

  • dns record was already added
  • service principal alias for HTTP/id.centos.org added to the real principal (enrolled in ipa)
  • browser config is just needed

But after that it's now working

@sgallagh: can you give it a try? @abbra and myself gave it a try and were able to use GSSAPI auth with a valid Kerberos ticket against id.centos.org and git.centos.org

confirmed through IRC that it works now

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

Metadata Update from @arrfab:
- Issue assigned to arrfab
