- enable use of a Kerberos service name other than host/ on the hub

- get the Kerberos realm from the client principal, rather than assuming the last two components of the domain name

builder/kojid

@@ -2776,6 +2776,7 @@ def get_options():
                 'host_principal_format': 'compile/%s@EXAMPLE.COM',
                 'keytab': '/etc/kojid/kojid.keytab',
                 'ccache': '/var/tmp/kojid.ccache',
+                'krbservice': 'host',
                 'server': None,
                 'user': None,
                 'password': None,
@@ -2851,7 +2852,7 @@ if __name__ == "__main__":
 
     #build session options
     session_opts = {}
-    for k in ('user','password','debug_xmlrpc', 'debug',
+    for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug',
               'retry_interval', 'max_retries', 'offline_retry', 'offline_retry_interval'):
         v = getattr(options, k, None)
         if v is not None:

builder/kojid.conf

@@ -51,6 +51,18 @@ smtphost=example.com
 ; The From address used when sending email notifications
 from_addr=Koji Build System <buildsys@example.com>
 
+;configuration for Kerberos authentication
+
+;the format of the principal used by the build hosts
+;%s will be replaced by the FQDN of the host
+;host_principal_format = compile/%s@EXAMPLE.COM
+
+;location of the keytab
+;keytab = /etc/kojid/kojid.keytab
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
 ;configuration for SSL authentication
 
 ;client certificate

cli/koji

@@ -159,6 +159,7 @@ def get_options():
         'offline_retry' : None,
         'offline_retry_interval' : None,
         'poll_interval': 5,
+        'krbservice': 'host',
         'cert': '~/.koji/client.crt',
         'ca': '~/.koji/clientca.crt',
         'serverca': '~/.koji/serverca.crt', 
@@ -5620,7 +5621,7 @@ if __name__ == "__main__":
     options, command, args = get_options()
 
     session_opts = {}
-    for k in ('user', 'password', 'debug_xmlrpc', 'debug', 'max_retries',
+    for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug', 'max_retries',
                 'retry_interval', 'offline_retry', 'offline_retry_interval',
                 'anon_retry'):
         value = getattr(options,k)

cli/koji.conf

@@ -14,6 +14,11 @@
 ;path to the koji top directory
 ;topdir = /mnt/koji
 
+;configuration for Kerberos authentication
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
 ;configuration for SSL authentication
 
 ;client certificate

koji/__init__.py

@@ -1600,7 +1600,7 @@ class ClientSession(object):
             # We're trying to log ourself in.  Connect using existing credentials.
             cprinc = ccache.principal()
 
-        sprinc = krbV.Principal(name=self._serverPrincipal(), context=ctx)
+        sprinc = krbV.Principal(name=self._serverPrincipal(cprinc), context=ctx)
 
         ac = krbV.AuthContext(context=ctx)
         ac.flags = krbV.KRB5_AUTH_CONTEXT_DO_SEQUENCE|krbV.KRB5_AUTH_CONTEXT_DO_TIME
@@ -1637,22 +1637,17 @@ class ClientSession(object):
 
         return True
 
-    def _serverPrincipal(self):
+    def _serverPrincipal(self, cprinc):
         """Get the Kerberos principal of the server we're connecting
-        to, based on baseurl.  Assume the last two components of the
-        server name are the Kerberos realm."""
+        to, based on baseurl."""
         servername = urlparse.urlparse(self.baseurl)[1]
         portspec = servername.find(':')
         if portspec != -1:
             servername = servername[:portspec]
+        realm = cprinc.realm
+        service = self.opts.get('krbservice', 'host')
 
-        parts = servername.split('.')
-        if len(parts) < 2:
-            domain = servername.upper()
-        else:
-            domain = '.'.join(parts[-2:]).upper()
-
-        return 'host/%s@%s' % (servername, domain)
+        return '%s/%s@%s' % (service, servername, realm)
 
     def ssl_login(self, cert, ca, serverca, proxyuser=None):
         if not self.baseurl.startswith('https:'):

util/koji-shadow

@@ -77,6 +77,7 @@ def get_options():
                       help=_("use alternate configuration file"))
     parser.add_option("--keytab", help=_("specify a Kerberos keytab to use"))
     parser.add_option("--principal", help=_("specify a Kerberos principal to use"))
+    parser.add_option("--krbservice", help=_("the service name of the principal being used by the hub"))
     parser.add_option("--runas", metavar="USER",
                       help=_("run as the specified user (requires special privileges)"))
     parser.add_option("--user", help=_("specify user"))
@@ -1256,7 +1257,7 @@ if __name__ == "__main__":
     options, args = get_options()
 
     session_opts = {}
-    for k in ('user', 'password', 'debug_xmlrpc', 'debug'):
+    for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug'):
         session_opts[k] = getattr(options,k)
     session = koji.ClientSession(options.server, session_opts)
     if not options.noauth:

util/koji-shadow.conf

@@ -3,5 +3,5 @@
 
 [main]
 server=http://localhost/kojihub/
+krbservice=host
 remote=http://koji.fedoraproject.org/kojihub
-

util/kojira

@@ -507,6 +507,7 @@ def get_options():
                 'principal': None,
                 'keytab': None,
                 'ccache': '/var/tmp/kojira.ccache',
+                'krbservice': 'host',
                 'retry_interval': 60,
                 'max_retries': 120,
                 'offline_retry': True,
@@ -523,7 +524,7 @@ def get_options():
     if config.has_section(section):
         int_opts = ('prune_batch_size', 'deleted_repo_lifetime', 'max_repo_tasks',
                     'delete_batch_size', 'retry_interval', 'max_retries', 'offline_retry_interval')
-        str_opts = ('topdir', 'server', 'user', 'password', 'logfile', 'principal', 'keytab',
+        str_opts = ('topdir', 'server', 'user', 'password', 'logfile', 'principal', 'keytab', 'krbservice',
                     'cert', 'ca', 'serverca', 'debuginfo_tags', 'source_tags')
         bool_opts = ('with_src','verbose','debug','ignore_stray_repos', 'offline_retry')
         for name in config.options(section):
@@ -580,7 +581,7 @@ if  __name__ == "__main__":
     else:
         logger.setLevel(logging.WARNING)
     session_opts = {}
-    for k in ('user', 'password', 'debug_xmlrpc', 'debug',
+    for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug',
               'retry_interval', 'max_retries', 'offline_retry', 'offline_retry_interval'):
         session_opts[k] = getattr(options,k)
     session = koji.ClientSession(options.server,session_opts)

util/kojira.conf

@@ -21,6 +21,17 @@ logfile=/var/log/kojira.log
 ; Include srpms in repos? (not needed for normal operation)
 with_src=no
 
+;configuration for Kerberos authentication
+
+;the kerberos principal to use
+;principal = kojira@EXAMPLE.COM
+
+;location of the keytab
+;keytab = /etc/kojira/kojira.keytab
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
 ;configuration for SSL authentication
 
 ;client certificate

vm/kojivmd

@@ -121,6 +121,7 @@ def get_options():
                 'host_principal_format': 'compile/%s@EXAMPLE.COM',
                 'keytab': '/etc/kojivmd/kojivmd.keytab',
                 'ccache': '/var/tmp/kojivmd.ccache',
+                'krbservice': 'host',
                 'server': None,
                 'user': None,
                 'password': None,
@@ -1001,7 +1002,7 @@ if __name__ == "__main__":
 
     #build session options
     session_opts = {}
-    for k in ('user','password','debug_xmlrpc', 'debug',
+    for k in ('user', 'password', 'krbservice', 'debug_xmlrpc', 'debug',
               'retry_interval', 'max_retries', 'offline_retry', 'offline_retry_interval'):
         v = getattr(options, k, None)
         if v is not None:

vm/kojivmd.conf

@@ -33,6 +33,18 @@ smtphost=example.com
 ; The From address used when sending email notifications
 from_addr=Koji Build System <buildsys@example.com>
 
+;configuration for Kerberos authentication
+
+;the format of the principal used by the build hosts
+;%s will be replaced by the FQDN of the host
+;host_principal_format = compile/%s@EXAMPLE.COM
+
+;location of the keytab
+;keytab = /etc/kojivmd/kojivmd.keytab
+
+;the service name of the principal being used by the hub
+;krbservice = host
+
 ;configuration for SSL authentication
 
 ;client certificate

www/conf/kojiweb.conf

@@ -17,6 +17,7 @@ Alias /koji "/usr/share/koji-web/scripts/"
     PythonOption WebPrincipal koji/web@EXAMPLE.COM
     PythonOption WebKeytab /etc/httpd.keytab
     PythonOption WebCCache /var/tmp/kojiweb.ccache
+    PythonOption KrbService host
     PythonOption WebCert /etc/kojiweb/kojiweb.crt
     PythonOption ClientCA /etc/kojiweb/clientca.crt
     PythonOption KojiHubCA /etc/kojiweb/kojihubca.crt

www/kojiweb/index.py

@@ -103,9 +103,10 @@ def _assertLogin(req):
         assert False
 
 def _getServer(req):
-    serverURL = req.get_options().get('KojiHubURL', 'http://localhost/kojihub')
-    session = koji.ClientSession(serverURL)
-    
+    opts = req.get_options()
+    session = koji.ClientSession(opts.get('KojiHubURL', 'http://localhost/kojihub'),
+                                 opts={'krbservice': opts.get('KrbService', 'host')})
+
     req.currentLogin = _getUserCookie(req)
     if req.currentLogin:
         req.currentUser = session.getUser(req.currentLogin)
@@ -114,7 +115,7 @@ def _getServer(req):
         _setUserCookie(req, req.currentLogin)
     else:
         req.currentUser = None
-    
+
     req._session = session
     return session