From 42da45351caed7f7ce7bd5dac4fa564b25c57448 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <puiterwijk@redhat.com>
Date: Mon, 4 Dec 2017 14:41:01 +0000
Subject: [PATCH] Fix koji service accounts with gssapi

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---
 roles/base/templates/krb5.conf.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/roles/base/templates/krb5.conf.j2 b/roles/base/templates/krb5.conf.j2
index c07504b455..2b3fc2ea81 100644
--- a/roles/base/templates/krb5.conf.j2
+++ b/roles/base/templates/krb5.conf.j2
@@ -19,6 +19,11 @@
   kdc = ipa01{{ env_suffix }}.phx2.fedoraproject.org
 {% else %}
   kdc = https://id{{ env_suffix }}.fedoraproject.org/KdcProxy
+{% endif %}
+{% if ansible_hostname.startswith('koji') %}
+  # This maps "A/B@FP.O" to "A/B@FP.O", and is used for gss localname in koji gssapi
+  auth_to_local = RULE:[2:$1/$2@$0](.*)
+  auth_to_local = DEFAULT
 {% endif %}
  }