[Freeipa-users] FreeIPA4 OTP vs PAM

Jakub Hrozek jhrozek at redhat.com
Thu Dec 4 09:34:05 UTC 2014


On Sat, Nov 22, 2014 at 02:05:19PM -0800, Michael Lasevich wrote:
> I got some extra log output: seems that FAST IS being used.  I am running
> SSSD 1.11.6, which is supposed to have above mentioned issues fixed:
> 
> Log:
> =================
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [find_principal_in_keytab] (0x4000): Trying to find principal host/
> ipaclient.my.domain.com at MY.DOMAIN.COM in keytab.
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [match_principal]
> (0x1000): Principal matched to the sample (host/
> ipaclient.my.domain.com at MY.DOMAIN.COM).
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361296: Retrieving
> host/ipaclient.my.domain.com at MY.DOMAIN.COM -> krbtgt/
> MY.DOMAIN.COM at MY.DOMAIN.COM from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: 0/Success
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [check_fast_ccache]
> (0x0200): FAST TGT is still valid.
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [main] (0x0400): Will
> perform online auth
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [tgt_req_child]
> (0x1000): Attempting to get a TGT
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [get_and_save_tgt]
> (0x0400): Attempting kinit for realm [MY.DOMAIN.COM]
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361440: Getting
> initial credentials for michael at MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361508: FAST armor
> ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361575: Retrieving
> host/ipaclient.my.domain.com at MY.DOMAIN.COM ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM
> \@MY.DOMAIN.COM at X-CACHECONF: from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not
> found
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361648: Sending
> request (188 bytes) to MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361842: Sending
> initial UDP request to dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365901: Received
> answer from dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365981: Response was
> from master KDC
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366020: Received
> error from KDC: -1765328359/Additional pre-authentication required
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366051: Upgrading to
> FAST due to presence of PA_FX_FAST in reply
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366075: Restarting to
> upgrade to FAST
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366102: FAST armor
> ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366161: Retrieving
> host/ipaclient.my.domain.com at MY.DOMAIN.COM ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM
> \@MY.DOMAIN.COM at X-CACHECONF: from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not
> found
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366191: Upgrading to
> FAST due to presence of PA_FX_FAST in reply
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366215: FAST armor
> ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366267: Retrieving
> host/ipaclient.my.domain.com at MY.DOMAIN.COM ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM
> \@MY.DOMAIN.COM at X-CACHECONF: from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not
> found
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366322: Getting
> credentials host/ipaclient.my.domain.com at MY.DOMAIN.COM -> krbtgt/
> MY.DOMAIN.COM at MY.DOMAIN.COM using ccache FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366380: Retrieving
> host/ipaclient.my.domain.com at MY.DOMAIN.COM -> krbtgt/
> MY.DOMAIN.COM at MY.DOMAIN.COM from FILE:/var/lib/sss/db/
> fast_ccache_MY.DOMAIN.COM with result: 0/Success
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366425: Armor ccache
> sesion key: aes256-cts/9082
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366476: Creating
> authenticator for host/ipaclient.my.domain.com at MY.DOMAIN.COM -> krbtgt/
> MY.DOMAIN.COM at MY.DOMAIN.COM, seqnum 0, subkey aes256-cts/F5B0, session key
> aes256-cts/9082
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366562: FAST armor
> key: aes256-cts/0D88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366605: Encoding
> request body and padata into FAST request
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366675: Sending
> request (1089 bytes) to MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366752: Sending
> initial UDP request to dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370122: Received
> answer from dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370193: Response was
> from master KDC
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370232: Received
> error from KDC: -1765328359/Additional pre-authentication required
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370262: Decoding FAST
> response
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370333: Processing
> preauth types: 136, 141, 133, 137
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370364: Received
> cookie: MIT
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
> [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370404: Produced
> preauth for next request: 133
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [get_and_save_tgt]
> (0x0020): 981: [-1765328174][Generic preauthentication failure]
> (Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [map_krb5_error]
> (0x0020): 1043: [-1765328174][Generic preauthentication failure]

Could you try authenticating with the OTP without SSSD, just using
kinit? You need to create the FAST ccache first:

$ sudo kinit -c FILE:/tmp/armor_ccache -k
$ sudo KRB5_TRACE=/dev/stderr kinit -T /tmp/armor_ccache otptest@IPA.EXAMPLE.COM
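The trace lines inside the SSSD krb5_child log above are ordinary libkrb5 KRB5_TRACE messages, so the same summariser works on the kinit output Jakub asks for. This is an added example, not code from the thread or from SSSD/FreeIPA; the sample log is constructed to mirror the quoted one (unwrapped, one message per line), and the pre-authentication type names come from RFC 6113 and RFC 6560.

```python
import re

# Pre-authentication type numbers from RFC 6113 (FAST) and RFC 6560 (OTP).
PA_NAMES = {133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 137: "PA-FX-ERROR",
            141: "PA-OTP-CHALLENGE", 142: "PA-OTP-REQUEST"}

# libkrb5 trace messages look the same in raw KRB5_TRACE output and when
# SSSD's krb5_child forwards them through sss_child_krb5_trace_cb.
TRACE_RE = re.compile(r"\[\d+\] \d+\.\d+: (?P<msg>.*)$")
OFFERED_RE = re.compile(r"^Processing preauth types: ([\d, ]+)")
PRODUCED_RE = re.compile(r"^Produced preauth for next request: ([\d, ]+)")
SSSD_ERR_RE = re.compile(r"\(0x0020\): \d+: \[(-?\d+)\]\[(.*)\]")

# Constructed sample modelled on the log in this thread.
SAMPLE = """\
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361508: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361842: Sending initial UDP request to dgram 1.1.1.2:88
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370333: Processing preauth types: 136, 141, 133, 137
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370404: Produced preauth for next request: 133
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [get_and_save_tgt] (0x0020): 981: [-1765328174][Generic preauthentication failure]
""".splitlines()

def _types(field):
    return [int(t) for t in field.replace(" ", "").split(",") if t]

def summarize_trace(lines):
    """Reduce a krb5 trace to the facts that matter for OTP/FAST debugging."""
    s = {"armor_ccache": None, "offered": [], "produced": [], "final_error": None}
    for line in lines:
        if (e := SSSD_ERR_RE.search(line)):          # SSSD's own error line
            s["final_error"] = (int(e.group(1)), e.group(2))
        m = TRACE_RE.search(line)
        msg = m.group("msg").strip() if m else ""
        if msg.startswith("FAST armor ccache: "):     # proves FAST armor was used
            s["armor_ccache"] = msg.split(": ", 1)[1]
        elif (x := OFFERED_RE.match(msg)):            # what the KDC offered
            s["offered"] = _types(x.group(1))
        elif (x := PRODUCED_RE.match(msg)):           # what the client answered
            s["produced"] = _types(x.group(1))
    return s

def diagnose(s):
    if not s["armor_ccache"]:
        return "no FAST armor ccache seen: FreeIPA OTP preauth requires FAST"
    if 141 in s["offered"] and 142 not in s["produced"]:
        names = ", ".join(PA_NAMES.get(t, str(t)) for t in s["produced"]) or "nothing"
        return f"KDC offered PA-OTP-CHALLENGE but client produced only {names}"
    return "FAST armored and PA-OTP-REQUEST sent; look at the KDC side"
```

On the sample this reports that the KDC did offer the OTP challenge while the client answered with only the FAST cookie, which is the state the quoted log ends in before the generic preauthentication failure.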
