[Freeipa-users] interesting Kerberos issue

Dmitri Pal dpal at redhat.com
Tue May 5 13:47:18 UTC 2015


On 05/04/2015 09:38 PM, Janelle wrote:
> On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
>> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>>> Happy Star Wars Day!
>>> May the Fourth be with you!
>>>
>>> So I have a strange Kerberos problem trying to figure out. On a
>>> CLIENT (CentOS 7.1), if I login to account "usera" they get a ticket
>>> as expected. However, if I login to a 6.6 client, it doesn't seem to
>>> work. Both were enrolled the same, obviously one is newer.
>>>
>>> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
>>> as root, bypassing kerberos, and then do "kinit admin" it works just
>>> fine. But if I do "kinit usera" I get:
>>>
>>> kinit: Generic preauthentication failure while getting initial
>>> credentials
>>>
>>> Which makes no sense. The account works with a 7.1 client but not a
>>> 6.x client?? And yet "admin" works, no matter what. What am I missing
>>> here?
>> If I had to guess, usera is enabled for OTP-only login. Is that
>> correct?
>>
>> If so, clients require RHEL 7.1 for OTP support. Also, the error you
>> are getting is the result of not enabling FAST support for OTP
>> authentication (see the -T option).
>>
>> Nathaniel
> Ok, this did give me an idea (Thanks Nathaniel) -- the account was
> set for BOTH "password" and OTP.
> Apparently setting both does nothing. Yes a user can login with their
> password-only, but trying to use kinit does not work.
>
> I am not sure I understand where the FAST support or the -T option is
> to be applied. On kinit? That does not seem correct. Perhaps I am
> misunderstanding this option?
>
> ~J
>
If the user is enabled for OTP, his credentials are sent differently than
in the case when it is not enabled. Effectively, instead of using an
encrypted timestamp, the password and OTP are sent to the server as data.
But they can't be sent in clear. You need to encrypt the data. To
encrypt it you need another key - the host key. The encryption of the
data in this context is called tunneling. FAST is the Kerberos protocol
feature to provide tunneling of the data sent over the wire. To use FAST
one needs to use -T on the kinit command line.
Does this help?

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
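As an added illustration of the two-step sequence Dmitri describes (not code from anyone in this thread): the client first obtains a ticket for its own host principal from its keytab, and that credential cache becomes the FAST armor that `kinit -T` uses to encrypt the password plus OTP on the way to the KDC. The wrapper function `otp_kinit`, the default keytab path `/etc/krb5.keytab` and the `DRY_RUN` switch are assumptions of this example; it relies on `kinit -k` defaulting to the host principal of an enrolled client.

```shell
#!/bin/sh
# Added example: kinit as an OTP-enabled user over FAST.
# Assumes an enrolled client whose /etc/krb5.keytab holds the host
# principal, and an MIT kinit new enough for OTP (CentOS/RHEL 7.1 in the
# thread; a 6.x client lacks this support, which is the failure Janelle saw).

# otp_kinit USER [KEYTAB] [ARMOR_CCACHE]
# With DRY_RUN=1 the commands are printed instead of executed.
otp_kinit() {
    user="$1"
    keytab="${2:-/etc/krb5.keytab}"
    armor="${3:-/tmp/armor_ccache_$$}"   # separate ccache so it never clobbers the user's

    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'kinit -k -t %s -c %s\n' "$keytab" "$armor"
        printf 'kinit -T %s %s\n' "$armor" "$user"
        return 0
    fi

    # Step 1: get a TGT for the host principal (the "host key" Dmitri
    # mentions) into its own credential cache. Without -T, a plain
    # "kinit usera" has no armor and fails with the generic
    # preauthentication error from the original message.
    kinit -k -t "$keytab" -c "$armor" || return 1

    # Step 2: -T names that cache as the FAST armor; kinit then tunnels
    # the password and OTP to the KDC inside the armored exchange.
    kinit -T "$armor" "$user"
    rc=$?

    # The armor ticket is only needed for the exchange; drop it afterwards.
    kdestroy -c "$armor" >/dev/null 2>&1
    return $rc
}

# Usage: ./otp_kinit.sh usera          (prompts for password and OTP)
#        DRY_RUN=1 ./otp_kinit.sh usera (show the commands only)
if [ $# -gt 0 ]; then
    otp_kinit "$@"
fi
```

The armor cache is kept apart from the user's default cache on purpose: step 1 must not overwrite the ticket the user is trying to obtain, and destroying it afterwards leaves no host credential lying around in the user's session.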
