[Freeipa-users] interesting Kerberos issue

Janelle janellenicole80 at gmail.com
Mon May 11 00:44:42 UTC 2015


On 5/5/15 6:47 AM, Dmitri Pal wrote:
> On 05/04/2015 09:38 PM, Janelle wrote:
>> On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
>>> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>>>> Happy Star Wars Day!
>>>> May the Fourth be with you!
>>>>
>>>> So I have a strange Kerberos problem trying to figure out. On a
>>>> CLIENT,  (CentOS 7.1) if I login to account "usera" they get a
>>>> ticket as
>>>> expected.  However, if I login to a 6.6 client, it doesn't seem to
>>>> work.
>>>> Both were enrolled the same, obviously one is newer.
>>>>
>>>> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
>>>> as
>>>> root, bypassing kerberos, and then do "kinit admin" it works just
>>>> fine.
>>>> But if I do "kinit usera" I get:
>>>>
>>>> kinit: Generic preauthentication failure while getting initial
>>>> credentials
>>>>
>>>> Which makes no sense. The account works with a 7.1 client but not a
>>>> 6.x
>>>> client?? And yet "admin" works, no matter what. What am I missing
>>>> here?
>>> If I had to guess, usera is enabled for OTP-only login. Is that
>>> correct?
>>>
>>> If so, clients require RHEL 7.1 for OTP support. Also, the error you
>>> are getting is the result of not enabling FAST support for OTP
>>> authentication (see the -T option).
>>>
>>> Nathaniel
>> Ok, this did give me an idea (Thanks Nathaniel)  -- the account was 
>> set for BOTH "password" and OTP.
>> Apparently setting both does nothing. Yes a user can login with their 
>> password-only, but trying to use kinit does not work.
>>
>> I am not sure I understand where the FAST support or the -T option is 
>> to be applied. On kinit? That does not seem correct. Perhaps I am 
>> misunderstanding this option?
>>
>> ~J
>>
> If the user is enabled for OTP his credentials are sent differently 
> than in the case when it is not enabled. Effectively, instead of using 
> an encrypted timestamp, the password and OTP are sent to the server as 
> data. But they can't be sent in clear. You need to encrypt the data. 
> To encrypt it you need another key - the host key. The encryption of 
> the data in this context is called tunneling. FAST is the Kerberos 
> protocol feature to provide tunneling of the data sent over the wire. 
> To use FAST one needs to use -T on the kinit command line.
> Does this help?
>
It helps -- thank you.

Now allow me to add a little more fun, and there may not be a solution.  
From OS X (Yosemite) I am able to "kinit --kdc-hostname=IPA-server 
principal" and it works, gives me a ticket, and if I attempt to login to 
the web interface, since I already have my ticket - boom, works fine.

Now, I enable 2FA and setup a token and change my account to OTP (with 
TOTP).  But as previously discussed, can't seem to specify a -T option 
from OS X.

I know this sounds tricky -- Any ideas?

Thank you
Janelle
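The two-step FAST procedure that Nathaniel and Dmitri describe, written out as an added example (not code from the thread or from FreeIPA itself): the client first obtains an armor ticket for its own host principal from its keytab, then runs the user's kinit inside the FAST tunnel with -T. It assumes an enrolled Linux client with MIT kinit (the Heimdal kinit on OS X has no -T); the keytab path, armor cache path and function names are assumptions.

```shell
#!/bin/sh
# Added example: FAST-armored kinit for an OTP-enabled FreeIPA user.
# Assumptions: MIT Kerberos client, enrolled host, readable /etc/krb5.keytab.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
ARMOR_CACHE="${ARMOR_CACHE:-/tmp/krb5cc_armor_$$}"

# The armor ticket belongs to the client's own host principal, whose key
# lives in the host keytab ("the host key" in Dmitri's reply).
armor_principal() {
    printf 'host/%s\n' "$(hostname -f 2>/dev/null || hostname)"
}

fast_kinit() {
    principal="$1"
    if [ ! -r "$KEYTAB" ]; then
        echo "keytab $KEYTAB not readable (are you root?)" >&2
        return 1
    fi
    # Step 1: a TGT for the host principal goes into a separate cache.
    # No user secret is typed here, so this step needs no FAST itself.
    kinit -k -t "$KEYTAB" -c "$ARMOR_CACHE" "$(armor_principal)" || return 1
    # Step 2: the user's kinit, tunnelled with FAST (-T names the armor cache).
    # OTP preauth sends password+token as data instead of an encrypted
    # timestamp, which the KDC only accepts inside the FAST tunnel; without
    # -T you get "Generic preauthentication failure".
    kinit -T "$ARMOR_CACHE" "$principal"
}

# Usage: FAST_PRINCIPAL=usera sh fast_kinit.sh
if [ -n "${FAST_PRINCIPAL:-}" ]; then
    fast_kinit "$FAST_PRINCIPAL"
fi
```

The armor cache only has to outlive the second kinit; the user's real credentials land in the default cache, not in the armor cache.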