[Freeipa-users] interesting Kerberos issue

Alexander Bokovoy abokovoy at redhat.com
Mon May 11 06:57:59 UTC 2015


On Sun, 10 May 2015, Janelle wrote:
>On 5/5/15 6:47 AM, Dmitri Pal wrote:
>>On 05/04/2015 09:38 PM, Janelle wrote:
>>>On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
>>>>On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>>>>>Happy Star Wars Day!
>>>>>May the Fourth be with you!
>>>>>
>>>>>So I have a strange Kerberos problem trying to figure out. On a
>>>>>CLIENT, (CentOS 7.1) if I login to account "usera" they get a
>>>>>ticket as
>>>>>expected.  However, if I login to a 6.6 client, it doesn't seem to
>>>>>work.
>>>>>Both were enrolled the same, obviously one is newer.
>>>>>
>>>>>Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
>>>>>as
>>>>>root, bypassing kerberos, and then do "kinit admin" it works just
>>>>>fine.
>>>>>But if I do "kinit usera" I get:
>>>>>
>>>>>kinit: Generic preauthentication failure while getting initial
>>>>>credentials
>>>>>
>>>>>Which makes no sense. The account works with a 7.1 client but not a
>>>>>6.x
>>>>>client?? And yet "admin" works, no matter what. What am I missing
>>>>>here?
>>>>If I had to guess, usera is enabled for OTP-only login. Is that
>>>>correct?
>>>>
>>>>If so, clients require RHEL 7.1 for OTP support. Also, the error you
>>>>are getting is the result of not enabling FAST support for OTP
>>>>authentication (see the -T option).
>>>>
>>>>Nathaniel
>>>Ok, this did give me an idea (Thanks Nathaniel) -- the account 
>>>was set for BOTH "password" and OTP.
>>>Apparently setting both does nothing. Yes a user can login with 
>>>their password-only, but trying to use kinit does not work.
>>>
>>>I am not sure I understand where the FAST support or the -T option 
>>>is to be applied. On kinit? That does not seem correct. Perhaps I 
>>>am misunderstanding this option?
>>>
>>>~J
>>>
>>If the user is enabled for OTP his credentials are sent differently 
>>than in the case when it is not enabled. Effectively instead of 
>>using encrypted timestamp the password and OTP are sent to the 
>>server as data. But they can't be sent in clear. You need to encrypt 
>>the data. To encrypt it you need another key - the host key. The 
>>encryption of the data in this context is called tunneling. FAST is 
>>the Kerberos protocol feature to provide tunneling of the data sent 
>>over the wire. To use FAST one needs to use -T on the kinit command 
>>line.
>>Does this help?
>>
>It helps -- thank you.
>
>Now allow me to add a little more fun, and there may not be a 
>solution.
>>From OS X (Yosemite) I am able to "kinit --kdc-hostname=IPA-server
>principal" and it works, gives me a ticket, and if I attempt to login 
>to the web interface, since I already have my ticket - boom, works 
>fine.
>
>Now, I enable 2FA and setup a token and change my account to OTP (with 
>TOTP).  But as previously discussed, can't seem to specify a -T option 
>from OS X.
>
>I know this sounds tricky -- Any ideas?
Use
  kinit --fast-armor-cache /path/to/ccache
to specify an already existing ccache to armor the FAST processing.

This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
You can check version number by running 'kinit --version'.
-- 
/ Alexander Bokovoy
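Putting Dmitri's explanation and Alexander's flag together, here is an added shell example (not from the thread, and not FreeIPA's own code) that builds an armor ccache from the host keytab and then runs the OTP user's kinit through FAST with whichever flag the local kinit understands. The "kinit --version" output strings it matches on, the scratch ccache path and the helper names are assumptions.

```shell
# Added example, not from the thread: armor an OTP user's kinit with FAST,
# choosing the flag the local kinit understands (MIT -T, Heimdal
# --fast-armor-cache) and refusing Heimdal older than 1.6 (1.6rc2 passes).
# Assumed, not taken from the thread: "kinit --version" prints a line that
# contains "Kerberos 5" on MIT and "Heimdal X.Y" on Heimdal.

# Print the armor flag for one "kinit --version" output line; fail if unknown.
fast_armor_flag() {
    case "$1" in
        *Heimdal*)       printf '%s\n' '--fast-armor-cache' ;;
        *"Kerberos 5"*)  printf '%s\n' '-T' ;;
        *)               return 1 ;;
    esac
}

# Succeed when the Heimdal version in the line is 1.6 or newer.
# "rc2" is ignored on purpose: 1.6rc2 is the minimum the reply names.
heimdal_supports_fast_armor() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Heimdal \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 6 ]; }
}

# Get a ticket for $1 (an OTP-enabled principal) through FAST.
# The armor ccache is filled from the host key in $2 (default
# /etc/krb5.keytab), i.e. "another key - the host key" from the thread;
# any ccache that already holds a valid TGT would do as well.
kinit_with_fast() {
    princ=$1
    keytab=${2:-/etc/krb5.keytab}
    armor="${TMPDIR:-/tmp}/armor_ccache.$$"     # hypothetical scratch path
    version=$(kinit --version 2>&1 | head -n 1)
    flag=$(fast_armor_flag "$version") || { echo "unrecognised kinit" >&2; return 1; }
    if [ "$flag" = "--fast-armor-cache" ]; then
        heimdal_supports_fast_armor "$version" ||
            { echo "Heimdal 1.6rc2 or newer is required for FAST armor" >&2; return 1; }
        # Heimdal: -t takes the key from the keytab instead of asking for a password
        kinit -c "$armor" -t "$keytab" "host/$(hostname -f)" || return 1
    else
        # MIT: -k with no principal defaults to the host principal in the keytab
        kinit -c "$armor" -k -t "$keytab" || return 1
    fi
    kinit "$flag" "$armor" "$princ"     # password + OTP now travel inside the FAST tunnel
}
```

Call it as "kinit_with_fast usera" on a host enrolled in the realm; on OS X the keytab argument can be replaced by any existing ccache path assigned to the armor variable.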
