[Freeipa-users] interesting Kerberos issue

Janelle janellenicole80 at gmail.com
Mon May 18 13:39:02 UTC 2015


On 5/10/15 11:57 PM, Alexander Bokovoy wrote:
> On Sun, 10 May 2015, Janelle wrote:
>> On 5/5/15 6:47 AM, Dmitri Pal wrote:
>>> On 05/04/2015 09:38 PM, Janelle wrote:
>>>> On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
>>>>> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>>>>>> Happy Star Wars Day!
>>>>>> May the Fourth be with you!
>>>>>>
>>>>>> So I have a strange Kerberos problem trying to figure out. On a
>>>>>> CLIENT, (CentOS 7.1) if I login to account "usera" they get a
>>>>>> ticket as
>>>>>> expected.  However, if I login to a 6.6 client, it doesn't seem to
>>>>>> work.
>>>>>> Both were enrolled the same, obviously one is newer.
>>>>>>
>>>>>> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
>>>>>> as
>>>>>> root, bypassing kerberos, and then do "kinit admin" it works just
>>>>>> fine.
>>>>>> But if I do "kinit usera" I get:
>>>>>>
>>>>>> kinit: Generic preauthentication failure while getting initial
>>>>>> credentials
>>>>>>
>>>>>> Which makes no sense. The account works with a 7.1 client but not a
>>>>>> 6.x
>>>>>> client?? And yet "admin" works, no matter what. What am I missing
>>>>>> here?
>>>>> If I had to guess, usera is enabled for OTP-only login. Is that
>>>>> correct?
>>>>>
>>>>> If so, clients require RHEL 7.1 for OTP support. Also, the error you
>>>>> are getting is the result of not enabling FAST support for OTP
>>>>> authentication (see the -T option).
>>>>>
>>>>> Nathaniel
>>>> Ok, this did give me an idea (Thanks Nathaniel) -- the account was 
>>>> set for BOTH "password" and OTP.
>>>> Apparently setting both does nothing. Yes a user can login with 
>>>> their password-only, but trying to use kinit does not work.
>>>>
>>>> I am not sure I understand where the FAST support or the -T option 
>>>> is to be applied. On kinit? That does not seem correct. Perhaps I 
>>>> am misunderstanding this option?
>>>>
>>>> ~J
>>>>
>>> If the user is enabled for OTP his credentials are sent differently 
>>> than in the case when it is not enabled. Effectively instead of 
>>> using encrypted timestamp the password and OTP are sent to the 
>>> server as data. But they can't be sent in clear. You need to encrypt 
>>> the data. To encrypt it you need another key - the host key. The 
>>> encryption of the data in this context is called tunneling. FAST is 
>>> the Kerberos protocol feature to provide tunneling of the data sent 
>>> over the wire. To use FAST one needs to use -T on the kinit command 
>>> line.
>>> Does this help?
>>>
>> It helps -- thank you.
>>
>> Now allow me to add a little more fun, and there may not be a solution.
>> From OS X (Yosemite) I am able to "kinit --kdc-hostname=IPA-server
>> principal" and it works, gives me a ticket, and if I attempt to login 
>> to the web interface, since I already have my ticket - boom, works fine.
>>
>> Now, I enable 2FA and setup a token and change my account to OTP 
>> (with TOTP).  But as previously discussed, can't seem to specify a -T 
>> option from OS X.
>>
>> I know this sounds tricky -- Any ideas?
> Use
>  kinit --fast-armor-cache /path/to/ccache to specify already existing 
> ccache to armor the FAST processing.
>
> This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
> You can check version number by running 'kinit --version'.
Aha, so the default on OS X Yosemite is

$ kinit --version
kinit (Heimdal 1.5.1apple1)

so this won't work?

~J

PS - sorry for the questions, still trying to wrap my head around how to 
get OTP working from a term session so you can get your ticket and then 
login to all the hosts you need without reauthenticating.
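As an added example that is not part of the thread (and not FreeIPA project code): a small POSIX sh script that picks whichever FAST armor option the installed kinit supports, fills an armor credential cache from the host keytab, and then requests the OTP user's ticket through FAST. Instead of parsing version strings it looks for the option in the kinit usage text, which is the check that actually answers "will this kinit work?". The cache path, keytab path, host principal and the abbreviated usage strings are assumptions or constructed samples; the kinit options used are the ones named in the thread (`-T`, `--fast-armor-cache`) plus the ordinary keytab and cache selectors.

```shell
#!/bin/sh
# Added example, not from the thread. Get a FAST-armored TGT for an
# OTP-enabled IPA user from a terminal, choosing the armor option that the
# installed kinit actually supports:
#   MIT kinit (CentOS 7.1 clients):   kinit -T <armor ccache> <user>
#   Heimdal kinit 1.6rc2 and later:   kinit --fast-armor-cache=<ccache> <user>
#   Heimdal 1.5.1apple1 (Yosemite):   neither option is present; cannot armor
# Paths, the host principal and the sample usage strings are assumptions.

ARMOR_CC="${ARMOR_CC:-/tmp/krb5cc_armor_$$}"     # assumed armor cache path
HOST_KEYTAB="${HOST_KEYTAB:-/etc/krb5.keytab}"   # assumed host keytab path

# Usage text of the installed kinit. MIT kinit answers --help with a usage
# message on stderr and a non-zero status, so both are folded in here.
kinit_usage() { kinit --help 2>&1 || true; }

# armor_flag "<usage text>" -> prints the FAST armor option, or fails when the
# usage text names none (the Heimdal 1.5.1 case from the thread).
armor_flag() {
    case "$1" in
        *--fast-armor-cache*) echo '--fast-armor-cache' ;;   # Heimdal >= 1.6rc2
        *"-T "*)              echo '-T' ;;                   # MIT: -T ticket_armor_cache
        *)                    return 1 ;;
    esac
}

# build_kinit_cmd "<usage text>" <principal> <armor ccache> -> prints the
# command line that requests the user's TGT inside a FAST tunnel armored
# with the credentials held in <armor ccache>.
build_kinit_cmd() {
    flag=$(armor_flag "$1") || return 1
    case "$flag" in
        --fast-armor-cache) printf 'kinit --fast-armor-cache=%s %s\n' "$3" "$2" ;;
        -T)                 printf 'kinit -T %s %s\n' "$3" "$2" ;;
    esac
}

# Fill the armor cache with the host's own credentials from its keytab. Needs
# read access to the keytab (root); the host/ principal name is an assumption.
get_armor_ccache() {
    kinit -t "$HOST_KEYTAB" -c "$ARMOR_CC" "host/$(hostname -f)"
}

# Constructed, abbreviated usage texts standing in for real `kinit --help`
# output; they are not verbatim copies of either implementation.
MIT_USAGE='Usage: kinit [-V] [-l lifetime] [-c cachename] [-T ticket_armor_cache] [principal]'
HEIMDAL_NEW_USAGE='Usage: kinit [--fast-armor-cache=cache] [-c cache|--cache=cache] [principal]'
HEIMDAL_OLD_USAGE='Usage: kinit [-c cache|--cache=cache] [-t file|--keytab=file] [principal]'

# Driver: `sh fast_kinit.sh usera` on a host with kinit installed. With no
# argument only the functions above are defined, so the file can be sourced.
if [ -n "${1:-}" ] && command -v kinit >/dev/null 2>&1; then
    cmd=$(build_kinit_cmd "$(kinit_usage)" "$1" "$ARMOR_CC") || {
        echo "this kinit has no FAST armor option; upgrade Heimdal (>= 1.6rc2) or use an MIT client" >&2
        exit 1
    }
    get_armor_ccache
    echo "+ $cmd"
    eval "$cmd" && klist
fi
```

On the CentOS 7.1 clients this resolves to `kinit -T`; against the Yosemite Heimdal 1.5.1 usage text it reports that no armor option exists, which is the same conclusion as the 1.6rc2 floor given above. The armor cache has to be filled before the user's kinit runs, because FAST wraps the OTP exchange in credentials that already exist (here the host's), and the resulting user ticket then lands in the default cache as usual, so `klist` shows it and subsequent host logins need no further OTP.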



