[Freeipa-users] interesting Kerberos issue
Janelle
janellenicole80 at gmail.com
Mon May 18 13:39:02 UTC 2015
On 5/10/15 11:57 PM, Alexander Bokovoy wrote:
> On Sun, 10 May 2015, Janelle wrote:
>> On 5/5/15 6:47 AM, Dmitri Pal wrote:
>>> On 05/04/2015 09:38 PM, Janelle wrote:
>>>> On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
>>>>> On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>>>>>> Happy Star Wars Day!
>>>>>> May the Fourth be with you!
>>>>>>
>>>>>> So I have a strange Kerberos problem trying to figure out. On a
>>>>>> CLIENT, (CentOS 7.1) if I login to account "usera" they get a
>>>>>> ticket as
>>>>>> expected. However, if I login to a 6.6 client, it doesn't seem to
>>>>>> work.
>>>>>> Both were enrolled the same, obviously one is newer.
>>>>>>
>>>>>> Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
>>>>>> as
>>>>>> root, bypassing kerberos, and then do "kinit admin" it works just
>>>>>> fine.
>>>>>> But if I do "kinit usera" I get:
>>>>>>
>>>>>> kinit: Generic preauthentication failure while getting initial
>>>>>> credentials
>>>>>>
>>>>>> Which makes no sense. The account works with a 7.1 client but not a
>>>>>> 6.x
>>>>>> client?? And yet "admin" works, no matter what. What am I missing
>>>>>> here?
>>>>> If I had to guess, usera is enabled for OTP-only login. Is that
>>>>> correct?
>>>>>
>>>>> If so, clients require RHEL 7.1 for OTP support. Also, the error you
>>>>> are getting is the result of not enabling FAST support for OTP
>>>>> authentication (see the -T option).
>>>>>
>>>>> Nathaniel
>>>> Ok, this did give me an idea (Thanks Nathaniel) -- the account was
>>>> set for BOTH "password" and OTP.
>>>> Apparently setting both does nothing. Yes, a user can log in with
>>>> their password only, but trying to use kinit does not work.
>>>>
>>>> I am not sure I understand where the FAST support or the -T option
>>>> is to be applied. On kinit? That does not seem correct. Perhaps I
>>>> am misunderstanding this option?
>>>>
>>>> ~J
>>>>
>>> If the user is enabled for OTP his credentials are sent differently
>>> than in the case when it is not enabled. Effectively instead of
>>> using encrypted timestamp the password and OTP are sent to the
>>> server as data. But they can't be sent in clear. You need to encrypt
>>> the data. To encrypt it you need another key - the host key. The
>>> encryption of the data in this context is called tunneling. FAST is
>>> the Kerberos protocol feature to provide tunneling of the data sent
>>> over the wire. To use FAST one needs to use -T on the kinit command
>>> line.
>>> Does this help?
>>>
>> It helps -- thank you.
>>
>> Now allow me to add a little more fun, and there may not be a solution.
>> From OS X (Yosemite) I am able to "kinit --kdc-hostname=IPA-server
>> principal" and it works, gives me a ticket, and if I attempt to login
>> to the web interface, since I already have my ticket - boom, works fine.
>>
>> Now, I enable 2FA and setup a token and change my account to OTP
>> (with TOTP). But as previously discussed, can't seem to specify a -T
>> option from OS X.
>>
>> I know this sounds tricky -- Any ideas?
> Use
> kinit --fast-armor-cache /path/to/ccache to specify already existing
> ccache to armor the FAST processing.
>
> This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
> You can check version number by running 'kinit --version'.
Aha, so the default on OS X Yosemite is
$ kinit --version
kinit (Heimdal 1.5.1apple1)
so this won't work?
~J
PS - sorry for the questions, still trying to wrap my head around how to
get OTP working from a term session so you can get your ticket and then
login to all the hosts you need without reauthenticating.
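A small helper, added here and not part of the thread, that applies the advice above: it checks the "kinit --version" banner against the Heimdal 1.6rc2 threshold Alexander mentions and prints the FAST-armored kinit invocation (MIT kinit with -T, Heimdal kinit with --fast-armor-cache). Assumptions: any banner that does not name Heimdal is treated as MIT kinit; the principal and armor cache path are placeholders; the armor cache must already hold a host ticket obtained from the host keytab.

```shell
#!/bin/sh
# Added example (not from the thread). Decide how to request a FAST-armored
# TGT for an OTP-enabled user, based on the kinit build in use.
# The armor ccache is assumed to already hold a host ticket, e.g. obtained
# as root with MIT kinit: kinit -k -t /etc/krb5.keytab -c /tmp/armor host/FQDN

# heimdal_fast_ok "<kinit --version banner>"
# Returns 0 if the banner names Heimdal 1.6rc2 or newer, 1 otherwise.
heimdal_fast_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Heimdal \([0-9][0-9.a-z]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}                                   # "1" from "1.5.1apple1"
    rest=${ver#*.}                                     # "5.1apple1"
    minor=$(printf '%s\n' "$rest" | sed 's/[^0-9].*//')   # "5"
    suffix=$(printf '%s\n' "$rest" | sed 's/^[0-9]*//')   # ".1apple1" or "rc2"
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 6 ] && return 0
    [ "$minor" -lt 6 ] && return 1
    # Exactly 1.6: only release candidates below rc2 are too old.
    case $suffix in
        rc*) rc=$(printf '%s\n' "${suffix#rc}" | sed 's/[^0-9].*//')
             [ "${rc:-0}" -ge 2 ] ;;
        *)   return 0 ;;
    esac
}

# fast_kinit_cmd "<banner>" <principal> <armor-ccache>
# Prints the kinit command that tunnels the OTP exchange inside FAST.
fast_kinit_cmd() {
    banner=$1; princ=$2; armor=$3
    case $banner in
        *Heimdal*)
            if heimdal_fast_ok "$banner"; then
                printf 'kinit --fast-armor-cache %s %s\n' "$armor" "$princ"
            else
                printf 'Heimdal older than 1.6rc2 has no FAST armor option\n' >&2
                return 1
            fi ;;
        *)  # assumed to be MIT kinit, which takes -T <armor ccache>
            printf 'kinit -T %s %s\n' "$armor" "$princ" ;;
    esac
}

# Example run with the Yosemite banner from the thread (placeholder values):
fast_kinit_cmd 'kinit (Heimdal 1.5.1apple1)' usera /tmp/armor
```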