[Freeipa-users] interesting Kerberos issue

Alexander Bokovoy abokovoy at redhat.com
Mon May 18 14:03:18 UTC 2015


On Mon, 18 May 2015, Janelle wrote:
>On 5/10/15 11:57 PM, Alexander Bokovoy wrote:
>>On Sun, 10 May 2015, Janelle wrote:
>>>On 5/5/15 6:47 AM, Dmitri Pal wrote:
>>>>On 05/04/2015 09:38 PM, Janelle wrote:
>>>>>On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
>>>>>>On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>>>>>>>Happy Star Wars Day!
>>>>>>>May the Fourth be with you!
>>>>>>>
>>>>>>>So I have a strange Kerberos problem trying to figure out. On a
>>>>>>>CLIENT, (CentOS 7.1) if I login to account "usera" they get a
>>>>>>>ticket as
>>>>>>>expected.  However, if I login to a 6.6 client, it doesn't seem to
>>>>>>>work.
>>>>>>>Both were enrolled the same, obviously one is newer.
>>>>>>>
>>>>>>>Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
>>>>>>>as
>>>>>>>root, bypassing kerberos, and then do "kinit admin" it works just
>>>>>>>fine.
>>>>>>>But if I do "kinit usera" I get:
>>>>>>>
>>>>>>>kinit: Generic preauthentication failure while getting initial
>>>>>>>credentials
>>>>>>>
>>>>>>>Which makes no sense. The account works with a 7.1 client but not a
>>>>>>>6.x
>>>>>>>client?? And yet "admin" works, no matter what. What am I missing
>>>>>>>here?
>>>>>>If I had to guess, usera is enabled for OTP-only login. Is that
>>>>>>correct?
>>>>>>
>>>>>>If so, clients require RHEL 7.1 for OTP support. Also, the error you
>>>>>>are getting is the result of not enabling FAST support for OTP
>>>>>>authentication (see the -T option).
>>>>>>
>>>>>>Nathaniel
>>>>>Ok, this did give me an idea (Thanks Nathaniel) -- the 
>>>>>account was set for BOTH "password" and OTP.
>>>>>Apparently setting both does nothing. Yes a user can login 
>>>>>with their password-only, but trying to use kinit does not 
>>>>>work.
>>>>>
>>>>>I am not sure I understand where the FAST support or the -T 
>>>>>option is to be applied. On kinit? That does not seem correct. 
>>>>>Perhaps I am misunderstanding this option?
>>>>>
>>>>>~J
>>>>>
>>>>If the user is enabled for OTP his credentials are sent 
>>>>differently than in the case when it is not enabled. Effectively 
>>>>instead of using encrypted timestamp the password and OTP are 
>>>>sent to the server as data. But they can't be sent in clear. You 
>>>>need to encrypt the data. To encrypt it you need another key - 
>>>>the host key. The encryption of the data in this context is 
>>>>called tunneling. FAST is the Kerberos protocol feature to 
>>>>provide tunneling of the data sent over the wire. To use FAST 
>>>>one needs to use -T on the kinit command line.
>>>>Does this help?
>>>>
>>>It helps -- thank you.
>>>
>>>Now allow me to add a little more fun, and there may not be a solution.
>>>From OS X (Yosemite) I am able to "kinit --kdc-hostname=IPA-server
>>>principal" and it works, gives me a ticket, and if I attempt to 
>>>login to the web interface, since I already have my ticket - boom, 
>>>works fine.
>>>
>>>Now, I enable 2FA and setup a token and change my account to OTP 
>>>(with TOTP).  But as previously discussed, can't seem to specify a 
>>>-T option from OS X.
>>>
>>>I know this sounds tricky -- Any ideas?
>>Use
>> kinit --fast-armor-cache /path/to/ccache to specify already 
>>existing ccache to armor the FAST processing.
>>
>>This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
>>You can check version number by running 'kinit --version'.
>Aha, so the default on OS X Yosemite is
>
>$ kinit --version
>kinit (Heimdal 1.5.1apple1)
>
>so this won't work?
Yes, you have to have the feature in your Kerberos library.

-- 
/ Alexander Bokovoy
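Putting the advice in this thread together, here is an added shell example (not from the thread, FreeIPA or either Kerberos project) that picks the FAST-armor form of kinit from the `kinit --version` output and runs the armored kinit for an OTP-enabled user. It assumes an IPA-enrolled client with /etc/krb5.keytab, that any non-Heimdal kinit is MIT krb5 (whose kinit has no --version flag and just prints usage), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: FAST-armored kinit for an OTP-enabled IPA user.
# The armor is the host's own TGT, obtained from /etc/krb5.keytab into a
# separate cache, which is what the thread describes as "tunneling".

# Classify a "kinit --version" line: "heimdal" (>= 1.6, has --fast-armor-cache),
# "unsupported" (older Heimdal such as 1.5.1apple1) or "mit" (assumed otherwise).
fast_flavor() {
    version_line=$1
    case $version_line in
        *Heimdal*)
            v=${version_line#*Heimdal }      # e.g. "1.5.1apple1)"
            major=${v%%.*}
            rest=${v#*.}
            minor=${rest%%[!0-9]*}
            minor=${minor:-0}
            if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 6 ]; }; then
                echo heimdal
            else
                echo unsupported
            fi
            ;;
        *) echo mit ;;   # assumption: MIT kinit rejects --version and prints usage
    esac
}

# Print the armored kinit command line for a flavor; fails for unsupported.
fast_kinit_args() {
    flavor=$1; armor=$2; principal=$3
    case $flavor in
        mit)     echo "kinit -T $armor $principal" ;;
        heimdal) echo "kinit --fast-armor-cache=$armor $principal" ;;
        *)       return 1 ;;
    esac
}

# 1) host TGT from the keytab into its own cache (usually needs root),
# 2) user kinit armored with that cache.
main() {
    principal=${1:?usage: $0 user@REALM}
    armor=/tmp/krb5cc_armor_$$
    flavor=$(fast_flavor "$(kinit --version 2>&1 | head -n 1)")
    [ "$flavor" = unsupported ] && { echo "Heimdal too old for FAST armor" >&2; exit 1; }
    host="host/$(hostname -f)"
    if [ "$flavor" = mit ]; then
        kinit -k -t /etc/krb5.keytab -c "$armor" "$host" || exit 1
    else
        kinit --keytab=/etc/krb5.keytab --cache="$armor" "$host" || exit 1
    fi
    sh -c "$(fast_kinit_args "$flavor" "$armor" "$principal")"
}

[ "$#" -gt 0 ] && main "$@"
```

Invoke as `sh fast-kinit.sh usera@EXAMPLE.COM`; kinit will then prompt for the password and OTP token value.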
