[Freeipa-users] interesting Kerberos issue

Alexander Bokovoy abokovoy at redhat.com
Mon May 18 14:18:15 UTC 2015


On Mon, 18 May 2015, Nathaniel McCallum wrote:
>On Mon, 2015-05-18 at 17:03 +0300, Alexander Bokovoy wrote:
>> On Mon, 18 May 2015, Janelle wrote:
>> > On 5/10/15 11:57 PM, Alexander Bokovoy wrote:
>> > > On Sun, 10 May 2015, Janelle wrote:
>> > > > On 5/5/15 6:47 AM, Dmitri Pal wrote:
>> > > > > On 05/04/2015 09:38 PM, Janelle wrote:
>> > > > > > On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
>> > > > > > > On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
>> > > > > > > > Happy Star Wars Day!
>> > > > > > > > May the Fourth be with you!
>> > > > > > > >
>> > > > > > > > So I have a strange Kerberos problem trying to figure
>> > > > > > > > out. On a
>> > > > > > > > CLIENT,  (CentOS 7.1) if I login to account "usera"
>> > > > > > > > they get a
>> > > > > > > > ticket as
>> > > > > > > > expected.  However, if I login to a 6.6 client, it
>> > > > > > > > doesn't seem to
>> > > > > > > > work.
>> > > > > > > > Both were enrolled the same, obviously one is newer.
>> > > > > > > >
>> > > > > > > > Now, it gets stranger. The "servers" are CentOS 7.1
>> > > > > > > > also. If I login
>> > > > > > > > as
>> > > > > > > > root, bypassing kerberos, and then do "kinit admin" it
>> > > > > > > > works just
>> > > > > > > > fine.
>> > > > > > > > But if I do "kinit usera" I get:
>> > > > > > > >
>> > > > > > > > kinit: Generic preauthentication failure while getting
>> > > > > > > > initial
>> > > > > > > > credentials
>> > > > > > > >
>> > > > > > > > Which makes no sense. The account works with a 7.1
>> > > > > > > > client but not a
>> > > > > > > > 6.x
>> > > > > > > > client?? And yet "admin" works, no matter what. What am
>> > > > > > > > I missing
>> > > > > > > > here?
>> > > > > > > If I had to guess, usera is enabled for OTP-only login. Is that
>> > > > > > > correct?
>> > > > > > >
>> > > > > > > If so, clients require RHEL 7.1 for OTP support. Also, the error
>> > > > > > > you are getting is the result of not enabling FAST support for
>> > > > > > > OTP authentication (see the -T option).
>> > > > > > >
>> > > > > > > Nathaniel
>> > > > > > Ok, this did give me an idea (Thanks Nathaniel) -- the account was
>> > > > > > set for BOTH "password" and OTP. Apparently setting both does
>> > > > > > nothing. Yes a user can log in with their password only, but trying
>> > > > > > to use kinit does not work.
>> > > > > >
>> > > > > > I am not sure I understand where the FAST support or the -T option
>> > > > > > is to be applied. On kinit? That does not seem correct. Perhaps I
>> > > > > > am misunderstanding this option?
>> > > > > >
>> > > > > > ~J
>> > > > > >
>> > > > > If the user is enabled for OTP his credentials are sent differently
>> > > > > than in the case when it is not enabled. Effectively, instead of
>> > > > > using an encrypted timestamp, the password and OTP are sent to the
>> > > > > server as data. But they can't be sent in clear. You need to encrypt
>> > > > > the data. To encrypt it you need another key - the host key. The
>> > > > > encryption of the data in this context is called tunneling. FAST is
>> > > > > the Kerberos protocol feature to provide tunneling of the data sent
>> > > > > over the wire. To use FAST one needs to use -T on the kinit command
>> > > > > line.
>> > > > > Does this help?
>> > > > >
>> > > > It helps -- thank you.
>> > > >
>> > > > Now allow me to add a little more fun, and there may not be a solution.
>> > > > From OS X (Yosemite) I am able to "kinit --kdc-hostname=IPA-server
>> > > > principal" and it works, gives me a ticket, and if I attempt to log in
>> > > > to the web interface, since I already have my ticket - boom, works
>> > > > fine.
>> > > >
>> > > > Now, I enable 2FA and set up a token and change my account to OTP (with
>> > > > TOTP). But as previously discussed, I can't seem to specify a -T option
>> > > > from OS X.
>> > > >
>> > > > I know this sounds tricky -- Any ideas?
>> > > Use kinit --fast-armor-cache /path/to/ccache to specify an already
>> > > existing ccache to armor the FAST processing.
>> > >
>> > > This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
>> > > You can check the version number by running 'kinit --version'.
>> > Aha, so the default on OS X Yosemite is
>> >
>> > $ kinit --version
>> > kinit (Heimdal 1.5.1apple1)
>> >
>> > so this won't work?
>> Yes, you have to have the feature in your Kerberos library.
>
>Browsing the Heimdal source code, I don't even see any support for OTP
>at all. :(
The support is since 1.6rc2, it uses the Richards' draft
(draft-richards-otp-kerberos-01.txt) as a base and handles preauth but I
don't think anything but login and ftpd supports passing the OTP token.
-- 
/ Alexander Bokovoy
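An added example, not code from this thread or from FreeIPA or Heimdal, that puts the advice above into a small POSIX shell script: it reads 'kinit --version' to decide between MIT's -T and Heimdal's --fast-armor-cache (refusing a Heimdal older than 1.6, such as the 1.5.1apple1 build on Yosemite), and on an MIT client fetches the host ticket from the keytab to serve as the armor, i.e. the "host key" Dmitri describes. Assumed, not from the page: that a non-Heimdal 'kinit --version' output never contains the word Heimdal and is treated as MIT; the keytab path /etc/krb5.keytab holding a host/FQDN key; 'hostname -f' for the enrolled FQDN; and the armor ccache path the caller chooses. The version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or Heimdal): choose the FAST
# armor option the local kinit understands, then run an armored kinit for an
# OTP-enabled user.
# Assumptions: MIT kinit does not print "Heimdal" for --version; the host
# keytab is /etc/krb5.keytab with a host/<fqdn> key; `hostname -f` returns
# the enrolled FQDN; the armor ccache path is supplied by the caller.

# fast_armor_flag "<kinit --version output>"
# Prints "--fast-armor-cache" for Heimdal >= 1.6 and "-T" for anything else
# (assumed MIT). Prints nothing and returns 1 for an older Heimdal, e.g.
# "kinit (Heimdal 1.5.1apple1)" (constructed sample, as seen in the thread).
fast_armor_flag() {
    case "$1" in
        *Heimdal*)
            # Extract major and minor: "1.5.1apple1" -> "1 5", "1.6rc2" -> "1 6".
            ver=$(printf '%s\n' "$1" | sed -n 's/.*Heimdal \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
            set -- $ver
            major=${1:-0}
            minor=${2:-0}
            if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 6 ]; }; then
                printf '%s\n' "--fast-armor-cache"
            else
                return 1
            fi
            ;;
        *)
            printf '%s\n' "-T"
            ;;
    esac
}

# armor_ccache_from_keytab <ccache>
# MIT only: obtain a ticket for the host principal from the keytab into
# <ccache>; that ticket is what FAST uses to tunnel the password+OTP.
armor_ccache_from_keytab() {
    kinit -k -t /etc/krb5.keytab -c "$1" "host/$(hostname -f)"
}

# armored_kinit <principal> <armor-ccache>
# Runs kinit for an OTP-enabled principal with FAST armored by <armor-ccache>.
armored_kinit() {
    principal=$1
    armor=$2
    flag=$(fast_armor_flag "$(kinit --version 2>&1)") || {
        echo "this kinit cannot armor with FAST; Heimdal 1.6rc2 or later is needed" >&2
        return 1
    }
    case "$flag" in
        -T) kinit -T "$armor" "$principal" ;;
        *)  kinit --fast-armor-cache="$armor" "$principal" ;;
    esac
}

# Usage, as root on an enrolled MIT client (assumed ccache path /tmp/armor):
#   armor_ccache_from_keytab /tmp/armor && armored_kinit usera /tmp/armor
# On Heimdal, pass a ccache you already hold (e.g. from a non-OTP kinit) as
# the second argument instead of calling armor_ccache_from_keytab.
```

The version check is deliberately conservative: an unparsable Heimdal string falls through to "unsupported" rather than guessing, and the Heimdal branch uses the --option=value form because the thread only shows the space-separated spelling.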