[Freeipa-users] Ubuntu client 2FA not working

Sumit Bose sbose at redhat.com
Wed Feb 8 08:39:00 UTC 2017


On Mon, Feb 06, 2017 at 01:56:06PM +0000, Tommy Nikjoo wrote:
> Hi,
> 
> I'm having some issues with 2FA PAM configs on Ubuntu clients.
> Currently, I'm guessing that the PAM module doesn't know how to talk to
> the 2FA protocol.  Is anyone able to give an insight into how to get
> this working correctly?

In general you have to make sure that pam_sss is the PAM module which
does the conversation with the user, and not e.g. pam_unix, because
pam_unix will only ask for a password.

E.g. on Fedora/RHEL a general auth part of the PAM configuration might
look like:

auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

The pam_localuser module checks if the user trying to log in is a local
user, i.e. listed in /etc/passwd, and if it is a local user (success=ok)
the next module pam_unix is called. For non-local users the next module
is skipped (default=1) and after the uid check pam_sss is called, which now
can prompt the user according to the authentication methods available
for the user on the IPA server.

HTH

bye,
Sumit
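The stack above works because of how the control fields route each user through the modules. The following is an added example, not part of the thread and not FreeIPA or SSSD code: a toy evaluator of Linux-PAM control semantics that walks the quoted Fedora/RHEL stack, records which module actually talks to the user, and contrasts it with a constructed "password first" stack where pam_sss only gets `use_first_pass`. The user database, uids, prompt strings and module behaviours are simplified assumptions; real PAM is not called.

```python
"""Toy evaluator for PAM 'auth' stacks (added example, not from the thread).
It models the control-flag semantics that decide which module talks to the
user; module behaviours and prompt strings are simplified assumptions."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for /etc/passwd and the IPA server.
LOCAL_PASSWD = {"root": 0, "alice": 1000}             # name -> uid
IPA_USERS = {"bob": {"uid": 120001, "otp": True}}    # IPA user with a 2FA token

# Classic control keywords expanded to their bracket form (see pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def parse_control(control):
    """Map '[default=1 success=ok]' or a keyword to {retval: action}."""
    if control.startswith("["):
        return dict(item.split("=", 1) for item in control.strip("[]").split())
    return KEYWORDS[control]

@dataclass
class Trace:
    ran: list = field(default_factory=list)
    prompts: list = field(default_factory=list)   # which module talked to the user
    authtok: Optional[str] = None                 # password collected so far
    result: str = "unknown"

# --- simplified module behaviours (assumptions, not the real modules) -------
def pam_env(user, opts, t):
    return "success"

def pam_localuser(user, opts, t):
    return "success" if user in LOCAL_PASSWD else "user_unknown"

def pam_unix(user, opts, t):
    # try_first_pass/use_first_pass reuse an earlier password; else prompt.
    if not (("try_first_pass" in opts or "use_first_pass" in opts) and t.authtok):
        t.prompts.append("pam_unix: Password:")
        t.authtok = "<password typed by user>"
    return "success" if user in LOCAL_PASSWD else "user_unknown"

def pam_succeed_if(user, opts, t):
    uid = LOCAL_PASSWD.get(user, IPA_USERS.get(user, {}).get("uid", -1))
    return "success" if uid >= 1000 else "auth_err"

def pam_sss(user, opts, t):
    info = IPA_USERS.get(user)
    if info is None:
        return "user_unknown"
    if "use_first_pass" in opts and t.authtok:
        # Reuses the password pam_unix collected: no chance to ask for the OTP.
        return "auth_err" if info["otp"] else "success"
    t.prompts.append("pam_sss: First Factor:")      # assumed prompt text
    if info["otp"]:
        t.prompts.append("pam_sss: Second Factor:")
    t.authtok = "<password typed by user>"
    return "success"

def pam_deny(user, opts, t):
    return "perm_denied"

def run_stack(stack, user):
    """Walk an auth stack with Linux-PAM style control handling."""
    t, stack_err, final, i = Trace(), None, None, 0
    while i < len(stack):
        control, module, opts, fn = stack[i]
        i += 1
        ret = fn(user, opts, t)
        t.ran.append(module)
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action.isdigit():                 # skip the next N modules
            i += int(action)
        elif action == "ok":
            if stack_err is None:
                final = ret
        elif action == "done":
            if stack_err is None:
                t.result = ret
                return t
        elif action == "bad":
            stack_err = stack_err or ret
        elif action == "die":
            t.result = stack_err or ret
            return t
        # "ignore": contributes nothing to the result
    t.result = stack_err or final or "perm_denied"
    return t

# The Fedora/RHEL stack quoted in the reply above.
IPA_STACK = [
    ("required", "pam_env.so", "", pam_env),
    ("[default=1 success=ok]", "pam_localuser.so", "", pam_localuser),
    ("[success=done ignore=ignore default=die]", "pam_unix.so", "nullok try_first_pass", pam_unix),
    ("requisite", "pam_succeed_if.so", "uid >= 1000 quiet_success", pam_succeed_if),
    ("sufficient", "pam_sss.so", "forward_pass", pam_sss),
    ("required", "pam_deny.so", "", pam_deny),
]

# Constructed contrasting stack: pam_unix prompts everyone first and pam_sss
# only reuses that password, so an OTP user is never asked for the token.
PASSWORD_FIRST_STACK = [
    ("[success=2 default=ignore]", "pam_unix.so", "nullok", pam_unix),
    ("[success=1 default=ignore]", "pam_sss.so", "use_first_pass", pam_sss),
    ("requisite", "pam_deny.so", "", pam_deny),
    ("required", "pam_permit.so", "", pam_env),   # pam_permit modelled as always-success
]

if __name__ == "__main__":
    for name, stack in (("ipa", IPA_STACK), ("password-first", PASSWORD_FIRST_STACK)):
        for user in ("alice", "bob"):
            t = run_stack(stack, user)
            print(f"{name:15} {user:6} -> {t.result:12} prompts={t.prompts}")
```

Running it shows the point of the reply: in the IPA-style stack the local user only ever meets pam_unix, while the IPA user skips pam_unix entirely and pam_sss runs the conversation, so it can ask for both factors. In the password-first stack pam_unix asks everyone for a password and pam_sss, holding only that password, has no way to collect the second factor, so the 2FA user is denied.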

> 
> Thanks
> 
> 
> On 14/12/16 22:48, Fraser Tweedale wrote:
> > On Wed, Dec 14, 2016 at 05:35:35PM +0000, Tommy Nikjoo wrote:
> >> Hi,
> >>
> >> I'm trying to install FreeIPA on CentOS 7 using the yum package, but I
> >> keep getting an error when it tries to restart DogTag
> >>
> >>   [26/31]: restarting certificate server
> >> ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to restart
> >> the Dogtag instance.See the installation log for details.
> >>   [27/31]: migrating certificate profiles to LDAP
> >>   [error] NetworkError: cannot connect to
> >> 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
> >> ipa.ipapython.install.cli.install_tool(Server): ERROR    cannot connect
> >> to 'https://ldap2.armourcomms.com:8443/ca/rest/account/login': ''
> >> ipa.ipapython.install.cli.install_tool(Server): ERROR    The
> >> ipa-server-install command failed. See /var/log/ipaserver-install.log
> >> for more information
> >>
> >>
> >> The log shows the following error
> >>
> >> 2016-12-14T16:53:05Z DEBUG NSSConnection init ldap.example.com
> >> 2016-12-14T16:53:05Z DEBUG Connecting: x.x.x.x:0
> >> 2016-12-14T16:53:05Z DEBUG approved_usage = SSL Server intended_usage =
> >> SSL Server
> >> 2016-12-14T16:53:05Z DEBUG cert valid True for
> >> "CN=ldap.example.com,O=EXAMPLE.COM"
> >> 2016-12-14T16:53:05Z DEBUG handshake complete, peer = x.x.x.x:8443
> >> 2016-12-14T16:53:05Z DEBUG Protocol: TLS1.2
> >> 2016-12-14T16:53:05Z DEBUG Cipher: TLS_RSA_WITH_AES_256_CBC_SHA
> >> 2016-12-14T16:53:05Z DEBUG response status 200
> >> 2016-12-14T16:53:05Z DEBUG response headers {'content-length': '205',
> >> 'set-cookie': 'JSESSIONID=9B6C767CDBED07088646235E68E831E0; Path=/ca/;
> >> Secure; HttpOnly', 'expires': 'Thu, 01 Jan 1970 00:00:00 UTC', 'server':
> >> 'Apache-Coyote/1.1', 'cache-control': 'private', 'date': 'Wed, 14 Dec
> >> 2016 16:53:05 GMT', 'content-type': 'application/xml'}
> >> 2016-12-14T16:53:05Z DEBUG response body '<?xml version="1.0"
> >> encoding="UTF-8" standalone="yes"?><Account
> >> id="ipara"><FullName>ipara</FullName><Roles><Role>Certificate Manager
> >> Agents</Role><Role>Registration Manager Agents</Role></Roles></Account>'
> >> 2016-12-14T16:53:05Z DEBUG request POST
> >> https://ldap.example.com:8443/ca/rest/profiles/raw
> >> 2016-12-14T16:53:05Z DEBUG request body
> >> 'profileId=IECUserRoles\nclassId=caEnrollImpl\ndesc=Enroll user
> >> certificates with IECUserRoles extension via IPA-RA agent
> >> authentication.\nvisible=false\nenable=true\nenableBy=admin\nauth.instance_id=raCertAuth\nname=IPA-RA
> >> Agent-Authenticated Server Certificate
> >> Enrollment\ninput.list=i1,i2\ninput.i1.class_id=certReqInputImpl\ninput.i2.class_id=submitterInfoInputImpl\noutput.list=o1\noutput.o1.class_id=certOutputImpl\npolicyset.list=serverCertSet\npolicyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12\npolicyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl\npolicyset.serverCertSet.1.constraint.name=Subject
> >> Name
> >> Constraint\npolicyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+\npolicyset.serverCertSet.1.constraint.params.accept=true\npolicyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl\npolicyset.serverCertSet.1.default.name=Subject
> >> Name
> >> Default\npolicyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,
> >> O=EXAMPLE.COM\npolicyset.serverCertSet.2.constraint.class_id=validityConstraintImpl\npolicyset.serverCertSet.2.constraint.name=Validity
> >> Constraint\npolicyset.serverCertSet.2.constraint.params.range=740\npolicyset.serverCertSet.2.constraint.params.notBeforeCheck=false\npolicyset.serverCertSet.2.constraint.params.notAfterCheck=false\npolicyset.serverCertSet.2.default.class_id=validityDefaultImpl\npolicyset.serverCertSet.2.default.name=Validity
> >> Default\npolicyset.serverCertSet.2.default.params.range=731\npolicyset.serverCertSet.2.default.params.startTime=0\npolicyset.serverCertSet.3.constraint.class_id=keyConstraintImpl\npolicyset.serverCertSet.3.constraint.name=Key
> >> Constraint\npolicyset.serverCertSet.3.constraint.params.keyType=RSA\npolicyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096\npolicyset.serverCertSet.3.default.class_id=userKeyDefaultImpl\npolicyset.serverCertSet.3.default.name=Key
> >> Default\npolicyset.serverCertSet.4.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.4.constraint.name=No
> >> Constraint\npolicyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.4.default.name=Authority
> >> Key Identifier
> >> Default\npolicyset.serverCertSet.5.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.5.constraint.name=No
> >> Constraint\npolicyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl\npolicyset.serverCertSet.5.default.name=AIA
> >> Extension
> >> Default\npolicyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName\npolicyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.example.com/ca/ocsp\npolicyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1\npolicyset.serverCertSet.5.default.params.authInfoAccessCritical=false\npolicyset.serverCertSet.5.default.params.authInfoAccessNumADs=1\npolicyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl\npolicyset.serverCertSet.6.constraint.name=Key
> >> Usage Extension
> >> Constraint\npolicyset.serverCertSet.6.constraint.params.keyUsageCritical=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl\npolicyset.serverCertSet.6.default.name=Key
> >> Usage
> >> Default\npolicyset.serverCertSet.6.default.params.keyUsageCritical=true\npolicyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true\npolicyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true\npolicyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true\npolicyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false\npolicyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false\npolicyset.serverCertSet.6.default.params.keyUsageCrlSign=false\npolicyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false\npolicyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false\npolicyset.serverCertSet.7.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.7.constraint.name=No
> >> Constraint\npolicyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl\npolicyset.serverCertSet.7.default.name=Extended
> >> Key Usage Extension
> >> Default\npolicyset.serverCertSet.7.default.params.exKeyUsageCritical=false\npolicyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2\npolicyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl\npolicyset.serverCertSet.8.constraint.name=No
> >> Constraint\npolicyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC\npolicyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl\npolicyset.serverCertSet.8.default.name=Signing
> >> Alg\npolicyset.serverCertSet.8.default.params.signingAlg=-\npolicyset.serverCertSet.9.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.9.constraint.name=No
> >> Constraint\npolicyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl\npolicyset.serverCertSet.9.default.name=CRL
> >> Distribution Points Extension
> >> Default\npolicyset.serverCertSet.9.default.params.crlDistPointsCritical=false\npolicyset.serverCertSet.9.default.params.crlDistPointsNum=1\npolicyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate
> >> Authority,o=ipaca\npolicyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName\npolicyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.example.com/ipa/crl/MasterCRL.bin\npolicyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName\npolicyset.serverCertSet.9.default.params.crlDistPointsReasons_0=\npolicyset.serverCertSet.10.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.10.constraint.name=No
> >> Constraint\npolicyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl\npolicyset.serverCertSet.10.default.name=Subject
> >> Key Identifier Extension
> >> Default\npolicyset.serverCertSet.10.default.params.critical=false\npolicyset.serverCertSet.11.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.11.constraint.name=No
> >> Constraint\npolicyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl\npolicyset.serverCertSet.11.default.name=User
> >> Supplied Extension
> >> Default\npolicyset.serverCertSet.11.default.params.userExtOID=2.5.29.17\npolicyset.serverCertSet.12.constraint.class_id=noConstraintImpl\npolicyset.serverCertSet.12.constraint.name=No
> >> Constraint\npolicyset.serverCertSet.12.default.class_id=userExtensionDefaultImpl\npolicyset.serverCertSet.12.default.name=IECUserRoles
> >> Extension
> >> Default\npolicyset.serverCertSet.12.default.params.userExtOID=1.2.840.10070.8.1\n'
> >>
> >> Is there anything I can do to get around this?
> >>
> >> Thanks,
> >>
> >> Tommy
> >>
> > Could you look at `journalctl -u pki-tomcatd@pki-tomcat' and see if
> > there are any errors there?
> >
> > Also could you provide more of /var/log/ipaserver-install.log and
> > /var/log/pki/pki-tomcat/ca/debug ?
> >
> > Thanks,
> > Fraser
> 