[Freeipa-users] Ubuntu client 2FA not working
Jochen Hein
jochen at jochen.org
Mon Feb 27 12:44:23 UTC 2017
Tommy Nikjoo <tommy.nikjoo at armourcomms.com> writes:
> I'm having some issues with 2FA PAM config's on Ubuntu clients.
> Currently, I'm guessing that the PAM module doesn't know how to talk to
> the 2FA protocol. Is anyone able to give an in site into how to get
> this working correctly?
I'm not finished with my quest, but I think I got at least some hints.
Right now I'm not trying with pam/sss, but with kinit alone. I do have
two IPA servers and in the default configuration I see:
$ KRB5_TRACE=/dev/stderr kinit -T KEYRING:persistent:1004:krb_ccache_UhNqkJ3 jochen
[15136] 1488197822.55857: Resolving hostname freeipa1.example.org.
[15136] 1488197822.57587: Sending initial UDP request to dgram 192.168.30.121:88
[15136] 1488197822.60106: Received answer (546 bytes) from dgram 192.168.30.121:88
[15136] 1488197822.60994: Response was from master KDC
[15136] 1488197822.61069: Received error from KDC: -1765328359/zusätzlich Vorauthentifizierung erforderlich
[15136] 1488197822.61093: Decoding FAST response
[15136] 1488197822.61282: Processing preauth types: 136, 141, 133, 137
[15136] 1488197822.61298: Received cookie: MIT
Enter your OTP password:
[15136] 1488197829.991232: Preauth module otp (141) (real) returned: 0/Success
[15136] 1488197829.991271: Produced preauth for next request: 133, 142
[15136] 1488197829.991289: Encoding request body and padata into FAST request
[15136] 1488197829.991518: Sending request (1221 bytes) to EXAMPLE.ORG
[15136] 1488197829.993141: Resolving hostname freeipa1.example.org.
[15136] 1488197829.993873: Sending initial UDP request to dgram 192.168.30.121:88
[15136] 1488197830.994965: Resolving hostname freeipa2.example.org.
[15136] 1488197830.995866: Sending initial UDP request to dgram 192.168.30.122:88
[15136] 1488197831.128141: Received answer (546 bytes) from dgram 192.168.30.121:88
[15136] 1488197831.129630: Response was from master KDC
[15136] 1488197831.129731: Received error from KDC: -1765328360/Vorauthentifizierung fehlgeschlagen
[15136] 1488197831.129764: Decoding FAST response
[15136] 1488197831.129953: Preauth tryagain input types: 136, 141, 133, 137
kinit: Vorauthentifizierung fehlgeschlagen bei Anfängliche Anmeldedaten werden geholt.
We ask the first ipa server for preauth, after I've entered the
password+OTP we ask the first server with UDP, but don't get an answer
within one second. So we ask the other server. Shortly after we get the
answer from the first server.
If I use only one KDC in krb5.conf:
dns_lookup_kdc = false
...
kdc = freeipa1.example.org
we only ask that server and get the correct answer.
So I see two questions for now:
- Why do we ask both servers with such a short timeout?
- Why do we use UDP when using dns_lookup_kdc, even if I have "udp_preference_limit = 1" set?
My FreeIPA servers ask themselves, so they don't use DNS. I'll try to check a normal client.
Hm, one CentOS client has krb5-workstation-1.14.1-27.el7_3.x86_64 and works fine.
My Debian host I analyzed here has krb5-user 1.15-1.
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
More information about the Freeipa-users
mailing list