I will try to reproduce the problem interactively in Python.

Lune
On Wed, 4 Jul 2018 at 07:20, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Wed, 04 Jul 2018, lune voo wrote:
> >Hello Alexander.
> >
> >Thanks for the answer.
> >
> >Otp stands for one time password.
> >
> >In fact in order to set a password for a user, I do first an ipa passwd
> >using the ipa python library.
> So, your code is equivalent to
>
>   kinit admin
>   ipa passwd test-user
>   kpasswd test-user
>
> ?
>
> I.e. there is no 2FA involved and what you call 'otp' is only reflecting
> the fact that any non-user-initiated password change forces that user to
> change their password, so 'ipa passwd test-user' as admin means
> 'test-user' password has to be changed and becomes effectively a one
> time password set by admin.
>
> Is that a correct assessment?
>
> >The otp is good normally.
> Can you demonstrate things not working in a console, interactively?
>
> >And the kpasswd password should be good also except if ipa kdc doesn't like
> >some special characters ?
> There are no limits on what Kerberos KDC considers a 'password' as that
> could be a bunch of random bytes.
>
> >
> >Lune.
> >
> >
> >On Tue, 3 Jul 2018 at 17:49, Alexander Bokovoy <aboko...@redhat.com>
> >wrote:
> >
> >> On Tue, 03 Jul 2018, lune voo via FreeIPA-users wrote:
> >> >Hello !
> >> >
> >> >I contact you because I encounter a problem when I use kpasswd using
> >> >the python popen function.
> >> >I use freeipa 3.0 and python 2.6.6.
> >> >
> >> >Here is what I do in python :
> >> >
> >> >import shlex
> >> >from subprocess import Popen, PIPE, STDOUT
> >> >
> >> >input_process = otp + '\n' + password + '\n' + password
> >> Here you provide otp (what is this? A 2FA token value?), password and
> >> password.
> >>
> >> >cmd = 'kpasswd %s' % user_login
> >> >cmd_and_args = shlex.split(cmd)
> >> >p = Popen(cmd_and_args, stdout=PIPE, stdin=PIPE, stderr=STDOUT)
> >> >(output, error) = p.communicate(input=input_process)
> >> >
> >> >
> >> >Before doing that, I performed the following command in order to have
> >> >more logs :
> >> >export KRB5_TRACE=/dev/stdout
> >> >
> >> >And here is what I see in the logs :
> >> >###
> >> >[47700] 1530630765.610794: Getting initial credentials for test_user@MYREALM
> >> >[47700] 1530630765.610945: FAST armor ccache: FILE:/tmp/krb5cc_testuser
> >> >[47700] 1530630765.610998: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
> >> >[47700] 1530630765.611003: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
> >> >[47700] 1530630765.611006: Using FAST due to armor ccache negotiation result
> >> >[47700] 1530630765.611016: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
> >> >[47700] 1530630765.611044: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
> >> >[47700] 1530630765.611061: Armor ccache sesion key: aes256-cts/2559
> >> >[47700] 1530630765.611089: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7F39, session key aes256-cts/2559
> >> >[47700] 1530630765.611168: FAST armor key: aes256-cts/79AB
> >> >[47700] 1530630765.611179: Setting initial creds service to kadmin/changepw
> >> >[47700] 1530630765.611184: FAST armor ccache: FILE:/tmp/krb5cc_testuser
> >> >[47700] 1530630765.611208: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
> >> >[47700] 1530630765.611212: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
> >> >[47700] 1530630765.611213: Using FAST due to armor ccache negotiation result
> >> >[47700] 1530630765.611219: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
> >> >[47700] 1530630765.611240: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
> >> >[47700] 1530630765.611245: Armor ccache sesion key: aes256-cts/2559
> >> >[47700] 1530630765.611256: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2BFD, session key aes256-cts/2559
> >> >[47700] 1530630765.611288: FAST armor key: aes256-cts/62C4
> >> >[47700] 1530630765.611299: Encoding request body and padata into FAST request
> >> >[47700] 1530630765.611333: Sending request (1019 bytes) to MYREALM
> >> >[47700] 1530630765.611418: Resolving hostname ipamasterhostname
> >> >[47700] 1530630765.611608: Initiating TCP connection to stream ipamasterIP:88
> >> >[47700] 1530630765.611769: Sending TCP request to stream ipamasterIP:88
> >> >[47700] 1530630765.675154: Received answer from stream ipamasterIP:88
> >> >[47700] 1530630765.675208: Response was from master KDC
> >> >[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional pre-authentication required
> >> >[47700] 1530630765.675249: Decoding FAST response
> >> >[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137
> >> >[47700] 1530630765.675319: Received cookie: MIT
> >> >Password for test_user@MYREALM:
> >> Here you are asked for a password.
> >>
> >> >[47700] 1530630765.682884: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
> >> >[47700] 1530630765.682889: Produced preauth for next request: 133, 138
> >> >[47700] 1530630765.682891: Encoding request body and padata into FAST request
> >> >[47700] 1530630765.682951: Sending request (1118 bytes) to MYREALM
> >> >[47700] 1530630765.682967: Resolving hostname ipamasterhostname
> >> >[47700] 1530630765.683098: Initiating TCP connection to stream ipamasterIP:88
> >> >[47700] 1530630765.683180: Sending TCP request to stream ipamasterIP:88
> >> >[47700] 1530630765.756232: Received answer from stream ipamasterIP:88
> >> >[47700] 1530630765.756302: Response was from master KDC
> >> >[47700] 1530630765.756321: Received error from KDC: -1765328360/Preauthentication failed
> >> >[47700] 1530630765.756325: Decoding FAST response
> >> >[47700] 1530630765.756376: Preauth tryagain input types: 136, 19, 138, 133, 137
> >> >kpasswd: Preauthentication failed getting initial ticket
> >> And your password (what kpasswd uses as a password) is incorrect (to
> >> what KDC considers you have as a password).
> >>
> >> >
> >> >)
> >> >###
> >> >
> >> >I don't understand yet why the command kpasswd is failing ?
> >> >
> >> >My ticket admin is good.
> >> >My ticket cache is used only by me.
> >> >
> >> >May you help me to understand what is going on please ?
> >> Try first to get this working interactively.
> >>
> >> >Is there a way to use the ipa python library to perform a kpasswd instead of
> >> >popen of the kpasswd command ?
> >> >
> >> >Best regards.
> >> >
> >> >Lune
> >>
> >> >_______________________________________________
> >> >FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> >To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> >> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> >List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/3RC6MOLZNN2QIOXPZ6SMHPT53KDXEGAO/
> >>
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
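The thread turns on reading the KRB5_TRACE output correctly: the first "Additional pre-authentication required" is the normal first round trip, while the later "Preauthentication failed" is the KDC rejecting the current password that kpasswd was fed, which is Alexander's reading. The helper below is an added example written for this thread, not code from either participant or from FreeIPA. It assumes Python 3, an MIT Kerberos `kpasswd` on PATH, and that the KRB5_TRACE variable is honoured; the sample trace is constructed from a few of the lines quoted above, and `run_kpasswd` is a hypothetical wrapper that passes the principal as an argv element rather than formatting it into a string and re-splitting it with `shlex`.

```python
"""Drive kpasswd non-interactively and interpret its KRB5_TRACE output.

Added example, not code from the thread's participants. Assumes Python 3,
an MIT Kerberos `kpasswd` binary on PATH, and that KRB5_TRACE is honoured.
"""
import os
import re
import subprocess

# KDC error codes as they appear in KRB5_TRACE lines (MIT krb5 numbering,
# both taken from the trace quoted in the thread).
KDC_ERR_PREAUTH_REQUIRED = -1765328359  # first round trip: expected, not a failure
KDC_ERR_PREAUTH_FAILED = -1765328360    # the current password was rejected

_KDC_ERR_RE = re.compile(r"Received error from KDC:\s*(-?\d+)/(.+)")
_PREAUTH_RE = re.compile(r"Processing preauth types:\s*([\d,\s]+)")
_KPASSWD_RE = re.compile(r"^kpasswd:\s*(.+)$")


def parse_trace(text):
    """Summarise a KRB5_TRACE log: KDC errors seen, preauth types offered,
    whether FAST armor was used, and kpasswd's own final message (if any)."""
    summary = {"kdc_errors": [], "preauth_types": [], "fast_used": False,
               "kpasswd_message": None}
    for line in text.splitlines():
        if "Using FAST" in line:
            summary["fast_used"] = True
        m = _KDC_ERR_RE.search(line)
        if m:
            summary["kdc_errors"].append((int(m.group(1)), m.group(2).strip()))
            continue
        m = _PREAUTH_RE.search(line)
        if m:
            summary["preauth_types"] = [int(t) for t in m.group(1).split(",") if t.strip()]
            continue
        m = _KPASSWD_RE.match(line.strip())
        if m:
            summary["kpasswd_message"] = m.group(1).strip()
    return summary


def diagnose(text):
    """Turn a trace into a one-line verdict a calling script can act on."""
    s = parse_trace(text)
    codes = [code for code, _ in s["kdc_errors"]]
    if KDC_ERR_PREAUTH_FAILED in codes:
        return "current password rejected by KDC"
    if s["kpasswd_message"]:
        return "kpasswd reported: " + s["kpasswd_message"]
    if codes and set(codes) <= {KDC_ERR_PREAUTH_REQUIRED}:
        return "no preauth failure seen"
    return "unrecognised trace"


def run_kpasswd(principal, current_password, new_password, kpasswd="kpasswd"):
    """Hypothetical wrapper: run kpasswd with its answers fed on stdin.

    argv is passed as a list, so the principal is never formatted into a
    command string and re-split; unusual characters in it cannot alter the
    command. Returns (returncode, combined stdout+stderr text including the
    KRB5_TRACE lines).
    """
    env = dict(os.environ, KRB5_TRACE="/dev/stdout")
    # kpasswd prompts for the current password, then the new password twice.
    answers = "\n".join((current_password, new_password, new_password)) + "\n"
    proc = subprocess.Popen([kpasswd, principal], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                            env=env)
    out, _ = proc.communicate(input=answers.encode())
    return proc.returncode, out.decode(errors="replace")


# Constructed sample: a handful of the KRB5_TRACE lines quoted in the thread.
SAMPLE_TRACE = """\
[47700] 1530630765.611006: Using FAST due to armor ccache negotiation result
[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional pre-authentication required
[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137
Password for test_user@MYREALM:
[47700] 1530630765.682884: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
[47700] 1530630765.756321: Received error from KDC: -1765328360/Preauthentication failed
kpasswd: Preauthentication failed getting initial ticket
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

Run on the sample, `diagnose` returns "current password rejected by KDC"; on a trace that only contains the first-round "Additional pre-authentication required" error it returns "no preauth failure seen", so a script driving kpasswd can tell the expected negotiation from a wrong-password result instead of grepping for the word "error".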