On Wed, Mar 17, 2021 at 9:27 AM Rob Crittenden <[email protected]> wrote:
> Robert Kudyba via FreeIPA-users wrote:
> >
> > On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden <[email protected]> wrote:
> >
> > > It depends on what the expectations are for these user-owned machines.
> >
> > Only expectation is to be able to log in to a server, get access to their home directory and be able to do their assignments, e.g., C++, Java or Python programming.
> >
> > > If you don't need IPA identities and IPA users won't log into them, then they only need a working krb5.conf and DNS configured on them.
> >
> > So each device needs to drop in the krb5.conf file from the FreeIPA server? How does this work on a Windows client?
>
> From the server? I wouldn't. It is likely going to need some hand-tuning depending on your configuration. For example the server is going to have a hardcoded KDC in it. You may or may not want that.
>
> > So we have to customize the /etc/krb5.conf file that exists on the server for any student devices.
>
> I mean, you don't want to use ipa-client-install which would do all of this for you, and I understand the reasons, but it does mean some additional work on your part.
>
> I don't know your network so at most I can make general suggestions, not provide you a full configuration.

Since it's a test server, DNS is not fully configured on the server to resolve properly, so I now set the krb5.conf file to ignore DNS (see below).

> In retrospect the default krb5.conf that ships on Fedora provides for includes. I think this is probably your best bet: provide an IPA configuration that resides there and it should co-exist pretty easily with any other configuration.
>
> I'm not completely sure about the order of loading and which configuration "wins" when there is conflict. The man page is the place to look.
>
> And kcm_default_ccache has instructions on how to enable/run sssd-kcm so that this should work out-of-the-box. That is probably better than having students comment it out, unless you can control the order of what "wins" when there is conflicting configuration.

Thanks, I'll also look into this.

> > > So your students would log into their own controlled machine using their own local account, kinit [email protected] and ssh using their credentials.
> > >
> > > The krb5.conf will tell the student machine how to contact the KDC. That's all that is necessary (beyond working DNS).
> >
> > I just tried this on another Fedora 33 workstation, dropped in the /etc/krb5.conf file and all I get is:
> > kinit: No KCM server found while getting default ccache
>
> You can comment the values out in /etc/krb5.conf.d/kcm_default_ccache to change the default ccache type, or comment out the includes in krb5.conf (probably easier).
>
> > OK now I can get any Fedora client to kinit and then ssh.
>
> See about for perhaps a less hacky approach than I originally suggested.

What "about" are you referring to?

> > I'm puzzled as to what we'd need to tell/provide to a student, who is enrolled remotely and can't come on campus, to be able to connect to our server via their Windows or Mac laptop.
>
> I don't know about Windows. I used the Windows MIT Kerberos packages a decade or more ago and they worked fine with PuTTY (and IPA with discovery) but whether that applies now or not I have no idea.
>
> Mac I think should work similar to Linux: provide a krb5.conf and things should just work. Again, you'll likely have to tweak the configuration depending on what version of MIT Mac ships these days.
>
> > kinit --version
> > kinit (Heimdal 1.5.1apple1)
> >
> > So my first test with the server krb5.conf file copied into /etc:
> > kinit: krb5_get_init_creds: unable to reach any KDC in realm OURDOMAIN.EDU, tried 0 KDCs
> >
> > So the first suggestion <https://apple.stackexchange.com/a/273064> I found was to preface kdc = tcp
> >
> > Then I made sure the firewall on the Mac was disabled. I also added the test IPA server & IP into /etc/hosts. I can ping it successfully.
> >
> > What else needs to change?
>
> It's difficult to troubleshoot in a void. I don't know your network configuration nor what krb5.conf you're using. It sure looks like discovery of the KDC over DNS failed.

I configured the following in krb5.conf and now at least get prompted for a password and kinit works!:

[libdefaults]
dns_lookup_kdc = no
dns_lookup_realm = no

klist
Ticket cache: API:krb5cc
Default principal: [email protected]
Valid starting       Expires              Service principal
03/18/21 15:17:43    03/19/21 15:17:39    krbtgt/[email protected]

However ssh -k on both a Mac and a Windows PC does NOT automatically log me in and only the NIS password works.

From ssh -vv all I see is:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

And from the ssh logs:
Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
Mar 18 15:52:48 ourserver sshd[634486]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
Mar 18 15:52:48 ourserver sshd[634486]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
Mar 18 15:52:48 ourserver sshd[634486]: Failed publickey for ouruser from x.x.x.x port 51827 ssh2: ED25519 SHA256:BH1fuycgWofiOBV9lPK4XB2vYK3frN2FKv208PnmENI
Mar 18 15:52:48 ourserver sshd[634486]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: attempt 3 failures 2 [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: keyboard-interactive devs [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: kbdint_alloc: devices 'pam' [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: Postponed keyboard-interactive for ouruser from x.x.x.x port 51827 ssh2 [preauth]
Mar 18 15:52:58 ourserver sshd[634508]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
Mar 18 15:53:00 ourserver sshd[634486]: error: PAM: Authentication failure for ouruser from x.x.x.x
Mar 18 15:53:00 ourserver sshd[634486]: Failed keyboard-interactive/pam for ouruser from x.x.x.x port 51827 ssh2
Mar 18 15:53:00 ourserver sshd[634486]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]

So is there some other configuration that needs to be set to pass on/through from kinit/ticket to ssh, on Windows and Mac? Perhaps something in krb5.conf?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
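Added here as an example (not code from the thread or from the FreeIPA project): a small triage script that reads the ssh -vv and sshd lines quoted in the message above and reports whether the server offered GSSAPI without the client ever attempting it, and what PAM returned on the password fallback. The two log samples are constructed from the quoted lines, with placeholder host, user and address values.

```python
"""Triage for 'kinit works but ssh does not use the ticket'. Added example, not
code from the thread or the FreeIPA project; inputs are constructed from the
ssh -vv and sshd lines quoted above (host/user/address values are placeholders)."""
import re

# Constructed sample: client-side `ssh -vv` output as quoted in the thread.
CLIENT_DEBUG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
"""
# Constructed sample: server-side sshd debug lines as quoted in the thread.
SERVER_LOG = """\
Mar 18 15:52:48 ourserver sshd[634486]: Failed publickey for ouruser from x.x.x.x port 51827 ssh2: ED25519 SHA256:...
Mar 18 15:52:48 ourserver sshd[634486]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
"""

def offered_methods(client_debug):
    """Methods the server advertised, from the client's -vv output."""
    m = re.search(r"Authentications that can continue: (\S+)", client_debug)
    return set(m.group(1).split(",")) if m else set()

def attempted_methods(server_log):
    """Methods the client actually tried, from sshd's own log."""
    tried = set(re.findall(r"userauth-request for user \S+ service \S+ method (\S+)", server_log))
    # "Failed keyboard-interactive/pam for ..." also names the PAM submethod; keep the method only.
    tried |= {m.split("/")[0] for m in re.findall(r"Failed (\S+) for \S+ from", server_log)}
    return tried

def diagnose(client_debug, server_log):
    """Return human-readable findings; an empty list means nothing stood out."""
    offered, tried = offered_methods(client_debug), attempted_methods(server_log)
    gss = sorted(m for m in offered if m.startswith("gssapi"))
    findings = []
    if gss and not set(gss) & tried:
        findings.append(f"server offers {','.join(gss)} but the client never attempted GSSAPI: "
                        "enable it on the client (OpenSSH: -K or GSSAPIAuthentication yes) and "
                        "connect to the server's FQDN so host/<fqdn>@REALM can be requested")
    if re.search(r"pam_sss\(sshd:auth\): received for user \S+: 9 ", server_log):
        findings.append("password fallback reached pam_sss and got PAM_AUTHINFO_UNAVAIL (9): "
                        "SSSD could not retrieve auth info; unrelated to whether a ticket exists")
    return findings

if __name__ == "__main__":
    for finding in diagnose(CLIENT_DEBUG, SERVER_LOG):
        print("-", finding)
```

Note that on OpenSSH the uppercase -K flag enables GSSAPI authentication, while lowercase -k only disables delegation of GSSAPI credentials.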
