Robert Kudyba via FreeIPA-users wrote:
> On Wed, Mar 17, 2021 at 9:27 AM Rob Crittenden <[email protected]> wrote:
> 
>     Robert Kudyba via FreeIPA-users wrote:
>     >
>     >
>     > On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden <[email protected]> wrote:
>     >
>     >     >     It depends on what the expectations are for these user-owned
>     >     machines.
>     >     >
>     >     >
>     >     > Only expectation is to be able to log in to a server, get
>     access to
>     >     > their home directory and be able to do their assignments,
>     e.g., C++,
>     >     > Java or Python programming.
>     >     >  
>     >     >
>     >     >     If you don't need IPA identities and IPA users won't log
>     into
>     >     them, then
>     >     >     they only need a working krb5.conf and DNS configured on
>     them.
>     >     >
>     >     >
>     >     > So each device needs to drop in the krb5.conf file from the
>     FreeIPA
>     >     > server? How does this work on a Windows client?
>     >
>     >     From the server? I wouldn't. It is likely going to need some
>     hand-tuning
>     >     depending on your configuration. For example the server is
>     going to have
>     >     a hardcoded KDC in it. You may or may not want that.
>     >
>     >
>     > So we have to customize the /etc/krb5.conf file that exists on the
>     > server for any student devices.
> 
>     I mean, you don't want to use ipa-client-install which would do all of
>     this for you, and I understand the reasons, but it does mean some
>     additional work on your part.
> 
>     I don't know your network so at most I can make general suggestions, not
>     provide you a full configuration.
> 
> 
> Since it's a test server, DNS is not fully configured on the server to
> resolve properly, so I now set the krb5.conf file to ignore DNS (see below).
> 
>  
> 
>     In retrospect the default krb5.conf that ships on Fedora provides for
>     includes. I think this is probably your best bet: provide an IPA
>     configuration that resides there and it should co-exist pretty easily
>     with any other configuration.
> 
>     I'm not completely sure about the order of loading and which
>     configuration "wins" when there is conflict. The man page is the place
>     to look.
> 
>     And kcm_default_ccache has instructions on how to enable/run sssd-kcm so
>     that this should work out-of-the-box. That is probably better than
>     having students comment it out, unless you can control the order of what
>     "wins" when there is conflicting configuration.
> 
> 
> Thanks I'll also look into this. 
> 
>     >     >     So your students would log into their own controlled machine
>     >     using their
>     >     >     own local account, kinit [email protected] and
>     >     ssh using their
>     >     >     credentials.
>     >     >
>     >     >     The krb5.conf will tell the student machine how to
>     contact the
>     >     KDC.
>     >     >     That's all that is necessary (beyond working DNS).
>     >     >
>     >     >
>     >     > I just tried this on another Fedora 33 workstation, dropped
>     in the
>     >     > /etc/krb5.conf file and all I get is:
>     >     > kinit: No KCM server found while getting default ccache
>     >
>     >     You can comment the values out in
>     /etc/krb5.conf.d/kcm_default_ccache to
>     >     change the default ccache type, or comment out the includes in
>     krb5.conf
>     >     (probably easier).
>     >
>     >
>     > OK now I can get any Fedora client to kinit and then ssh.
> 
>     See about for perhaps a less hacky approach than I originally suggested.
> 
> 
> What "about" are you referring to?

Typo. Above.
  
> 
>     >     > I'm puzzled as to what we'd need to tell/provide to a
>     student, who is
>     >     > enrolled remotely and can't come on campus, to be able to
>     connect
>     >     to our
>     >     > server via their Windows or Mac laptop. 
>     >
>     >     I don't know about Windows. I used the Windows MIT Kerberos
>     packages a
>     >     decade or more ago and they worked fine with PuTTY (and IPA with
>     >     discovery) but whether that applies now or not I have no idea.
>     >
>     >     Mac I think should work similar to Linux: provide a krb5.conf
>     and things
>     >     should just work. Again, you'll likely have to tweak the
>     configuration
>     >     depending on what version of MIT Mac ships these days.
>     >
>     >
>     > kinit --version
>     >
>     > kinit (Heimdal 1.5.1apple1)
>     >
>     >  
>     > So my first test with the server krb5.conf file copied into /etc:
>     >
>     > kinit: krb5_get_init_creds: unable to reach any KDC in realm
>     > OURDOMAIN.EDU, tried 0 KDCs
>     >
>     >
>     > So the first suggestion <https://apple.stackexchange.com/a/273064> I
>     > found was to preface kdc = tcp
>     >
>     > Then I made sure the firewall on the Mac was disabled. I also
>     added the
>     > test IPA server & IP into /etc/hosts. I can ping it successfully.
>     >
>     > What else needs to change?
> 
>     It's difficult to troubleshoot in a void. I don't know your network
>     configuration nor what krb5.conf you're using. It sure looks like
>     discovery of the KDC over DNS failed.
> 
> 
> I configured the following in krb5.conf and now at least get prompted
> for a password and kinit works!:
> [libdefaults]
> dns_lookup_kdc   = no
> dns_lookup_realm = no
> 
> klist
> Ticket cache: API:krb5cc
> Default principal: [email protected]
> 
> Valid starting     Expires            Service principal
> 03/18/21 15:17:43  03/19/21 15:17:39  krbtgt/[email protected]

I don't know why mac/Windows isn't working. It doesn't look like it is
even trying GSSAPI.

rob

> 
> However ssh -k on both a Mac and Windows PC do NOT automatically log me
> in and only the NIS password works. From ssh -vv all I see is:
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1  
> 
> And from the ssh logs:
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: temporarily_use_uid:
> 99/99 (e=0/0)
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: temporarily_use_uid:
> 99/99 (e=0/0)
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
> Mar 18 15:52:48 ourserver sshd[634486]: Failed publickey for ouruser
> from x.x.x.x port 51827 ssh2: ED25519
> SHA256:BH1fuycgWofiOBV9lPK4XB2vYK3frN2FKv208PnmENI
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: userauth-request for
> user ouruser service ssh-connection method keyboard-interactive [preauth]
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: attempt 3 failures 2
> [preauth]
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: keyboard-interactive
> devs  [preauth]
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: auth2_challenge:
> user=ouruser devs= [preauth]
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: kbdint_alloc: devices
> 'pam' [preauth]
> Mar 18 15:52:48 ourserver sshd[634486]: debug1: auth2_challenge_start:
> trying authentication method 'pam' [preauth]
> Mar 18 15:52:48 ourserver sshd[634486]: Postponed keyboard-interactive
> for ouruser from x.x.x.x port 51827 ssh2 [preauth]
> Mar 18 15:52:58 ourserver sshd[634508]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=x.x.x.x  user=ouruser
> Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=x.x.x.x user=ouruser
> Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth): received for
> user ouruser: 9 (Authentication service cannot retrieve authentication info)
> Mar 18 15:53:00 ourserver sshd[634486]: error: PAM: Authentication
> failure for ouruser from x.x.x.x
> Mar 18 15:53:00 ourserver sshd[634486]: Failed keyboard-interactive/pam
> for ouruser from x.x.x.x port 51827 ssh2
> Mar 18 15:53:00 ourserver sshd[634486]: debug1: userauth-request for
> user ouruser service ssh-connection method keyboard-interactive [preauth]
> 
> So is there some other configuration that needs to be set to pass
> on/through from kinit/ticket to ssh, on Windows and Mac? Perhaps
> something in krb5.conf?
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
> 
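An added example for the two configuration points raised in the thread above: hard-coding the KDC when DNS discovery is switched off (the "unable to reach any KDC ... tried 0 KDCs" failure), and getting the ssh client to actually attempt gssapi-with-mic (Rob's observation that the client does not even try GSSAPI). This is editor-written example code, not from the thread, from FreeIPA, or from the FreeIPA project. OURDOMAIN.EDU is the placeholder realm used in the thread; the KDC host name ipa.ourdomain.edu, the generated file contents and the sample ssh -vv lines are assumed or constructed here. One caveat worth knowing when reading the "ssh -k" attempts: in OpenSSH, -K enables GSSAPI authentication (and credential delegation), while lowercase -k only disables delegation, so a per-host GSSAPIAuthentication setting is the reliable switch.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: builds a
# krb5.conf / ssh_config for a machine that is NOT enrolled with
# ipa-client-install, and classifies "ssh -vv" output to see whether
# GSSAPI was ever attempted. Realm and KDC names are placeholders
# (the thread only shows OURDOMAIN.EDU); replace them with your own.

REALM="${REALM:-OURDOMAIN.EDU}"            # assumed: realm from the thread
KDC_HOST="${KDC_HOST:-ipa.ourdomain.edu}"  # assumed: hypothetical KDC name

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Minimal krb5.conf with a hard-coded KDC, so it works even when the
# _kerberos SRV records are not resolvable (as on the test server).
make_krb5_conf() {
  realm=$1; kdc=$2; dom=$(lower "$1")
  cat <<EOF
[libdefaults]
  default_realm = $realm
  dns_lookup_kdc = false
  dns_lookup_realm = false
  # Use the host name as typed when building host/<fqdn>@REALM for ssh;
  # with DNS partly broken, canonicalisation can pick the wrong name.
  dns_canonicalize_hostname = false
  rdns = false           # MIT krb5 option; unknown keys are ignored elsewhere

[realms]
  $realm = {
    kdc = $kdc:88
    admin_server = $kdc:749
  }

[domain_realm]
  .$dom = $realm
  $dom = $realm
EOF
}

# Per-user ~/.ssh/config stanza: OpenSSH only tries gssapi-with-mic when
# GSSAPIAuthentication is on for the host. Delegation stays off: the
# server gets proof of identity, not a forwardable copy of the TGT.
make_ssh_config() {
  cat <<EOF
Host *.$(lower "$1")
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials no
EOF
}

# Reads "ssh -vv" output on stdin and prints one diagnosis line.
diagnose_ssh_debug() {
  log=$(cat)
  if ! printf '%s\n' "$log" | grep -q 'Authentications that can continue:.*gssapi-with-mic'; then
    echo "server-not-offering-gssapi"       # sshd: GSSAPIAuthentication no
  elif ! printf '%s\n' "$log" | grep -q 'Next authentication method: gssapi-with-mic'; then
    echo "client-not-attempting-gssapi"     # client config, or no ticket visible to ssh
  elif printf '%s\n' "$log" | grep -q 'Authentication succeeded (gssapi-with-mic)'; then
    echo "gssapi-succeeded"
  else
    echo "gssapi-attempted-but-failed"      # usually host/<fqdn>@REALM mismatch
  fi
}

# Constructed sample debug output (not captured from a real session).
SAMPLE_KBDINT_ONLY='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply'

SAMPLE_GSSAPI_OK='debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).'

if [ "${1:-}" = "demo" ]; then
  make_krb5_conf "$REALM" "$KDC_HOST"
  make_ssh_config "$REALM"
  printf '%s\n' "$SAMPLE_KBDINT_ONLY" | diagnose_ssh_debug   # client-not-attempting-gssapi
  printf '%s\n' "$SAMPLE_GSSAPI_OK" | diagnose_ssh_debug     # gssapi-succeeded
fi
```

Run it as `sh krb5-unenrolled.sh demo` to print the generated files, or source it and pipe a live session through the classifier: `ssh -vv user@server 2>&1 | diagnose_ssh_debug`. The first sample mirrors the shape of the debug output quoted in the thread (server offers gssapi-with-mic, client goes straight to keyboard-interactive), which the classifier reports as the client side not attempting GSSAPI; "gssapi-attempted-but-failed" is the case to check next, where the client did try and the service principal host/<fqdn>@REALM did not match the name it connected to.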