The password is being changed for IPA users using the IPA server UI. After the
password change, users are able to log in to the IPA portal and Linux servers as
well, but are not able to authenticate with OpenVPN via the plugin.
Also, the same is happening for new users: if I create a new user in IPA and
try to log in to OpenVPN with that user with 2FA enabled, it is not working.
During authentication, it is going for pre-authentication, and I found these in
the Kerberos logs for a user for both attempts (with 2FA enabled and without). This
user's password was reset recently, and after that it started having issues.
Without OTP it is working and with OTP it is failing.
Without OTP
Jul 10 02:34:24 newvpn1 krb5kdc[1446773](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Jul 10 02:34:25 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Jul 10 02:34:25 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Jul 10 02:34:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Jul 10 02:34:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: ISSUE:
authtime 1720559066, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
[email protected] for krbtgt/[email protected]
Jul 10 02:34:27 newvpn1 krb5kdc[1446774](info): TGS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: ISSUE:
authtime 1720559066, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
[email protected] for host/[email protected]
With OTP Failure
Jul 10 02:33:25 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Jul 10 02:33:25 newvpn1 krb5kdc[1446773](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Jul 10 02:33:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Jul 10 02:33:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5:
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected],
Additional pre-authentication required
Jul 10 02:33:27 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5:
PREAUTH_FAILED: [email protected] for krbtgt/[email protected],
Preauthentication failed
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
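
Added example (not part of the original post): a Python triage script that re-joins mail-wrapped krb5kdc entries and collapses each client's AS_REQ exchange into one attempt with its final status, so a login that ends in PREAUTH_FAILED stands out from one that ends in ISSUE. The sample lines are constructed in the format of the logs above; the principal alice@EXAMPLE.TEST and the realm are placeholders.

```python
import re

# Constructed sample in the krb5kdc format quoted in the post, wrapped across
# lines as a mail client would; principal and realm are placeholders.
SAMPLE = """\
Jul 10 02:33:25 newvpn1 krb5kdc[1446774](info): AS_REQ (1 etypes
{aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: NEEDED_PREAUTH: alice@EXAMPLE.TEST for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jul 10 02:33:27 newvpn1 krb5kdc[1446774](info): AS_REQ (1 etypes
{aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: PREAUTH_FAILED: alice@EXAMPLE.TEST for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
Jul 10 02:34:24 newvpn1 krb5kdc[1446773](info): AS_REQ (1 etypes
{aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: NEEDED_PREAUTH: alice@EXAMPLE.TEST for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jul 10 02:34:26 newvpn1 krb5kdc[1446774](info): AS_REQ (1 etypes
{aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: ISSUE: authtime 1720559066, etypes
{rep=aes256-cts-hmac-sha1-96(18)}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ krb5kdc\[\d+\]")
ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{.*?\}, )?(?P<client>\S+) for (?P<service>[^\s,]+)")

# Re-join wrapped lines into one string per log entry, then extract the fields.
def parse(text):
    entries = []
    for line in text.splitlines():
        if START.match(line):
            entries.append(line.strip())
        elif entries:
            entries[-1] += " " + line.strip()
    return [m.groupdict() for m in map(ENTRY.match, entries) if m]

# Fold each (client, source IP) run of NEEDED_PREAUTH into one attempt that
# carries the final status: ISSUE (TGT granted) or an error such as PREAUTH_FAILED.
def as_attempts(records):
    attempts, pending = [], {}
    for r in (r for r in records if r["req"] == "AS_REQ"):
        key = (r["client"], r["ip"])
        if r["status"] == "NEEDED_PREAUTH":
            pending[key] = pending.get(key, 0) + 1
        else:
            attempts.append({"client": r["client"], "end": r["ts"], "result": r["status"],
                             "challenges": pending.pop(key, 0)})
    return attempts
```

Entries whose principal has been redacted by the list archive will not match ENTRY and are skipped; run it against the unredacted KDC log.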