On Wed, 10 Jul 2024, Tinku Goyal via FreeIPA-users wrote:
The password is being changed using the IPA server UI for the IPA
users. After the password change, users are able to log in to the IPA portal
and Linux servers as well, but are not able to authenticate with OpenVPN
via the plugin.

Also, the same is happening for new users: if I create a new user in
IPA and try to log in to OpenVPN with that user with 2FA enabled, it is
not working.

During authentication it goes for pre-authentication, and I found
these in the Kerberos logs for a user for both attempts (with 2FA enabled
and without). This user's password was reset recently, and after that
it started having issues.

Without OTP it is working and with OTP it is failing.

Can you provide debug SSSD logs from the openvpn host?


Without OTP

Jul 10 02:34:24 newvpn1 krb5kdc[1446773](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: 
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], 
Additional pre-authentication required
Jul 10 02:34:25 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: 
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], 
Additional pre-authentication required
Jul 10 02:34:25 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: 
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], 
Additional pre-authentication required
Jul 10 02:34:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: 
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], 
Additional pre-authentication required
Jul 10 02:34:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: ISSUE: 
authtime 1720559066, etypes {rep=aes256-cts-hmac-sha1-96(18), 
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, 
[email protected] for krbtgt/[email protected]
Jul 10 02:34:27 newvpn1 krb5kdc[1446774](info): TGS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: ISSUE: 
authtime 1720559066, etypes {rep=aes256-cts-hmac-sha1-96(18), 
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, 
[email protected] for host/[email protected]


With OTP Failure

Jul 10 02:33:25 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: 
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], 
Additional pre-authentication required
Jul 10 02:33:25 newvpn1 krb5kdc[1446773](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: 
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], 
Additional pre-authentication required
Jul 10 02:33:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: 
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], 
Additional pre-authentication required
Jul 10 02:33:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: 
NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], 
Additional pre-authentication required
Jul 10 02:33:27 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes 
{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), 
aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), 
camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: 
PREAUTH_FAILED: [email protected] for krbtgt/[email protected], 
Preauthentication failed
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
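As an added example (not code from this thread, from FreeIPA or from SSSD), a small Python triage script that parses krb5kdc lines in the format quoted above and reports, per client principal and source IP, how many AS_REQ round trips occurred and whether the exchange ended in ISSUE or PREAUTH_FAILED. The sample lines, principal names and realm are constructed placeholders; the thread's own values are redacted.

```python
import re
# Constructed sample lines in the krb5kdc format quoted in the thread; the
# principals and realm are placeholders, the thread's own values are redacted.
SAMPLE_LOG = """\
Jul 10 02:34:24 newvpn1 krb5kdc[1446773](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jul 10 02:34:26 newvpn1 krb5kdc[1446774](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: ISSUE: authtime 1720559066, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jul 10 02:34:27 newvpn1 krb5kdc[1446774](info): TGS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: ISSUE: authtime 1720559066, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, alice@EXAMPLE.TEST for host/newvpn1.example.test@EXAMPLE.TEST
Jul 10 02:33:25 newvpn1 krb5kdc[1446774](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jul 10 02:33:26 newvpn1 krb5kdc[1446774](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Jul 10 02:33:27 newvpn1 krb5kdc[1446774](info): AS_REQ (1 etypes {aes256-cts-hmac-sha1-96(18)}) 10.18.20.5: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Preauthentication failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^,\s]+)")

def parse_kdc_line(line):
    """Parse one krb5kdc AS_REQ/TGS_REQ line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINC_RE.search(rec.pop("rest"))
    rec["client"] = p.group("client") if p else None
    rec["service"] = p.group("service") if p else None
    return rec

def summarize_as_req(log_text):
    """Per (client principal, source IP): AS_REQ round trips and final outcome.
    Several NEEDED_PREAUTH lines per login are normal (the thread shows them in
    the working case too); what matters is the final ISSUE or PREAUTH_FAILED."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec is None or rec["req"] != "AS_REQ":
            continue  # TGS_REQ lines come after a TGT exists; not a preauth signal
        entry = summary.setdefault((rec["client"], rec["ip"]),
                                   {"as_req": 0, "outcome": "preauth_pending"})
        entry["as_req"] += 1
        if rec["status"] == "ISSUE":
            entry["outcome"] = "tgt_issued"
        elif rec["status"] == "PREAUTH_FAILED":
            entry["outcome"] = "preauth_failed"
    return summary

if __name__ == "__main__":
    for (client, ip), e in summarize_as_req(SAMPLE_LOG).items():
        print(f"{client} from {ip}: {e['as_req']} AS_REQ, outcome={e['outcome']}")
```

Run it against a real krb5kdc.log to see which principals end in preauth_failed from the VPN host's address; those are the accounts to pull SSSD debug logs for.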
