Hi Alexander/Team,

Requiring your guidance in solving this problem. I have tried multiple possibilities but couldn't get this right.

I am writing down the entire setup which I have right now. My FreeIPA cluster was earlier on 4.6.8 running on CentOS 7, and OpenVPN server authentication was being done by the plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login along with 2FA successfully. When I migrated this setup to Oracle Linux 8 and updated the IPA version to 4.9.13, the OpenVPN authentication is not working with 2FA when I reset any user's password or on-board any new user. For old users, 2FA is working successfully unless I/they reset their IPA passwords. 2FA is working fine when I log in to the servers; it's just not working with the OpenVPN PAM plugin. I am using the same plugin which was being used earlier, with the same PAM file.

Request you to please assist in this. Please let me know if any other details are needed.

Thanks
Tinku

On Wed, 10 Jul 2024 at 17:24, Alexander Bokovoy <[email protected]> wrote:
> On Wed, 10 Jul 2024, Tinku Goyal via FreeIPA-users wrote:
> >The password is being changed using the IPA server UI for the IPA
> >users. Post password change, users are able to log in to the IPA portal
> >and Linux servers as well, but not able to authenticate with the OpenVPN
> >via the plugin.
> >
> >Also, the same is happening for new users: if I create a new user in
> >IPA and try to log in to the OpenVPN with that user with 2FA enabled, it is
> >not working.
> >
> >During authentication, it is going for pre-authentication, and I found
> >these in the Kerberos logs for a user for both attempts (with 2FA enabled
> >and without). This user's password was reset recently, and post that
> >it started having issues.
> >
> >Without OTP it is working and with OTP it is failing.
>
> Can you provide debug SSSD logs from the openvpn host?
>
> >Without OTP
> >
> >Jul 10 02:34:24 newvpn1 krb5kdc[1446773](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >Jul 10 02:34:25 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >Jul 10 02:34:25 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >Jul 10 02:34:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >Jul 10 02:34:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: ISSUE: authtime 1720559066, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]
> >Jul 10 02:34:27 newvpn1 krb5kdc[1446774](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: ISSUE: authtime 1720559066, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for host/[email protected]
> >
> >
> >With OTP Failure
> >
> >Jul 10 02:33:25 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >Jul 10 02:33:25 newvpn1 krb5kdc[1446773](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >Jul 10 02:33:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >Jul 10 02:33:26 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >Jul 10 02:33:27 newvpn1 krb5kdc[1446774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.18.20.5: PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Preauthentication failed
> >
> >--
> >_______________________________________________
> >FreeIPA-users mailing list -- [email protected]
> >To unsubscribe send an email to [email protected]
> >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> >Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
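The krb5kdc records quoted in the thread only tell you the outcome of each AS_REQ exchange (NEEDED_PREAUTH round trips followed by ISSUE or PREAUTH_FAILED); they do not say which pre-authentication factor the KDC rejected, which is why the client-side SSSD debug logs were requested. The following script is an added example, not code from the thread, FreeIPA or MIT Kerberos: it groups KDC log records into per-user attempts so that password-only and OTP attempts for the same principal can be compared across a whole /var/log/krb5kdc.log rather than by eye. The sample lines are constructed to match the format shown above; the principal alice@EXAMPLE.COM, the realm and the hostnames are hypothetical, and the client IP and pids are taken from the thread.

```python
"""Summarise krb5kdc AS_REQ outcomes per client principal.

Added example (not from the mailing-list thread, FreeIPA or MIT krb5).
Groups NEEDED_PREAUTH / ISSUE / PREAUTH_FAILED records into attempts
keyed by (client ip, principal) so OTP and password-only logins can be
compared. Principal alice@EXAMPLE.COM and the realm are hypothetical.
"""
import re
from collections import defaultdict

# Syslog prefix, "krb5kdc[pid](level): KIND (etypes...) <ip>: <STATUS>: <detail>".
# The etype list contains nested parentheses, so the lazy group is anchored
# on the ") <ip>: " that follows it.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<ip>[0-9.]+): (?P<status>[A-Z_]+): (?P<detail>.*)$"
)
# "<client principal> for <service principal>" appears in every detail.
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<server>[^\s,]+)")


def parse_line(line):
    """Return a dict for one krb5kdc record, or None for any other line."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS.search(rec["detail"])
    if not p:
        return None
    rec.update(p.groupdict())
    return rec


def group_attempts(lines):
    """Group AS_REQ records into attempts keyed by (client ip, principal).

    The KDC answers from several worker processes, so one login's records
    carry different pids (1446773 / 1446774 in the thread); pid is ignored.
    An attempt is closed by the first record whose status is not
    NEEDED_PREAUTH (ISSUE, PREAUTH_FAILED, or any other error code).
    """
    open_attempts = {}
    finished = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] != "AS_REQ":
            continue                      # TGS_REQ and non-KDC lines are noise here
        key = (rec["ip"], rec["client"])
        attempt = open_attempts.setdefault(key, {
            "ip": rec["ip"], "client": rec["client"], "started": rec["ts"],
            "rounds": 0, "outcome": "incomplete", "ended": None})
        if rec["status"] == "NEEDED_PREAUTH":
            attempt["rounds"] += 1        # one pre-authentication round trip
        else:
            attempt["outcome"] = rec["status"]
            attempt["ended"] = rec["ts"]
            finished.append(open_attempts.pop(key))
    return finished + list(open_attempts.values())


def summarise(attempts):
    """Per-principal outcome counts: {client: {outcome: n}}."""
    out = defaultdict(lambda: defaultdict(int))
    for a in attempts:
        out[a["client"]][a["outcome"]] += 1
    return {client: dict(v) for client, v in out.items()}


# Constructed sample log in the format quoted in the thread (hypothetical user).
ETYPES = ("(6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), "
          "aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
          "camellia256-cts-cmac(26), camellia128-cts-cmac(25)})")
NEED = ("NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
        "Additional pre-authentication required")
FAIL = ("PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, "
        "Preauthentication failed")
ISSUED = ("ISSUE: authtime 1720559066, etypes {rep=aes256-cts-hmac-sha1-96(18), "
          "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, "
          "alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM")


def kdc(ts, pid, kind, status):
    """Build one constructed krb5kdc line."""
    return f"Jul 10 {ts} newvpn1 krb5kdc[{pid}](info): {kind} {ETYPES} 10.18.20.5: {status}"


SAMPLE_LOG = [
    # OTP attempt: four pre-auth round trips, then rejected by the KDC.
    kdc("02:33:25", 1446774, "AS_REQ", NEED),
    kdc("02:33:25", 1446773, "AS_REQ", NEED),
    kdc("02:33:26", 1446774, "AS_REQ", NEED),
    kdc("02:33:26", 1446774, "AS_REQ", NEED),
    kdc("02:33:27", 1446774, "AS_REQ", FAIL),
    # Password-only attempt: same number of round trips, then a TGT is issued.
    kdc("02:34:24", 1446773, "AS_REQ", NEED),
    kdc("02:34:25", 1446774, "AS_REQ", NEED),
    kdc("02:34:25", 1446774, "AS_REQ", NEED),
    kdc("02:34:26", 1446774, "AS_REQ", NEED),
    kdc("02:34:26", 1446774, "AS_REQ", ISSUED),
    kdc("02:34:27", 1446774, "TGS_REQ",
        ISSUED.replace("krbtgt/EXAMPLE.COM", "host/newvpn1.example.com")),
    "Jul 10 02:34:28 newvpn1 sshd[4242]: Accepted publickey for bob",  # not a KDC line
]

if __name__ == "__main__":
    for a in group_attempts(SAMPLE_LOG):
        print(f"{a['client']} from {a['ip']}: {a['rounds']} pre-auth rounds, "
              f"{a['outcome']} ({a['started']} .. {a['ended']})")
    print(summarise(SAMPLE_LOG and group_attempts(SAMPLE_LOG)))
```

Run it against the real file with `group_attempts(open("/var/log/krb5kdc.log"))` on the IPA server. Two caveats: attempts are keyed on client IP and principal, so several users behind the same NAT address are still separated, but two concurrent attempts by the same user from the same address would be merged; and the record layout is the one shown in this thread, so a differently configured `krb5kdc` log format needs the regex adjusted.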
