I got some extra log output; it seems that FAST IS being used. I am running
SSSD 1.11.6, which is supposed to have the above-mentioned issues fixed:

Log:
=================
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[find_principal_in_keytab] (0x4000): Trying to find principal host/
ipaclient.my.domain....@my.domain.com in keytab.
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [match_principal]
(0x1000): Principal matched to the sample (host/
ipaclient.my.domain....@my.domain.com).
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361296: Retrieving
host/ipaclient.my.domain....@my.domain.com -> krbtgt/
my.domain....@my.domain.com from FILE:/var/lib/sss/db/
fast_ccache_MY.DOMAIN.COM with result: 0/Success
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [check_fast_ccache]
(0x0200): FAST TGT is still valid.
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [main] (0x0400): Will
perform online auth
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [tgt_req_child]
(0x1000): Attempting to get a TGT
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [get_and_save_tgt]
(0x0400): Attempting kinit for realm [MY.DOMAIN.COM]
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361440: Getting
initial credentials for mich...@my.domain.com
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361508: FAST armor
ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361575: Retrieving
host/ipaclient.my.domain....@my.domain.com ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM
\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/
fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not
found
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361648: Sending
request (188 bytes) to MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361842: Sending
initial UDP request to dgram 1.1.1.2:88
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365901: Received
answer from dgram 1.1.1.2:88
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365981: Response was
from master KDC
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366020: Received
error from KDC: -1765328359/Additional pre-authentication required
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366051: Upgrading to
FAST due to presence of PA_FX_FAST in reply
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366075: Restarting to
upgrade to FAST
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366102: FAST armor
ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366161: Retrieving
host/ipaclient.my.domain....@my.domain.com ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM
\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/
fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not
found
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366191: Upgrading to
FAST due to presence of PA_FX_FAST in reply
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366215: FAST armor
ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366267: Retrieving
host/ipaclient.my.domain....@my.domain.com ->
krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM
\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/
fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not
found
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366322: Getting
credentials host/ipaclient.my.domain....@my.domain.com -> krbtgt/
my.domain....@my.domain.com using ccache FILE:/var/lib/sss/db/
fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366380: Retrieving
host/ipaclient.my.domain....@my.domain.com -> krbtgt/
my.domain....@my.domain.com from FILE:/var/lib/sss/db/
fast_ccache_MY.DOMAIN.COM with result: 0/Success
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366425: Armor ccache
sesion key: aes256-cts/9082
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366476: Creating
authenticator for host/ipaclient.my.domain....@my.domain.com -> krbtgt/
my.domain....@my.domain.com, seqnum 0, subkey aes256-cts/F5B0, session key
aes256-cts/9082
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366562: FAST armor
key: aes256-cts/0D88
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366605: Encoding
request body and padata into FAST request
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366675: Sending
request (1089 bytes) to MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366752: Sending
initial UDP request to dgram 1.1.1.2:88
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370122: Received
answer from dgram 1.1.1.2:88
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370193: Response was
from master KDC
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370232: Received
error from KDC: -1765328359/Additional pre-authentication required
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370262: Decoding FAST
response
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370333: Processing
preauth types: 136, 141, 133, 137
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370364: Received
cookie: MIT
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370404: Produced
preauth for next request: 133
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [get_and_save_tgt]
(0x0020): 981: [-1765328174][Generic preauthentication failure]
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [map_krb5_error]
(0x0020): 1043: [-1765328174][Generic preauthentication failure]

=================

On Sat, Nov 22, 2014 at 1:14 PM, Michael Lasevich <mlasev...@lasevich.net>
wrote:

> Reviving this as I am still stuck with CentOS 6.
>
> CentOS 6.6 now has sssd 1.11 - yet I still cannot get the OTP to work
> under PAM:
>
> I created a test user and added an OTP. User works fine without the OTP,
> however I keep getting this when trying to test with OTP via pamtester:
>
> pamtester: pam_sss(login:auth): authentication failure; logname= uid=0
> euid=0 tty= ruser= rhost= user=michael
> pamtester: pam_sss(login:auth): received for user michael: 17 (Failure
> setting user credentials)
>
> Is there a way to get more information as to what is going on?
>
> Is my expectation that I would provide otp in a form of "password123456"
> correct (assuming my password is "password" and otp token is "123456")?
>
>
>
> On Fri, Aug 15, 2014 at 2:29 AM, Michael Lasevich <mlasev...@lasevich.net>
> wrote:
>
>> Thanks, glad I asked before wasting time.
>>
>>
>> On Fri, Aug 15, 2014 at 1:07 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>
>>> On Thu, Aug 14, 2014 at 01:19:58PM -0700, Michael Lasevich wrote:
>>> > I did not dive into this yet, but before I waste too much time I wanted to
>>> > ask if the CentOS 6.5 default IPA client is expected to work with 2FA or not.
>>>
>>> No it's not, sorry. The 6.5 client is SSSD 1.9.x and there's a couple of
>>> fixes that landed during the 1.11 development such as:
>>>     https://fedorahosted.org/sssd/ticket/2186
>>> or:
>>>     https://fedorahosted.org/sssd/ticket/2271
>>> plus some other commits I see in git log which don't reference any
>>> ticket.
>>>
>>> I'd suggest to test using a centos 7.0 client.
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go To http://freeipa.org for more info on the project
>>>
>>
>>
>
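A triage helper for krb5_child traces like the one in this message, added here as an example; it is not part of the original thread and is not SSSD or MIT krb5 code. It rejoins mail-wrapped records, lists the pre-authentication types the KDC offered and the ones the client put in its next request, and flags the pattern seen above (141 offered, only 133 produced). The type numbers are taken from RFC 6113 and RFC 6560; the sample records are constructed to match the shape of the log in the post.

```python
import re

# Kerberos pre-authentication type numbers from RFC 6113 (FAST) and RFC 6560 (OTP).
PA_NAMES = {133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 137: "PA-FX-ERROR",
            141: "PA-OTP-CHALLENGE", 142: "PA-OTP-REQUEST"}
REC_START = re.compile(r"\(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}\) \[\[sssd\[")
P = "(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]]"
# Constructed sample: records shaped like the trace in the post, hard-wrapped as mail does.
SAMPLE = f"""{P}
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366605: Encoding
request body and padata into FAST request
{P}
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370232: Received
error from KDC: -1765328359/Additional pre-authentication required
{P}
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370333: Processing
preauth types: 136, 141, 133, 137
{P}
[sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.370404: Produced
preauth for next request: 133
{P} [get_and_save_tgt]
(0x0020): 981: [-1765328174][Generic preauthentication failure]
"""

def unwrap(text):
    """Rejoin hard-wrapped lines into one string per log record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if REC_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def nums(pattern, rec):
    m = re.search(pattern, rec)
    return [int(n) for n in re.findall(r"\d+", m.group(1))] if m else []

def summarize(text):
    s = {"fast": False, "offered": [], "produced": [], "errors": []}
    for rec in unwrap(text):
        s["fast"] |= "into FAST request" in rec
        s["offered"] = nums(r"Processing preauth types: ([\d, ]+)", rec) or s["offered"]
        s["produced"] = nums(r"Produced preauth for next request: ([\d, ]+)", rec) or s["produced"]
        s["errors"] += re.findall(r"(-\d{6,})[/\]]", rec)
    # Heuristic: OTP challenge (141) offered, but no PA-OTP-REQUEST (142) in the reply.
    s["otp_unanswered"] = 141 in s["offered"] and 142 not in s["produced"]
    s["offered_names"] = [PA_NAMES.get(n, str(n)) for n in s["offered"]]
    return s
```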