On Sun, 10 May 2015, Janelle wrote:
On 5/5/15 6:47 AM, Dmitri Pal wrote:
On 05/04/2015 09:38 PM, Janelle wrote:
If the user is enabled for OTP, his credentials are sent differently
than in the case when it is not enabled. Effectively, instead of
using an encrypted timestamp, the password and OTP are sent to the
server as data. But they can't be sent in the clear. You need to encrypt
the data. To encrypt it you need another key - the host key. The
encryption of the data in this context is called tunneling. FAST is
the Kerberos protocol feature that provides tunneling of the data sent
over the wire. To use FAST one needs to use -T on the kinit command.
On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
Ok, this did give me an idea (Thanks Nathaniel) -- the account
was set for BOTH "password" and OTP.
Apparently setting both does nothing. Yes, a user can log in with
their password only, but trying to use kinit does not work.
On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
Happy Star Wars Day!
May the Fourth be with you!
So I have a strange Kerberos problem I'm trying to figure out. On a
CLIENT (CentOS 7.1), if I log in to account "usera" they get a
expected. However, if I log in to a 6.6 client, it doesn't seem to
Both were enrolled the same, obviously one is newer.
Now, it gets stranger. The "servers" are CentOS 7.1 also. If I log in as
root, bypassing Kerberos, and then do "kinit admin" it works just
But if I do "kinit usera" I get:
kinit: Generic preauthentication failure while getting initial
Which makes no sense. The account works with a 7.1 client but not a
client?? And yet "admin" works, no matter what. What am I missing
If I had to guess, usera is enabled for OTP-only login. Is that
If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).
I am not sure I understand where the FAST support or the -T option
is to be applied. On kinit? That does not seem correct. Perhaps I
am misunderstanding this option?
Does this help?
It helps -- thank you.
Now allow me to add a little more fun, and there may not be a
principal" and it works, gives me a ticket, and if I attempt to login
to the web interface, since I already have my ticket - boom, works
From OS X (Yosemite) I am able to "kinit --kdc-hostname=IPA-server
Now, I enable 2FA and set up a token and change my account to OTP (with
TOTP). But as previously discussed, I can't seem to specify a -T option
from OS X.
I know this sounds tricky -- Any ideas?
kinit --fast-armor-cache /path/to/ccache
to specify an already existing ccache to armor the FAST processing.
This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
You can check the version number by running 'kinit --version'.
/ Alexander Bokovoy
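Putting Dmitri's FAST explanation and Alexander's Heimdal note together, here is an added shell example (not from the thread or the FreeIPA project) that picks the armor option matching the local kinit (MIT spells it -T, Heimdal --fast-armor-cache), refuses Heimdal older than 1.6, and obtains an armor TGT from the host keytab when no ccache is supplied. It assumes Heimdal's `kinit --version` output contains the word "Heimdal" and that MIT kinit rejects --version, so anything else is treated as MIT.

```shell
#!/bin/sh
# Added example: FAST-armored kinit for an OTP-enabled FreeIPA user.
# Assumption: Heimdal's `kinit --version` prints "Heimdal"; MIT kinit
# does not accept --version, so any other output is treated as MIT.

# kinit_flavor VERSION_OUTPUT -> "heimdal" or "mit"
kinit_flavor() {
    case "$1" in
        *Heimdal*) echo heimdal ;;
        *)         echo mit ;;
    esac
}

# heimdal_fast_ok VERSION_OUTPUT -> 0 when Heimdal is 1.6 or newer
# (1.6rc2 is the minimum named in the thread), 1 otherwise.
heimdal_fast_ok() {
    ver=$(printf '%s' "$1" | sed -n 's/.*Heimdal \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -ge 6 ]; }
}

# fast_kinit_cmd FLAVOR ARMOR_CCACHE PRINCIPAL -> the kinit command line
fast_kinit_cmd() {
    case "$1" in
        heimdal) echo "kinit --fast-armor-cache=$2 $3" ;;
        *)       echo "kinit -T $2 $3" ;;
    esac
}

# fast_kinit PRINCIPAL [ARMOR_CCACHE]: without an armor ccache, take a
# host TGT from /etc/krb5.keytab (present on an enrolled FreeIPA client).
fast_kinit() {
    princ=$1; armor=${2:-/tmp/armor_ccache}
    ver=$(kinit --version 2>&1 || true)
    flavor=$(kinit_flavor "$ver")
    if [ "$flavor" = heimdal ] && ! heimdal_fast_ok "$ver"; then
        echo "Heimdal older than 1.6: no --fast-armor-cache support" >&2; return 1
    fi
    if [ -z "$2" ]; then
        host="host/$(hostname -f)"
        if [ "$flavor" = heimdal ]; then
            kinit --keytab=/etc/krb5.keytab --cache="$armor" "$host"
        else
            kinit -k -t /etc/krb5.keytab -c "$armor" "$host"
        fi
    fi
    # The OTP user's password+token exchange is now tunneled inside the armor TGT.
    set -- $(fast_kinit_cmd "$flavor" "$armor" "$princ")
    "$@"
}
if [ "${1:-}" = "--run" ]; then fast_kinit "$2" "${3:-}"; fi
```

Run as `sh fast_kinit.sh --run usera` on an enrolled client, or pass an existing ccache as the third argument on a machine without a host keytab.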
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project