On Mon, 18 May 2015, Janelle wrote:
On 5/10/15 11:57 PM, Alexander Bokovoy wrote:
On Sun, 10 May 2015, Janelle wrote:
On 5/5/15 6:47 AM, Dmitri Pal wrote:
On 05/04/2015 09:38 PM, Janelle wrote:
On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
Happy Star Wars Day!
May the Fourth be with you!
So I have a strange Kerberos problem I'm trying to figure out. On a
CLIENT, (CentOS 7.1) if I login to account "usera" they get a
ticket as
expected. However, if I login to a 6.6 client, it doesn't seem to
work.
Both were enrolled the same, obviously one is newer.
Now, it gets stranger. The "servers" are CentOS 7.1 also. If I login
as
root, bypassing kerberos, and then do "kinit admin" it works just
fine.
But if I do "kinit usera" I get:
kinit: Generic preauthentication failure while getting initial
credentials
Which makes no sense. The account works with a 7.1 client but not a
6.x
client?? And yet "admin" works, no matter what. What am I missing
here?
If I had to guess, usera is enabled for OTP-only login. Is that
correct?
If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).
Nathaniel
Ok, this did give me an idea (Thanks Nathaniel) -- the
account was set for BOTH "password" and OTP.
Apparently setting both does nothing. Yes a user can login
with their password-only, but trying to use kinit does not
work.
I am not sure I understand where the FAST support or the -T
option is to be applied. On kinit? That does not seem correct.
Perhaps I am misunderstanding this option?
~J
If the user is enabled for OTP his credentials are sent
differently than in the case when it is not enabled. Effectively
instead of using encrypted timestamp the password and OTP are
sent to the server as data. But they can't be sent in clear. You
need to encrypt the data. To encrypt it you need another key -
the host key. The encryption of the data in this context is
called tunneling. FAST is the Kerberos protocol feature to
provide tunneling of the data sent over the wire. To use FAST
one needs to use -T on the kinit command line.
Does this help?
It helps -- thank you.
Now allow me to add a little more fun, and there may not be a solution.
From OS X (Yosemite) I am able to "kinit --kdc-hostname=IPA-server
principal" and it works, gives me a ticket, and if I attempt to
login to the web interface, since I already have my ticket - boom,
works fine.
Now, I enable 2FA and setup a token and change my account to OTP
(with TOTP). But as previously discussed, can't seem to specify a
-T option from OS X.
I know this sounds tricky -- Any ideas?
Use kinit --fast-armor-cache /path/to/ccache to specify an already
existing ccache to armor the FAST processing.
This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
You can check version number by running 'kinit --version'.
Aha, so the default on OS X Yosemite is
$ kinit --version
kinit (Heimdal 1.5.1apple1)
so this won't work?
Yes, you have to have the feature in your Kerberos library.
--
/ Alexander Bokovoy
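The two-step procedure the thread arrives at (obtain an armor ticket for the host, then run kinit against it with -T on MIT or --fast-armor-cache on Heimdal), written up as an added shell helper that is not part of the original thread. It assumes an IPA-enrolled host whose /etc/krb5.keytab holds host/<fqdn> and is readable by the caller; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added helper (not from the thread). Assumes an IPA-enrolled host with a
# readable /etc/krb5.keytab containing host/$(hostname -f)@REALM.

# Classify the local kinit from its "kinit --version" banner.
# Heimdal needs 1.6 (the thread says 1.6rc2 at least) for --fast-armor-cache;
# anything that does not identify as Heimdal is treated as MIT, which uses -T.
# Prints one of: heimdal-ok, heimdal-old, mit
classify_kinit() {
    banner="$1"
    case "$banner" in
        *Heimdal*)
            ver=$(printf '%s\n' "$banner" | sed -n 's/.*Heimdal \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
            major=${ver%% *}; minor=${ver##* }
            if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 6 ]; }; then
                echo heimdal-ok
            else
                echo heimdal-old
            fi ;;
        *) echo mit ;;
    esac
}

# Build the kinit command that armors the OTP exchange with an existing
# ccache (the "armor cache"); returns 1 when the local kinit cannot do FAST.
fast_kinit_cmd() {
    flavour="$1"; armor="$2"; principal="$3"
    case "$flavour" in
        heimdal-ok) echo "kinit --fast-armor-cache $armor $principal" ;;
        mit)        echo "kinit -T $armor $principal" ;;
        *)          return 1 ;;
    esac
}

# Step 1: put a host ticket from the keytab into a separate ccache (MIT
# syntax; must run as root to read the keytab). Step 2: kinit with FAST.
fast_kinit() {
    principal="$1"; armor="${2:-/tmp/armor.ccache}"
    flavour=$(classify_kinit "$(kinit --version 2>&1)")
    cmd=$(fast_kinit_cmd "$flavour" "$armor" "$principal") || {
        echo "local kinit lacks FAST support ($flavour)" >&2; return 1; }
    kinit -k -t /etc/krb5.keytab -c "$armor" "host/$(hostname -f)" || return 1
    $cmd   # prompts for password and OTP; the armor key protects both
}
```

Usage: `fast_kinit usera` on an OTP-enabled account; the Heimdal 1.5.1 banner from the thread is reported as heimdal-old and no kinit is attempted.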
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project