On Wed, Jun 22, 2016 at 11:54:10AM -0400, Geordie Grindle wrote:
> On our current IPA realm where we have not used 2-factor, we’ve been able to
> kinit to our FreeIPA realm from our laptops. All a Mac user needed to do,
> for example was to configure a 'krb5.conf' file and then 'kinit
> us...@our.ipa.realm.com'. This would allow
> us to work on our infrastructure without having to re-authenticate for the
> lifetime of our ticket-granting-ticket, usually the length of a work day.
> We are building a new realm using 'ipa-server-4.2.0-15' and will be requiring
> 2-factor for authentication. So far it works well, meaning we can ssh to a
> jump host enrolled in our realm and from there move to other hosts in the
> realm without having to re-authenticate.
> However, we can no longer 'kinit'. I've dug around in the webs and have
> concluded that either this is a known issue that is not yet fixed, or perhaps
> someone has fixed it but not yet shared how they got this to work.
This is expected behaviour. See
http://www.freeipa.org/page/V4/OTP for details especially
Unfortunately, in general you do not have a second ccache which can be
used to get the needed armor ticket for FAST.
There is ongoing work on SPAKE and also on anonymous pkinit on the IPA
side to lift the requirement, but currently FAST and a second ccache are
needed for OTP.
> How is this impacting anyone else? Does anyone have any helpful information
> they can share?
> Geordie Grindle
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
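The reply above says what is missing on the laptop: a second credential cache holding an armor ticket so that kinit can run the OTP pre-authentication inside a FAST tunnel. The script below is an added example, not code from the thread or from the FreeIPA project, showing the two-step procedure on a host that does have such a cache source. It assumes MIT krb5 client tools, an IPA-enrolled host whose /etc/krb5.keytab contains a host/<fqdn> principal, and a placeholder realm name; the cache path under /tmp is a choice made here, not an IPA convention.

```shell
#!/bin/sh
# Added example (not from the thread): FAST-armored kinit for an OTP user.
# Assumptions: MIT krb5 kinit/klist, an IPA-enrolled host with host/<fqdn>
# in /etc/krb5.keytab, and OUR.IPA.REALM.COM as a placeholder realm.

armor_cc_path() {
    # One armor cache per uid so users on a shared jump host don't clobber
    # each other's cache. Path chosen for this example only.
    printf 'FILE:/tmp/krb5cc_armor_%s' "$(id -u)"
}

armor_is_valid() {
    # klist -s exits 0 only when the named cache holds an unexpired TGT.
    klist -s "$1" 2>/dev/null
}

fast_kinit() {
    # $1 = user principal (e.g. user@OUR.IPA.REALM.COM)
    # $2 = this host's FQDN (default: hostname -f)
    # $3 = keytab path (default: /etc/krb5.keytab)
    user="$1"
    host="${2:-$(hostname -f)}"
    keytab="${3:-/etc/krb5.keytab}"
    armor="$(armor_cc_path)"

    # Step 1: the "second ccache" from the reply. The host keytab yields an
    # armor TGT with no password and no OTP. Reuse it while it is still valid.
    if ! armor_is_valid "$armor"; then
        kinit -k -t "$keytab" -c "$armor" "host/$host" || return 1
    fi

    # Step 2: the user's own kinit, armored with that cache via -T. The KDC
    # now accepts the OTP pre-auth inside the FAST tunnel; the prompt takes
    # password + token value.
    kinit -T "$armor" "$user"
}

# Usage: ./fast-kinit.sh user@OUR.IPA.REALM.COM
# Only runs when invoked with a principal on a host that actually has kinit.
if [ $# -ge 1 ] && command -v kinit >/dev/null 2>&1; then
    fast_kinit "$@" && klist
fi
```

This is the same mechanism the enrolled jump host already uses: SSSD obtains an armor ticket from the host keytab before it forwards a login's password and OTP to the KDC, which is why ssh to the jump host works while a plain kinit from an unenrolled Mac does not. Anything without a host keytab (or, once the IPA side supports it, an anonymous pkinit credential) has no armor to offer, which is exactly the gap the reply describes.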