On Wed, Jun 22, 2016 at 11:54:10AM -0400, Geordie Grindle wrote:
> 
> Hello,
> 
> On our current IPA realm where we have not used 2-factor, we've been able to 
> kinit to our FreeIPA realm from our laptops.  All a Mac user needed to do, 
> for example, was to configure a 'krb5.conf' file and then 'kinit 
> us...@our.ipa.realm.com'. This would allow 
> us to work on our infrastructure without having to re-authenticate for the 
> lifetime of our ticket-granting-ticket, usually the length of a work day.
> 
> We are building a new realm using 'ipa-server-4.2.0-15' and will be requiring 
> 2-factor for authentication. So far it works well, meaning we can ssh to a 
> jump host enrolled in our realm and from there move to other hosts in the 
> realm without having to re-authenticate.
> 
> However, we can no longer ‘kinit’. I’ve dug around in the webs and have 
> concluded that either this is a known issue that is not yet fixed, or perhaps 
> someone has fixed it but not yet shared how they got this to work.

This is expected behaviour. See
http://www.freeipa.org/page/V4/OTP for details especially
http://www.freeipa.org/page/V4/OTP#kinit_Method.

Unfortunately, in general you do not have a second ccache which can be
used to get the needed armor ticket for FAST.

There is ongoing work on SPAKE
http://k5wiki.kerberos.org/wiki/Projects/SPAKE_preauth_prereqs and
also anonymous pkinit on the IPA side to lift the requirement but
currently FAST and a second ccache are needed for OTP.

HTH

bye,
Sumit

> 
> How is this impacting anyone else? Does anyone have any helpful information 
> they can share?
> 
> thanks,
> Geordie Grindle
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project