Tommy Nikjoo <> writes:

> I'm having some issues with 2FA PAM config's on Ubuntu clients. 
> Currently, I'm guessing that the PAM module doesn't know how to talk to
> the 2FA protocol.  Is anyone able to give an in site into how to get
> this working correctly?

I'm not finished with my quest, but I think I got at least some hints.
Right now I'm not trying with pam/sss, but with kinit alone. I do have
two IPA servers and in the default configuration I see:

$ KRB5_TRACE=/dev/stderr kinit -T KEYRING:persistent:1004:krb_ccache_UhNqkJ3 
[15136] 1488197822.55857: Resolving hostname
[15136] 1488197822.57587: Sending initial UDP request to dgram
[15136] 1488197822.60106: Received answer (546 bytes) from dgram
[15136] 1488197822.60994: Response was from master KDC
[15136] 1488197822.61069: Received error from KDC: -1765328359/zusätzlich 
Vorauthentifizierung erforderlich
[15136] 1488197822.61093: Decoding FAST response
[15136] 1488197822.61282: Processing preauth types: 136, 141, 133, 137
[15136] 1488197822.61298: Received cookie: MIT
Enter your OTP password: 
[15136] 1488197829.991232: Preauth module otp (141) (real) returned: 0/Success
[15136] 1488197829.991271: Produced preauth for next request: 133, 142
[15136] 1488197829.991289: Encoding request body and padata into FAST request
[15136] 1488197829.991518: Sending request (1221 bytes) to EXAMPLE.ORG
[15136] 1488197829.993141: Resolving hostname
[15136] 1488197829.993873: Sending initial UDP request to dgram
[15136] 1488197830.994965: Resolving hostname
[15136] 1488197830.995866: Sending initial UDP request to dgram
[15136] 1488197831.128141: Received answer (546 bytes) from dgram
[15136] 1488197831.129630: Response was from master KDC
[15136] 1488197831.129731: Received error from KDC: 
-1765328360/Vorauthentifizierung fehlgeschlagen
[15136] 1488197831.129764: Decoding FAST response
[15136] 1488197831.129953: Preauth tryagain input types: 136, 141, 133, 137
kinit: Vorauthentifizierung fehlgeschlagen bei Anfängliche Anmeldedaten werden 

We ask the first ipa server for preauth, after I've entered the
password+OTP we ask the first server with UDP, but don't get an answer
within one second. So we ask the other server. Shortly after we get the
answer from the first server.

If I use only one KDC in krb5.conf:
  dns_lookup_kdc = false
    kdc =

we only ask that server and get the correct answer.

So I see two questions for now:
- Why do we ask both servers with such a short timeout?
- Why do we use UDP when using dns_lookup_kdc, even if I have 
"udp_preference_limit = 1" set?

My FreeIPA servers ask themselves, so they don't use DNS. I'll try to check a 
normal client.
Hm, one CentOS client has krb5-workstation-1.14.1-27.el7_3.x86_64 and works 
My Debian host I analyzed here has krb5-user 1.15-1.


The only problem with troubleshooting is that the trouble shoots back.

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to