Tommy Nikjoo <tommy.nik...@armourcomms.com> writes:
> I'm having some issues with 2FA PAM configs on Ubuntu clients.
> Currently, I'm guessing that the PAM module doesn't know how to talk to
> the 2FA protocol. Is anyone able to give an insight into how to get
> this working correctly?
I'm not finished with my quest, but I think I got at least some hints.
Right now I'm not trying with pam/sss, but with kinit alone. I do have
two IPA servers and in the default configuration I see:
$ KRB5_TRACE=/dev/stderr kinit -T KEYRING:persistent:1004:krb_ccache_UhNqkJ3
 1488197822.55857: Resolving hostname freeipa1.example.org.
 1488197822.57587: Sending initial UDP request to dgram 192.168.30.121:88
 1488197822.60106: Received answer (546 bytes) from dgram
 1488197822.60994: Response was from master KDC
 1488197822.61069: Received error from KDC: -1765328359/zusätzlich
 1488197822.61093: Decoding FAST response
 1488197822.61282: Processing preauth types: 136, 141, 133, 137
 1488197822.61298: Received cookie: MIT
Enter your OTP password:
 1488197829.991232: Preauth module otp (141) (real) returned: 0/Success
 1488197829.991271: Produced preauth for next request: 133, 142
 1488197829.991289: Encoding request body and padata into FAST request
 1488197829.991518: Sending request (1221 bytes) to EXAMPLE.ORG
 1488197829.993141: Resolving hostname freeipa1.example.org.
 1488197829.993873: Sending initial UDP request to dgram
 1488197830.994965: Resolving hostname freeipa2.example.org.
 1488197830.995866: Sending initial UDP request to dgram
 1488197831.128141: Received answer (546 bytes) from dgram
 1488197831.129630: Response was from master KDC
 1488197831.129731: Received error from KDC:
 1488197831.129764: Decoding FAST response
 1488197831.129953: Preauth tryagain input types: 136, 141, 133, 137
kinit: Vorauthentifizierung fehlgeschlagen bei Anfängliche Anmeldedaten werden
We ask the first ipa server for preauth, after I've entered the
password+OTP we ask the first server with UDP, but don't get an answer
within one second. So we ask the other server. Shortly after we get the
answer from the first server.
If I use only one KDC in krb5.conf:
dns_lookup_kdc = false
kdc = freeipa1.example.org
we only ask that server and get the correct answer.
So I see two questions for now:
- Why do we ask both servers with such a short timeout?
- Why do we use UDP when using dns_lookup_kdc, even if I have
"udp_preference_limit = 1" set?
My FreeIPA servers ask themselves, so they don't use DNS. I'll try to check a
Hm, one CentOS client has krb5-workstation-1.14.1-27.el7_3.x86_64 and works
My Debian host I analyzed here has krb5-user 1.15-1.
The only problem with troubleshooting is that the trouble shoots back.
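As an added diagnostic, not code from this thread: a small parser for KRB5_TRACE output of the shape shown above that reports, per request, which KDCs were tried, which one answered, and whether the client had already failed over to a second KDC before the first one answered (the OTP round trip described here). The trace below is constructed; the second server's address 192.168.30.122 and the 291-byte first request are assumed.

```python
import re

# Constructed sample in the shape KRB5_TRACE prints. The first exchange is answered
# quickly; the second (the OTP round trip) is retried against a second KDC before the
# first one answers. 192.168.30.122 and the 291-byte request size are assumed values.
SAMPLE_TRACE = """\
 1488197822.55000: Sending request (291 bytes) to EXAMPLE.ORG
 1488197822.57587: Sending initial UDP request to dgram 192.168.30.121:88
 1488197822.60106: Received answer (546 bytes) from dgram 192.168.30.121:88
 1488197829.991518: Sending request (1221 bytes) to EXAMPLE.ORG
 1488197829.993873: Sending initial UDP request to dgram 192.168.30.121:88
 1488197830.995866: Sending initial UDP request to dgram 192.168.30.122:88
 1488197831.128141: Received answer (546 bytes) from dgram 192.168.30.121:88
"""

LINE_RE = re.compile(r"^\s*(?P<ts>\d+\.\d+): (?P<msg>.*)$")
SEND_RE = re.compile(r"Sending initial (?P<proto>UDP|TCP) request to (?:dgram|stream) (?P<kdc>\S+)")
RECV_RE = re.compile(r"Received answer \(\d+ bytes\) from (?:dgram|stream) (?P<kdc>\S+)")

def analyze_trace(trace: str) -> list:
    """Split a trace into request exchanges and report, for each, the KDCs tried in
    order, which one answered, seconds from the first send to that answer, whether
    UDP was used, and whether the client had already failed over when it arrived."""
    exchanges, current = [], None
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        if msg.startswith("Sending request"):      # libkrb5 starts a new exchange
            current = {"kdcs": [], "sent_at": None, "answered_by": None,
                       "latency": None, "udp": False, "failed_over": False}
            exchanges.append(current)
        elif current is None:                      # lines outside any exchange
            continue
        elif (s := SEND_RE.search(msg)):
            current["kdcs"].append(s.group("kdc"))
            current["sent_at"] = current["sent_at"] or ts
            current["udp"] = current["udp"] or s.group("proto") == "UDP"
        elif current["kdcs"] and (r := RECV_RE.search(msg)):
            kdc = r.group("kdc")
            current["answered_by"] = kdc
            current["latency"] = round(ts - current["sent_at"], 3)
            # An answer from an earlier KDC after a later one was tried means the same
            # (OTP-bearing) request had already been duplicated to the later KDC.
            current["failed_over"] = current["kdcs"].index(kdc) < len(current["kdcs"]) - 1
            current = None
    return exchanges
```

Run it against a real `KRB5_TRACE=/dev/stderr kinit` capture to see whether the OTP exchange is the one being retried to a second KDC and how long the first KDC actually took to answer.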