[Freeipa-users] Install radius but fail to start in centos7
yum install freeradius freeradius-utils freeradius-ldap freeradius-krb5 succeeded, but it cannot start, with the following error. Any idea?

Unregistered Authentication Agent for unix-process:12922:607417 (system bus name :1.53, object path /org/freedesktop/PolicyKit1/Au

ref doc: https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

thx

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: kinit -n asking for password on clients
On Sun, 11 Feb 2018, John Ratliff via FreeIPA-users wrote:
> When trying to do pkinit, if I do kinit -n on one of the IdM servers, it
> works fine. If I try on a client machine, it asks me for the password for
> WELLKNOWN/ANONYMOUS@REALM. I have the pkinit_anchors set up for the realm.
> As I'm trying to do anonymous pkinit, I think I don't need a client
> certificate.
>
> On the server, I get this:
>
> $ KRB5_TRACE="/dev/stderr" kinit -n
> [13061] 1518402857.924212: Getting initial credentials for WELLKNOWN/anonym...@idm.example.com
> [13061] 1518402857.929673: Sending request (200 bytes) to IDM.EXAMPLE.COM
> [13061] 1518402857.931830: Initiating TCP connection to stream 10.77.9.101:88
> [13061] 1518402857.932241: Sending TCP request to stream 10.77.9.101:88
> [13061] 1518402857.939162: Received answer (359 bytes) from stream 10.77.9.101:88
> [13061] 1518402857.939180: Terminating TCP connection to stream 10.77.9.101:88
> [13061] 1518402857.939284: Response was from master KDC
> [13061] 1518402857.939380: Received error from KDC: -1765328359/Additional pre-authentication required
> [13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
> [13061] 1518402857.939499: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
> [13061] 1518402857.939509: Received cookie: MIT
> [13061] 1518402857.939563: Preauth module pkinit (147) (info) returned: 0/Success
> [13061] 1518402857.940352: PKINIT client computed kdc-req-body checksum 9/D98A0144E7E4ACC66B63EBCA98379AB9F055D143
> [13061] 1518402857.940369: PKINIT client making DH request
> [13061] 1518402858.935: Preauth module pkinit (16) (real) returned: 0/Success
> [13061] 1518402858.956: Produced preauth for next request: 133, 16
> [13061] 1518402858.994: Sending request (1408 bytes) to IDM.EXAMPLE.COM
> [13061] 1518402858.1091: Initiating TCP connection to stream 10.77.9.101:88
> [13061] 1518402858.1187: Sending TCP request to stream 10.77.9.101:88
> [13061] 1518402858.43063: Received answer (2880 bytes) from stream 10.77.9.101:88
> [13061] 1518402858.43088: Terminating TCP connection to stream 10.77.9.101:88
> [13061] 1518402858.43198: Response was from master KDC
> [13061] 1518402858.43258: Processing preauth types: 17, 19, 147
> [13061] 1518402858.43273: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
> [13061] 1518402858.43300: Preauth module pkinit (147) (info) returned: 0/Success
> [13061] 1518402858.44150: PKINIT client verified DH reply
> [13061] 1518402858.44189: PKINIT client found id-pkinit-san in KDC cert: krbtgt/idm.example@idm.example.com
> [13061] 1518402858.44199: PKINIT client matched KDC principal krbtgt/idm.example@idm.example.com against id-pkinit-san; no EKU check required
> [13061] 1518402858.62345: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/00E0
> [13061] 1518402858.62395: Preauth module pkinit (17) (real) returned: 0/Success
> [13061] 1518402858.62402: Produced preauth for next request: (empty)
> [13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0
> [13061] 1518402858.62547: Decrypted AS reply; session key is: aes256-cts/96F0
> [13061] 1518402858.62589: FAST negotiation: available
> [13061] 1518402858.62692: Initializing KEYRING:persistent:76047:krb_ccache_f3PFEy1 with default princ WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
> [13061] 1518402858.62770: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/idm.example@idm.example.com in KEYRING:persistent:76047:krb_ccache_f3PFEy1
> [13061] 1518402858.62846: Storing config in KEYRING:persistent:76047:krb_ccache_f3PFEy1 for krbtgt/idm.example@idm.example.com: fast_avail: yes
> [13061] 1518402858.62878: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: in KEYRING:persistent:76047:krb_ccache_f3PFEy1
> [13061] 1518402858.62933: Storing config in KEYRING:persistent:76047:krb_ccache_f3PFEy1 for krbtgt/idm.example@idm.example.com: pa_type: 16
> [13061] 1518402858.62954: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/pa_type/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: in KEYRING:persistent:76047:krb_ccache_f3PFEy1
>
> But on the client, I get this:
>
> $ KRB5_TRACE="/dev/stderr" kinit -n
> [2941] 1518402820.155827: Getting initial credentials for WELLKNOWN/anonym...@idm.example.com
> [2941] 1518402820.156298: Sending request (200 bytes) to IDM.EXAMPLE.COM
> [2941] 1518402820.158723: Resolving hostname paine.example.com.
> [2941] 1518402820.159975: Resolving hostname phantom.example.com.
> [2941] 1518402820.160757: Resolving hostname paine.example.com.
> [2941] 1518402820.161411: Initiating TCP connection to stream 204.89.253.101:88
> [2941] 1518402820.162065: Sending TCP request to stream 204.89.253.101:88
> [2941] 1518402820.168495: Received answer (359 bytes) from stream 204.89.253.101:88
> [2941] 1518402820.168532: Terminating TCP
[Freeipa-users] kinit -n asking for password on clients
When trying to do pkinit, if I do kinit -n on one of the IdM servers, it
works fine. If I try on a client machine, it asks me for the password for
WELLKNOWN/ANONYMOUS@REALM. I have the pkinit_anchors set up for the realm.
As I'm trying to do anonymous pkinit, I think I don't need a client
certificate.

On the server, I get this:

$ KRB5_TRACE="/dev/stderr" kinit -n
[13061] 1518402857.924212: Getting initial credentials for WELLKNOWN/anonym...@idm.example.com
[13061] 1518402857.929673: Sending request (200 bytes) to IDM.EXAMPLE.COM
[13061] 1518402857.931830: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402857.932241: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402857.939162: Received answer (359 bytes) from stream 10.77.9.101:88
[13061] 1518402857.939180: Terminating TCP connection to stream 10.77.9.101:88
[13061] 1518402857.939284: Response was from master KDC
[13061] 1518402857.939380: Received error from KDC: -1765328359/Additional pre-authentication required
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[13061] 1518402857.939499: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402857.939509: Received cookie: MIT
[13061] 1518402857.939563: Preauth module pkinit (147) (info) returned: 0/Success
[13061] 1518402857.940352: PKINIT client computed kdc-req-body checksum 9/D98A0144E7E4ACC66B63EBCA98379AB9F055D143
[13061] 1518402857.940369: PKINIT client making DH request
[13061] 1518402858.935: Preauth module pkinit (16) (real) returned: 0/Success
[13061] 1518402858.956: Produced preauth for next request: 133, 16
[13061] 1518402858.994: Sending request (1408 bytes) to IDM.EXAMPLE.COM
[13061] 1518402858.1091: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402858.1187: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402858.43063: Received answer (2880 bytes) from stream 10.77.9.101:88
[13061] 1518402858.43088: Terminating TCP connection to stream 10.77.9.101:88
[13061] 1518402858.43198: Response was from master KDC
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.43273: Selected etype info: etype aes256-cts, salt "IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402858.43300: Preauth module pkinit (147) (info) returned: 0/Success
[13061] 1518402858.44150: PKINIT client verified DH reply
[13061] 1518402858.44189: PKINIT client found id-pkinit-san in KDC cert: krbtgt/idm.example@idm.example.com
[13061] 1518402858.44199: PKINIT client matched KDC principal krbtgt/idm.example@idm.example.com against id-pkinit-san; no EKU check required
[13061] 1518402858.62345: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/00E0
[13061] 1518402858.62395: Preauth module pkinit (17) (real) returned: 0/Success
[13061] 1518402858.62402: Produced preauth for next request: (empty)
[13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0
[13061] 1518402858.62547: Decrypted AS reply; session key is: aes256-cts/96F0
[13061] 1518402858.62589: FAST negotiation: available
[13061] 1518402858.62692: Initializing KEYRING:persistent:76047:krb_ccache_f3PFEy1 with default princ WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
[13061] 1518402858.62770: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/idm.example@idm.example.com in KEYRING:persistent:76047:krb_ccache_f3PFEy1
[13061] 1518402858.62846: Storing config in KEYRING:persistent:76047:krb_ccache_f3PFEy1 for krbtgt/idm.example@idm.example.com: fast_avail: yes
[13061] 1518402858.62878: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: in KEYRING:persistent:76047:krb_ccache_f3PFEy1
[13061] 1518402858.62933: Storing config in KEYRING:persistent:76047:krb_ccache_f3PFEy1 for krbtgt/idm.example@idm.example.com: pa_type: 16
[13061] 1518402858.62954: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/pa_type/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: in KEYRING:persistent:76047:krb_ccache_f3PFEy1

But on the client, I get this:

$ KRB5_TRACE="/dev/stderr" kinit -n
[2941] 1518402820.155827: Getting initial credentials for WELLKNOWN/anonym...@idm.example.com
[2941] 1518402820.156298: Sending request (200 bytes) to IDM.EXAMPLE.COM
[2941] 1518402820.158723: Resolving hostname paine.example.com.
[2941] 1518402820.159975: Resolving hostname phantom.example.com.
[2941] 1518402820.160757: Resolving hostname paine.example.com.
[2941] 1518402820.161411: Initiating TCP connection to stream 204.89.253.101:88
[2941] 1518402820.162065: Sending TCP request to stream 204.89.253.101:88
[2941] 1518402820.168495: Received answer (359 bytes) from stream 204.89.253.101:88
[2941] 1518402820.168532: Terminating TCP connection to stream 204.89.253.101:88
[2941]
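The two traces above are easiest to compare by extracting, per AS-REQ round, which pre-authentication types the KDC offered and which PKINIT milestones the client reached before the trace ends. The parser below is an added example, not code from the original post or from MIT krb5/FreeIPA. Its sample input is excerpts of the poster's own server and client traces; the pre-auth type names come from the IANA Kerberos parameters registry, and the `findings` heuristics are the editor's reading of what each trace shape means, not a diagnosis from the thread.

```python
"""Summarise a KRB5_TRACE capture of `kinit -n`: KDC contacted, pre-auth offered, PKINIT progress.

Added example, not part of the original mailing-list post. The trace excerpts
below are copied from the post (server trace and truncated client trace).
"""
import re

# Subset of the IANA "Pre-authentication and Typed Data" registry used by MIT krb5 for PKINIT/FAST/OTP.
PA_TYPES = {
    2: "PA-ENC-TIMESTAMP", 14: "PA-PK-AS-REQ-OLD", 15: "PA-PK-AS-REP-OLD",
    16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 141: "PA-OTP-CHALLENGE",
    142: "PA-OTP-REQUEST", 147: "PA-PKINIT-KX",
}

LINE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")          # "[pid] unixtime.usec: message"
REQ_RE = re.compile(r"^Sending request \((\d+) bytes\) to (\S+)$")
KDC_RE = re.compile(r"^Initiating (?:TCP|UDP) connection to (?:stream|dgram) (\S+)$")
PREAUTH_RE = re.compile(r"^Processing preauth types: (.*)$")
ERR_RE = re.compile(r"^Received error from KDC: (-?\d+)/(.*)$")

# Trace messages that mark progress through anonymous PKINIT, in the order they should appear.
MILESTONES = {
    "PKINIT client making DH request": "pkinit_request_built",
    "PKINIT client verified DH reply": "pkinit_reply_verified",
    "AS key determined by preauth": "reply_key_derived",
    "Decrypted AS reply": "as_reply_decrypted",
}


def parse_trace(text):
    """Group trace lines into AS-REQ rounds and collect PKINIT milestones."""
    rounds, milestones, current = [], [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if (r := REQ_RE.match(msg)):                  # each "Sending request" starts a new round
            current = {"request_bytes": int(r.group(1)), "realm": r.group(2),
                       "kdc": None, "offered": [], "error": None}
            rounds.append(current)
            continue
        if current is None:
            continue
        if (k := KDC_RE.match(msg)):
            current["kdc"] = k.group(1)
        elif (p := PREAUTH_RE.match(msg)):            # the KDC's offer, as pa-type numbers
            current["offered"] = [int(x) for x in p.group(1).split(",")]
        elif (e := ERR_RE.match(msg)):
            current["error"] = e.group(2)
        else:
            for prefix, name in MILESTONES.items():
                if msg.startswith(prefix) and name not in milestones:
                    milestones.append(name)
    return {"rounds": rounds, "milestones": milestones,
            "completed": "as_reply_decrypted" in milestones}


def pa_names(types):
    return [PA_TYPES.get(t, f"PA-{t}") for t in types]


def findings(summary):
    """Editor's heuristics: what a defender should check next, given the shape of the trace."""
    if not summary["rounds"]:
        return ["no AS-REQ seen in trace"]
    notes, first = [], summary["rounds"][0]
    if not first["offered"]:
        notes.append("trace ends before the KDC's pre-auth offer was processed")
    elif not ({16, 147} & set(first["offered"])):
        notes.append("KDC did not offer PKINIT (16/147); client will fall back to password pre-auth")
    elif "pkinit_request_built" not in summary["milestones"]:
        notes.append("KDC offered PKINIT but client built no request: check the client's pkinit_anchors")
    elif "pkinit_reply_verified" not in summary["milestones"] and not summary["completed"]:
        notes.append("PKINIT request sent but no verified reply: check the second AS-REQ and whether "
                     "pkinit_anchors trusts the KDC certificate")
    if summary["completed"]:
        notes.append("AS exchange completed without a password")
    return notes


# Excerpts of the two traces in the post (server first, then the truncated client trace).
SERVER_TRACE = """
[13061] 1518402857.924212: Getting initial credentials for WELLKNOWN/anonym...@idm.example.com
[13061] 1518402857.929673: Sending request (200 bytes) to IDM.EXAMPLE.COM
[13061] 1518402857.931830: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402857.939380: Received error from KDC: -1765328359/Additional pre-authentication required
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[13061] 1518402857.940369: PKINIT client making DH request
[13061] 1518402858.994: Sending request (1408 bytes) to IDM.EXAMPLE.COM
[13061] 1518402858.1091: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.44150: PKINIT client verified DH reply
[13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0
[13061] 1518402858.62547: Decrypted AS reply; session key is: aes256-cts/96F0
"""
CLIENT_TRACE = """
[2941] 1518402820.155827: Getting initial credentials for WELLKNOWN/anonym...@idm.example.com
[2941] 1518402820.156298: Sending request (200 bytes) to IDM.EXAMPLE.COM
[2941] 1518402820.158723: Resolving hostname paine.example.com.
[2941] 1518402820.161411: Initiating TCP connection to stream 204.89.253.101:88
[2941] 1518402820.168495: Received answer (359 bytes) from stream 204.89.253.101:88
[2941] 1518402820.168532: Terminating TCP connection to stream 204.89.253.101:88
"""

SERVER_SUMMARY = parse_trace(SERVER_TRACE)
CLIENT_SUMMARY = parse_trace(CLIENT_TRACE)

if __name__ == "__main__":
    for label, s in (("server", SERVER_SUMMARY), ("client", CLIENT_SUMMARY)):
        print(label, "kdc:", [r["kdc"] for r in s["rounds"]],
              "offered:", [pa_names(r["offered"]) for r in s["rounds"]],
              "milestones:", s["milestones"], "findings:", findings(s))
```

Run it over a complete `KRB5_TRACE=/dev/stderr kinit -n` capture from the failing client rather than the excerpt: a first round whose offer lacks 16/147 means the KDC the client actually reached is not offering PKINIT, while an offer that includes them but no "PKINIT client making DH request" line points at the client's pkinit configuration. Note that the two traces reach different KDC addresses (10.77.9.101 from the server, 204.89.253.101 from the client), which is worth confirming before comparing anything else.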
[Freeipa-users] Re: 2FA and kinit
On 2/11/2018 7:34 PM, John Ratliff via FreeIPA-users wrote:
>>> I don't see anything useful in the logs. If I log in with my key via
>>> ssh and then do a su - jratliff, it gets me a token. I don't know what
>>> su - is doing that the kinit -n steps I saw isn't, but I guess this is
>>> a workaround.
>> su - as non-root would run the PAM stack for you through pam_sss and
>> thus SSSD would do a dance, using the host principal for a FAST channel
>> and then your principal to obtain the actual ticket using your creds.
>>
>>> Do you have ideas of what logs specifically I should check? I posted
>>> the output of the trace, but it didn't mean much to me.
>> The trace you published is client-side. Robbie asked for the server
>> logs. Can you check /var/log/krb5kdc.log on the server during the time
>> you did that request from the client? It would show which requests this
>> particular client did send.
>
> Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: NEEDED_PREAUTH: host/master.smithville@idm.smithville.com for krbtgt/idm.smithville@idm.smithville.com, Additional pre-authentication required
> Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): closing down fd 11
> Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): preauth (otp) verify failure: Generic preauthentication failure
> Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: PREAUTH_FAILED: jratl...@idm.smithville.com for krbtgt/idm.smithville@idm.smithville.com, Preauthentication failed
> Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): closing down fd 11

Never mind. It seems to be working fine now. I'm not sure what I was doing
wrong earlier.

Thanks.
[Freeipa-users] Re: 2FA and kinit
>> I don't see anything useful in the logs. If I log in with my key via ssh
>> and then do a su - jratliff, it gets me a token. I don't know what su -
>> is doing that the kinit -n steps I saw isn't, but I guess this is a
>> workaround.
> su - as non-root would run the PAM stack for you through pam_sss and thus
> SSSD would do a dance, using the host principal for a FAST channel and
> then your principal to obtain the actual ticket using your creds.
>
>> Do you have ideas of what logs specifically I should check? I posted the
>> output of the trace, but it didn't mean much to me.
> The trace you published is client-side. Robbie asked for the server logs.
> Can you check /var/log/krb5kdc.log on the server during the time you did
> that request from the client? It would show which requests this
> particular client did send.

Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: NEEDED_PREAUTH: host/master.smithville@idm.smithville.com for krbtgt/idm.smithville@idm.smithville.com, Additional pre-authentication required
Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): closing down fd 11
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): preauth (otp) verify failure: Generic preauthentication failure
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: PREAUTH_FAILED: jratl...@idm.smithville.com for krbtgt/idm.smithville@idm.smithville.com, Preauthentication failed
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): closing down fd 11
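The five krb5kdc.log lines above are the server-side view Alexander asked for: an AS-REQ for the host principal (consistent with the FAST armor step he describes), then fourteen seconds later the user's AS-REQ from the same client address, preceded by the `preauth (otp) verify failure` line that explains its PREAUTH_FAILED result. The parser below is an added example, not code from the thread or from MIT krb5/FreeIPA; it uses those five lines, copied from the post, as its sample input and turns them into the per-client outcome counts a defender would alert on for OTP or password guessing. The `fast_armor_sequences` ordering heuristic is the editor's assumption: the KDC log itself does not state whether FAST was used.

```python
"""Parse MIT krb5kdc.log AS_REQ lines and summarise outcomes per client and principal.

Added example, not part of the original mailing-list thread. SAMPLE_KDC_LOG is
the five lines posted in the thread.
"""
import re
from collections import Counter, defaultdict

SAMPLE_KDC_LOG = """\
Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: NEEDED_PREAUTH: host/master.smithville@idm.smithville.com for krbtgt/idm.smithville@idm.smithville.com, Additional pre-authentication required
Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): closing down fd 11
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): preauth (otp) verify failure: Generic preauthentication failure
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: PREAUTH_FAILED: jratl...@idm.smithville.com for krbtgt/idm.smithville@idm.smithville.com, Preauthentication failed
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): closing down fd 11
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
AS_REQ_RE = re.compile(
    SYSLOG_PREFIX + r"AS_REQ \((?P<n_etypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<client>\S+): "
    r"(?P<status>\w+): (?P<principal>\S+) for (?P<service>\S+)(?:, (?P<detail>.*))?$"
)
# The KDC logs the failing pre-auth mechanism on its own line, just before the AS_REQ result line.
PREAUTH_FAIL_RE = re.compile(SYSLOG_PREFIX + r"preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.*)$")


def parse_kdc_log(text):
    """Return one dict per AS_REQ line, with a preceding mechanism failure attached if present."""
    events, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        if (m := PREAUTH_FAIL_RE.match(line)):
            pending = (m["mech"], m["reason"])
            continue
        if (m := AS_REQ_RE.match(line)):
            ev = {k: m[k] for k in ("ts", "client", "status", "principal", "service", "detail")}
            ev["etypes"] = [int(x) for x in m["etypes"].split()]
            ev["mech_failure"] = pending
            pending = None
            events.append(ev)
    return events


def outcomes_by_client(events):
    """Counter keyed by (client IP, principal, status): the table to watch for guessing attempts."""
    return Counter((e["client"], e["principal"], e["status"]) for e in events)


def preauth_failure_alerts(events, threshold=1):
    """(client, principal) pairs with at least `threshold` PREAUTH_FAILED results, with mechanisms seen."""
    fails = defaultdict(lambda: {"count": 0, "mechs": set()})
    for e in events:
        if e["status"] == "PREAUTH_FAILED":
            rec = fails[(e["client"], e["principal"])]
            rec["count"] += 1
            if e["mech_failure"]:
                rec["mechs"].add(e["mech_failure"][0])
    return {k: v for k, v in fails.items() if v["count"] >= threshold}


def fast_armor_sequences(events):
    """Heuristic (editor's assumption): a host/ AS_REQ followed by a user AS_REQ from the same client
    looks like SSSD obtaining FAST armor before the user's own request."""
    last_host, pairs = {}, []
    for e in events:
        if e["principal"].startswith("host/"):
            last_host[e["client"]] = e["principal"]
        elif e["client"] in last_host:
            pairs.append((last_host.pop(e["client"]), e["principal"]))
    return pairs


EVENTS = parse_kdc_log(SAMPLE_KDC_LOG)

if __name__ == "__main__":
    for key, n in outcomes_by_client(EVENTS).items():
        print(key, n)
    print("alerts:", preauth_failure_alerts(EVENTS))
    print("armor-then-user:", fast_armor_sequences(EVENTS))
```

With the sample input the alert table has a single entry for 204.89.253.111 and the user principal, tagged with the `otp` mechanism; on a real KDC log the threshold and a time window are what separate a mistyped token from a guessing attempt, and the host-then-user pairing shows which client machines are fronting user logins through SSSD.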
[Freeipa-users] Re: 2FA and kinit
On Sat, 10 Feb 2018, John Ratliff via FreeIPA-users wrote:
> On 2/6/2018 5:04 PM, Robbie Harwood wrote:
>> John Ratliff via FreeIPA-users writes:
>>> I'm having problems with kinit and a 2FA enabled account. When I run
>>> kinit by itself, it says 'kinit: Generic preauthentication failure
>>> while getting initial credentials'.
>>>
>>> I saw on the wiki where that problem is solved by doing one of two
>>> things. You can log in with the admin account (or some other non-2FA
>>> account). When I do that, it asks for the OTP, but then I get a
>>> similar error message:
>>>
>>> $ klist
>>> Ticket cache: FILE:/tmp/krb5cc_76047
>>> Default principal: ad...@idm.xxx.net
>>>
>>> Valid starting       Expires              Service principal
>>> 02/06/2018 15:58:04  02/07/2018 15:57:52  krbtgt/idm.xxx@idm.xxx.net
>>>
>>> $ kinit -T FILE:/tmp/krb5cc_76047 jratliff
>>> Enter OTP Token Value:
>>> kinit: Preauthentication failed while getting initial credentials
>>>
>>> The same thing happens when I try to do the anonymous authentication.
>>>
>>> I put the output of KRB5_TRACE here https://pastebin.com/jpPDVUXi
>>>
>>> This happens on the CentOS 7.4 IdM server (Running 4.5 IPA) and a
>>> Debian 9 IdM client machine.
>>
>> Maybe take a look at the server logs and see if there's anything there.
>>
>> Thanks,
>> --Robbie
>
> I don't see anything useful in the logs. If I log in with my key via ssh
> and then do a su - jratliff, it gets me a token. I don't know what su -
> is doing that the kinit -n steps I saw isn't, but I guess this is a
> workaround.
su - as non-root would run the PAM stack for you through pam_sss and thus
SSSD would do a dance, using the host principal for a FAST channel and
then your principal to obtain the actual ticket using your creds.

> Do you have ideas of what logs specifically I should check? I posted the
> output of the trace, but it didn't mean much to me.
The trace you published is client-side. Robbie asked for the server logs.
Can you check /var/log/krb5kdc.log on the server during the time you did
that request from the client? It would show which requests this
particular client did send.
--
/ Alexander Bokovoy