[Freeipa-users] Install radius but fail to start in centos7

2018-02-11 Thread barrykfl--- via FreeIPA-users
yum install freeradius freeradius-utils freeradius-ldap freeradius-krb5
completed successfully.

But it cannot start, with the following error. Any idea?

: Unregistered Authentication Agent for unix-process:12922:607417 (system
bus name :1.53, object path /org/freedesktop/PolicyKit1/Au

ref doc:
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

thx
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


[Freeipa-users] Re: kinit -n asking for password on clients

2018-02-11 Thread Alexander Bokovoy via FreeIPA-users

On Sun, 11 Feb 2018, John Ratliff via FreeIPA-users wrote:
When trying to do pkinit, if I do kinit -n on one of the IdM servers, 
it works fine. If I try on a client machine, it asks me for the 
password for WELLKNOWN/ANONYMOUS@REALM.


I have the pkinit_anchors setup for the realm. As I'm trying to do 
anonymous pkinit, I think I don't need a client certificate.


On the server, I get this:

$ KRB5_TRACE="/dev/stderr" kinit -n
[13061] 1518402857.924212: Getting initial credentials for 
WELLKNOWN/anonym...@idm.example.com

[13061] 1518402857.929673: Sending request (200 bytes) to IDM.EXAMPLE.COM
[13061] 1518402857.931830: Initiating TCP connection to stream 
10.77.9.101:88

[13061] 1518402857.932241: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402857.939162: Received answer (359 bytes) from stream 
10.77.9.101:88
[13061] 1518402857.939180: Terminating TCP connection to stream 
10.77.9.101:88

[13061] 1518402857.939284: Response was from master KDC
[13061] 1518402857.939380: Received error from KDC: 
-1765328359/Additional pre-authentication required
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 
19, 147, 2, 133
[13061] 1518402857.939499: Selected etype info: etype aes256-cts, salt 
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""

[13061] 1518402857.939509: Received cookie: MIT
[13061] 1518402857.939563: Preauth module pkinit (147) (info) 
returned: 0/Success
[13061] 1518402857.940352: PKINIT client computed kdc-req-body 
checksum 9/D98A0144E7E4ACC66B63EBCA98379AB9F055D143

[13061] 1518402857.940369: PKINIT client making DH request
[13061] 1518402858.935: Preauth module pkinit (16) (real) returned: 
0/Success

[13061] 1518402858.956: Produced preauth for next request: 133, 16
[13061] 1518402858.994: Sending request (1408 bytes) to IDM.EXAMPLE.COM
[13061] 1518402858.1091: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402858.1187: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402858.43063: Received answer (2880 bytes) from stream 
10.77.9.101:88
[13061] 1518402858.43088: Terminating TCP connection to stream 
10.77.9.101:88

[13061] 1518402858.43198: Response was from master KDC
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.43273: Selected etype info: etype aes256-cts, salt 
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402858.43300: Preauth module pkinit (147) (info) returned: 
0/Success

[13061] 1518402858.44150: PKINIT client verified DH reply
[13061] 1518402858.44189: PKINIT client found id-pkinit-san in KDC 
cert: krbtgt/idm.example@idm.example.com
[13061] 1518402858.44199: PKINIT client matched KDC principal 
krbtgt/idm.example@idm.example.com against id-pkinit-san; no EKU 
check required
[13061] 1518402858.62345: PKINIT client used KDF 2B06010502030602 to 
compute reply key aes256-cts/00E0
[13061] 1518402858.62395: Preauth module pkinit (17) (real) returned: 
0/Success

[13061] 1518402858.62402: Produced preauth for next request: (empty)
[13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0
[13061] 1518402858.62547: Decrypted AS reply; session key is: 
aes256-cts/96F0

[13061] 1518402858.62589: FAST negotiation: available
[13061] 1518402858.62692: Initializing 
KEYRING:persistent:76047:krb_ccache_f3PFEy1 with default princ 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
[13061] 1518402858.62770: Storing 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> 
krbtgt/idm.example@idm.example.com in 
KEYRING:persistent:76047:krb_ccache_f3PFEy1
[13061] 1518402858.62846: Storing config in 
KEYRING:persistent:76047:krb_ccache_f3PFEy1 for 
krbtgt/idm.example@idm.example.com: fast_avail: yes
[13061] 1518402858.62878: Storing 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: 
in KEYRING:persistent:76047:krb_ccache_f3PFEy1
[13061] 1518402858.62933: Storing config in 
KEYRING:persistent:76047:krb_ccache_f3PFEy1 for 
krbtgt/idm.example@idm.example.com: pa_type: 16
[13061] 1518402858.62954: Storing 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/pa_type/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: 
in KEYRING:persistent:76047:krb_ccache_f3PFEy1



But on the client, I get this:

$ KRB5_TRACE="/dev/stderr" kinit -n
[2941] 1518402820.155827: Getting initial credentials for 
WELLKNOWN/anonym...@idm.example.com

[2941] 1518402820.156298: Sending request (200 bytes) to IDM.EXAMPLE.COM
[2941] 1518402820.158723: Resolving hostname paine.example.com.
[2941] 1518402820.159975: Resolving hostname phantom.example.com.
[2941] 1518402820.160757: Resolving hostname paine.example.com.
[2941] 1518402820.161411: Initiating TCP connection to stream 
204.89.253.101:88

[2941] 1518402820.162065: Sending TCP request to stream 204.89.253.101:88
[2941] 1518402820.168495: Received answer (359 bytes) from stream 
204.89.253.101:88
[2941] 1518402820.168532: Terminating TCP 

[Freeipa-users] kinit -n asking for password on clients

2018-02-11 Thread John Ratliff via FreeIPA-users
When trying to do pkinit, if I do kinit -n on one of the IdM servers, it 
works fine. If I try on a client machine, it asks me for the password 
for WELLKNOWN/ANONYMOUS@REALM.


I have the pkinit_anchors setup for the realm. As I'm trying to do 
anonymous pkinit, I think I don't need a client certificate.


On the server, I get this:

$ KRB5_TRACE="/dev/stderr" kinit -n
[13061] 1518402857.924212: Getting initial credentials for 
WELLKNOWN/anonym...@idm.example.com

[13061] 1518402857.929673: Sending request (200 bytes) to IDM.EXAMPLE.COM
[13061] 1518402857.931830: Initiating TCP connection to stream 
10.77.9.101:88

[13061] 1518402857.932241: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402857.939162: Received answer (359 bytes) from stream 
10.77.9.101:88
[13061] 1518402857.939180: Terminating TCP connection to stream 
10.77.9.101:88

[13061] 1518402857.939284: Response was from master KDC
[13061] 1518402857.939380: Received error from KDC: 
-1765328359/Additional pre-authentication required
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 
19, 147, 2, 133
[13061] 1518402857.939499: Selected etype info: etype aes256-cts, salt 
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""

[13061] 1518402857.939509: Received cookie: MIT
[13061] 1518402857.939563: Preauth module pkinit (147) (info) returned: 
0/Success
[13061] 1518402857.940352: PKINIT client computed kdc-req-body checksum 
9/D98A0144E7E4ACC66B63EBCA98379AB9F055D143

[13061] 1518402857.940369: PKINIT client making DH request
[13061] 1518402858.935: Preauth module pkinit (16) (real) returned: 
0/Success

[13061] 1518402858.956: Produced preauth for next request: 133, 16
[13061] 1518402858.994: Sending request (1408 bytes) to IDM.EXAMPLE.COM
[13061] 1518402858.1091: Initiating TCP connection to stream 10.77.9.101:88
[13061] 1518402858.1187: Sending TCP request to stream 10.77.9.101:88
[13061] 1518402858.43063: Received answer (2880 bytes) from stream 
10.77.9.101:88
[13061] 1518402858.43088: Terminating TCP connection to stream 
10.77.9.101:88

[13061] 1518402858.43198: Response was from master KDC
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.43273: Selected etype info: etype aes256-cts, salt 
"IDM.EXAMPLE.COMWELLKNOWNANONYMOUS", params ""
[13061] 1518402858.43300: Preauth module pkinit (147) (info) returned: 
0/Success

[13061] 1518402858.44150: PKINIT client verified DH reply
[13061] 1518402858.44189: PKINIT client found id-pkinit-san in KDC cert: 
krbtgt/idm.example@idm.example.com
[13061] 1518402858.44199: PKINIT client matched KDC principal 
krbtgt/idm.example@idm.example.com against id-pkinit-san; no EKU 
check required
[13061] 1518402858.62345: PKINIT client used KDF 2B06010502030602 to 
compute reply key aes256-cts/00E0
[13061] 1518402858.62395: Preauth module pkinit (17) (real) returned: 
0/Success

[13061] 1518402858.62402: Produced preauth for next request: (empty)
[13061] 1518402858.62414: AS key determined by preauth: aes256-cts/00E0
[13061] 1518402858.62547: Decrypted AS reply; session key is: 
aes256-cts/96F0

[13061] 1518402858.62589: FAST negotiation: available
[13061] 1518402858.62692: Initializing 
KEYRING:persistent:76047:krb_ccache_f3PFEy1 with default princ 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
[13061] 1518402858.62770: Storing 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> 
krbtgt/idm.example@idm.example.com in 
KEYRING:persistent:76047:krb_ccache_f3PFEy1
[13061] 1518402858.62846: Storing config in 
KEYRING:persistent:76047:krb_ccache_f3PFEy1 for 
krbtgt/idm.example@idm.example.com: fast_avail: yes
[13061] 1518402858.62878: Storing 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> 
krb5_ccache_conf_data/fast_avail/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: 
in KEYRING:persistent:76047:krb_ccache_f3PFEy1
[13061] 1518402858.62933: Storing config in 
KEYRING:persistent:76047:krb_ccache_f3PFEy1 for 
krbtgt/idm.example@idm.example.com: pa_type: 16
[13061] 1518402858.62954: Storing 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> 
krb5_ccache_conf_data/pa_type/krbtgt\/IDM.EXAMPLE.COM\@IDM.EXAMPLE.COM@X-CACHECONF: 
in KEYRING:persistent:76047:krb_ccache_f3PFEy1



But on the client, I get this:

$ KRB5_TRACE="/dev/stderr" kinit -n
[2941] 1518402820.155827: Getting initial credentials for 
WELLKNOWN/anonym...@idm.example.com

[2941] 1518402820.156298: Sending request (200 bytes) to IDM.EXAMPLE.COM
[2941] 1518402820.158723: Resolving hostname paine.example.com.
[2941] 1518402820.159975: Resolving hostname phantom.example.com.
[2941] 1518402820.160757: Resolving hostname paine.example.com.
[2941] 1518402820.161411: Initiating TCP connection to stream 
204.89.253.101:88

[2941] 1518402820.162065: Sending TCP request to stream 204.89.253.101:88
[2941] 1518402820.168495: Received answer (359 bytes) from stream 
204.89.253.101:88
[2941] 1518402820.168532: Terminating TCP connection to stream 
204.89.253.101:88

[2941] 
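Added here as an illustration, not code from the thread or from MIT krb5: a small Python summarizer for KRB5_TRACE output like the runs above. It reduces a trace to the pre-authentication types the KDC offered in each round, whether the pkinit module accepted the KDC's PA-PK-AS-REP, and whether FAST and a decrypted AS reply were reached; when the pkinit module produces no preauth data, kinit falls through to the password-based modules, which is the prompt seen on the client. The sample trace is constructed to mirror the server-side run, and the function names are assumptions, not krb5 APIs.

```python
import re
from dataclasses import dataclass, field

RE_OFFERED = re.compile(r"^Processing preauth types: (.+)$")
RE_MODULE = re.compile(r"^Preauth module (\w+) \((\d+)\) \((\w+)\) returned: (\d+)/")

# Constructed sample in KRB5_TRACE's line format, modeled on the thread's server-side run.
SAMPLE_TRACE = """\
[13061] 1518402857.939380: Received error from KDC: -1765328359/Additional pre-authentication required
[13061] 1518402857.939474: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[13061] 1518402858.935: Preauth module pkinit (16) (real) returned: 0/Success
[13061] 1518402858.43258: Processing preauth types: 17, 19, 147
[13061] 1518402858.62395: Preauth module pkinit (17) (real) returned: 0/Success
[13061] 1518402858.62547: Decrypted AS reply; session key is: aes256-cts/96F0
[13061] 1518402858.62589: FAST negotiation: available
"""

@dataclass
class TraceSummary:
    offered: list = field(default_factory=list)   # PA types the KDC offered, one list per round
    modules: list = field(default_factory=list)   # (module, pa_type, stage, return code)
    fast_available: bool = False
    as_reply_decrypted: bool = False

def summarize_trace(text: str) -> TraceSummary:
    s = TraceSummary()
    for raw in text.splitlines():
        # Drop the "[pid] seconds.micros: " prefix that every trace line carries.
        msg = raw.split(": ", 1)[1].strip() if ": " in raw else raw.strip()
        if m := RE_OFFERED.match(msg):
            s.offered.append([int(t) for t in m.group(1).split(",")])
        elif m := RE_MODULE.match(msg):
            s.modules.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
        elif msg == "FAST negotiation: available":
            s.fast_available = True
        elif msg.startswith("Decrypted AS reply"):
            s.as_reply_decrypted = True
    return s

def pkinit_completed(s: TraceSummary) -> bool:
    # pkinit's "real" pass on PA-PK-AS-REP (17) returning 0 means the DH reply verified.
    return any(m == ("pkinit", 17, "real", 0) for m in s.modules)

def diagnose(s: TraceSummary) -> str:
    if s.as_reply_decrypted and pkinit_completed(s):
        return "ok: anonymous PKINIT completed, FAST " + ("available" if s.fast_available else "unavailable")
    if not any(16 in types for types in s.offered):
        return "KDC never offered PKINIT (PA type 16); kinit falls through to password preauth"
    return "PKINIT offered but not completed; check pkinit_anchors and the KDC certificate"
```

Run the client-side trace through the same function to see in which of the three states it stops.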

[Freeipa-users] Re: 2FA and kinit

2018-02-11 Thread John Ratliff via FreeIPA-users

On 2/11/2018 7:34 PM, John Ratliff via FreeIPA-users wrote:




I don't see anything useful in the logs. If I login with my key via 
ssh and then do a su - jratliff, it gets me a token. I don't know 
what su - is doing that the kinit -n steps I saw isn't, but I guess 
this is a workaround.

su - as non-root would run the PAM stack for you through pam_sss, and thus
SSSD would do a dance, using the host principal for a FAST channel and then
your principal to obtain the actual ticket using your creds.

Do you have ideas of what logs specifically I should check? I posted 
the output of the trace, but it didn't mean much to me.

The trace you published is client-side. Robbie asked for the server
logs. Can you check /var/log/krb5kdc.log on the server during the time
you did that request from the client? It would show which requests this
particular client sent.



Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: NEEDED_PREAUTH: 
host/master.smithville@idm.smithville.com for 
krbtgt/idm.smithville@idm.smithville.com, Additional 
pre-authentication required
Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): closing down 
fd 11
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): preauth 
(otp) verify failure: Generic preauthentication failure
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: PREAUTH_FAILED: 
jratl...@idm.smithville.com for 
krbtgt/idm.smithville@idm.smithville.com, Preauthentication failed
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): closing down 
fd 11



Never mind. It seems to be working fine now. I'm not sure what I was 
doing wrong earlier.


Thanks.


[Freeipa-users] Re: 2FA and kinit

2018-02-11 Thread John Ratliff via FreeIPA-users




I don't see anything useful in the logs. If I login with my key via 
ssh and then do a su - jratliff, it gets me a token. I don't know what 
su - is doing that the kinit -n steps I saw isn't, but I guess this is 
a workaround.

su - as non-root would run the PAM stack for you through pam_sss, and thus
SSSD would do a dance, using the host principal for a FAST channel and then
your principal to obtain the actual ticket using your creds.

Do you have ideas of what logs specifically I should check? I posted 
the output of the trace, but it didn't mean much to me.

The trace you published is client-side. Robbie asked for the server
logs. Can you check /var/log/krb5kdc.log on the server during the time
you did that request from the client? It would show which requests this
particular client sent.



Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: NEEDED_PREAUTH: 
host/master.smithville@idm.smithville.com for 
krbtgt/idm.smithville@idm.smithville.com, Additional 
pre-authentication required
Feb 11 19:29:18 phantom.smithville.com krb5kdc[1372](info): closing down 
fd 11
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): preauth 
(otp) verify failure: Generic preauthentication failure
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): AS_REQ (8 
etypes {18 17 20 19 16 23 25 26}) 204.89.253.111: PREAUTH_FAILED: 
jratl...@idm.smithville.com for 
krbtgt/idm.smithville@idm.smithville.com, Preauthentication failed
Feb 11 19:29:32 phantom.smithville.com krb5kdc[1372](info): closing down 
fd 11



[Freeipa-users] Re: 2FA and kinit

2018-02-11 Thread Alexander Bokovoy via FreeIPA-users

On Sat, 10 Feb 2018, John Ratliff via FreeIPA-users wrote:

On 2/6/2018 5:04 PM, Robbie Harwood wrote:

John Ratliff via FreeIPA-users writes:


I'm having problems with kinit and a 2FA-enabled account.

When I run kinit by itself, it says 'kinit: Generic preauthentication
failure while getting initial credentials'.

I saw on the wiki that this problem is solved by doing one of two
things. You can log in with the admin account (or some other non-2FA
account). When I do that, it asks for the OTP, but then I get a similar
error message:

$ klist
Ticket cache: FILE:/tmp/krb5cc_76047
Default principal: ad...@idm.xxx.net

Valid starting   Expires  Service principal
02/06/2018 15:58:04  02/07/2018 15:57:52  krbtgt/idm.xxx@idm.xxx.net

$ kinit -T FILE:/tmp/krb5cc_76047 jratliff
Enter OTP Token Value:
kinit: Preauthentication failed while getting initial credentials

The same thing happens when I try to do the anonymous authentication.

I put the output of KRB5_TRACE here https://pastebin.com/jpPDVUXi

This happens on the CentOS 7.4 IdM server (Running 4.5 IPA) and a Debian
9 IdM client machine.


Maybe take a look at the server logs and see if there's anything there.

Thanks,
--Robbie



I don't see anything useful in the logs. If I login with my key via 
ssh and then do a su - jratliff, it gets me a token. I don't know what 
su - is doing that the kinit -n steps I saw isn't, but I guess this is 
a workaround.

su - as non-root would run the PAM stack for you through pam_sss, and thus
SSSD would do a dance, using the host principal for a FAST channel and then
your principal to obtain the actual ticket using your creds.

Do you have ideas of what logs specifically I should check? I posted 
the output of the trace, but it didn't mean much to me.

The trace you published is client-side. Robbie asked for the server
logs. Can you check /var/log/krb5kdc.log on the server during the time
you did that request from the client? It would show which requests this
particular client sent.

--
/ Alexander Bokovoy
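Added example, not code from the thread or from krb5: a Python parser for krb5kdc.log lines in the shape John posted. It pairs each PREAUTH_FAILED AS_REQ with the mechanism-specific line logged just before it ("preauth (otp) verify failure"), which is what a defender wants when counting OTP failures per source, and it flags user AS_REQs that follow a host/ principal AS_REQ from the same address, the sequence Alexander describes for SSSD fetching a FAST armor ticket with the host principal before requesting the user's ticket. The sample log is constructed with placeholder host names, IP and principals; the function names are assumptions.

```python
import re
from datetime import datetime

# Line shapes taken from the krb5kdc.log excerpt in the thread: syslog prefix, then the KDC message.
RE_PREFIX = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): (.*)$")
RE_AS_REQ = re.compile(r"^AS_REQ \(\d+ etypes \{[\d ]*\}\) (\S+): (\w+): (\S+) for (\S+), (.*)$")
RE_PA_FAIL = re.compile(r"^preauth \((\w+)\) verify failure: (.*)$")
# Constructed sample modeled on the thread's log; host names, IP and principals are placeholders.
SAMPLE_LOG = """\
Feb 11 19:29:18 kdc.example.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.11: NEEDED_PREAUTH: host/client.example.com@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM, Additional pre-authentication required
Feb 11 19:29:18 kdc.example.com krb5kdc[1372](info): closing down fd 11
Feb 11 19:29:32 kdc.example.com krb5kdc[1372](info): preauth (otp) verify failure: Generic preauthentication failure
Feb 11 19:29:32 kdc.example.com krb5kdc[1372](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.11: PREAUTH_FAILED: jdoe@IDM.EXAMPLE.COM for krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM, Preauthentication failed
"""

def parse_kdc_log(text: str, year: int = 2018) -> list:
    # Syslog lines carry no year, so the caller supplies it; unrelated lines are skipped.
    events = []
    for line in text.splitlines():
        pre = RE_PREFIX.match(line)
        if not pre:
            continue
        ts = datetime.strptime(f"{year} {pre.group(1)}", "%Y %b %d %H:%M:%S")
        if m := RE_AS_REQ.match(pre.group(2)):
            events.append({"ts": ts, "kind": "AS_REQ", "client_ip": m.group(1), "status": m.group(2),
                           "client": m.group(3), "server": m.group(4), "reason": m.group(5)})
        elif m := RE_PA_FAIL.match(pre.group(2)):
            events.append({"ts": ts, "kind": "PA_FAIL", "mech": m.group(1), "reason": m.group(2)})
    return events

def preauth_failures(events: list) -> list:
    """Pair each PREAUTH_FAILED AS_REQ with the mechanism failure logged in the same second."""
    out, last_fail = [], None
    for ev in events:
        if ev["kind"] == "PA_FAIL":
            last_fail = ev
        elif ev["kind"] == "AS_REQ" and ev["status"] == "PREAUTH_FAILED":
            mech = last_fail["mech"] if last_fail and last_fail["ts"] == ev["ts"] else "unknown"
            out.append((ev["ts"], ev["client_ip"], ev["client"], mech))
    return out

def armor_candidates(events: list, window_s: int = 60) -> list:
    """User AS_REQs preceded, from the same IP, by a host/ AS_REQ: SSSD's armor-first pattern."""
    out, last_host = [], {}
    for ev in (e for e in events if e["kind"] == "AS_REQ"):
        if ev["client"].startswith("host/"):
            last_host[ev["client_ip"]] = ev
        elif (h := last_host.get(ev["client_ip"])) and (ev["ts"] - h["ts"]).total_seconds() <= window_s:
            out.append((ev["client"], h["client"], ev["status"]))
    return out
```

The pairing relies on krb5kdc writing the "preauth (...) verify failure" line immediately before the AS_REQ it belongs to, as in the excerpt; a high-volume KDC can interleave requests, so treat the "unknown" mechanism as a signal to look at the surrounding lines.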