Re: [Freeipa-users] FreeIPA4 OTP vs PAM
Reviving this as I am still stuck with CentOS 6. CentOS 6.6 now has sssd 1.11, yet I still cannot get the OTP to work under PAM: I created a test user and added an OTP. The user works fine without the OTP; however, I keep getting this when trying to test with OTP via pamtester:

pamtester: pam_sss(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=michael
pamtester: pam_sss(login:auth): received for user michael: 17 (Failure setting user credentials)

Is there a way to get more information as to what is going on? Is my expectation that I would provide the OTP in the form of password123456 correct (assuming my password is "password" and the OTP token is 123456)?

On Fri, Aug 15, 2014 at 2:29 AM, Michael Lasevich <mlasev...@lasevich.net> wrote:
> Thanks, glad I asked before wasting time.
>
> On Fri, Aug 15, 2014 at 1:07 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
>> On Thu, Aug 14, 2014 at 01:19:58PM -0700, Michael Lasevich wrote:
>>> I did not dive into this yet, but before I waste too much time I wanted to ask if the CentOS 6.5 default ipa client is expected to work with 2FA or not.
>>
>> No it's not, sorry. The 6.5 client is SSSD 1.9.x and there's a couple of fixes that landed during the 1.11 development such as:
>> https://fedorahosted.org/sssd/ticket/2186
>> or:
>> https://fedorahosted.org/sssd/ticket/2271
>> plus some other commits I see in git log which don't reference any ticket.
>>
>> I'd suggest to test using a CentOS 7.0 client.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] Freeipa and EDUROAM
Hi,

I am an EDUROAM administrator. We use openldap, but I would like to migrate to freeipa. Has anyone done this before? Any help would be greatly appreciated.

--
Cosme Faria Corrêa
Re: [Freeipa-users] FreeIPA4 OTP vs PAM
I got some extra log output: seems that FAST IS being used. I am running SSSD 1.11.6, which is supposed to have the above mentioned issues fixed:

Log:
=
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipaclient.my.domain@my.domain.com in keytab.
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [match_principal] (0x1000): Principal matched to the sample (host/ipaclient.my.domain@my.domain.com).
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361296: Retrieving host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: 0/Success
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [main] (0x0400): Will perform online auth
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MY.DOMAIN.COM]
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361440: Getting initial credentials for mich...@my.domain.com
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361508: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361575: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361648: Sending request (188 bytes) to MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361842: Sending initial UDP request to dgram 1.1.1.2:88
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365901: Received answer from dgram 1.1.1.2:88
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365981: Response was from master KDC
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366020: Received error from KDC: -1765328359/Additional pre-authentication required
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366051: Upgrading to FAST due to presence of PA_FX_FAST in reply
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366075: Restarting to upgrade to FAST
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366102: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366161: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366191: Upgrading to FAST due to presence of PA_FX_FAST in reply
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366215: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366267: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366322: Getting credentials host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com using ccache FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366380: Retrieving host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: 0/Success
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451]
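Reading a krb5_child trace like the one above by eye is error-prone, so here is an added example (not code from this thread, from SSSD or from FreeIPA) that parses the "(timestamp) [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message" debug lines, pulls out the messages relayed from the libkrb5 trace callback, and reports whether a FAST armor ccache was used, whether the client upgraded the exchange to FAST, and which errors the KDC returned. The regular expressions, the Summary type and the helper names are my own; the sample lines are constructed by copying entries from the trace above with the mail line-wrapping removed. The two numeric codes are the MIT krb5 error values exactly as the library prints them (-1765328359 is KRB5KDC_ERR_PREAUTH_REQUIRED, -1765328243 is KRB5_CC_NOTFOUND).

```python
"""Summarise an SSSD krb5_child debug trace (added example, not SSSD/FreeIPA code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Shape of a krb5_child debug line as quoted in the thread:
#   (timestamp) [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# Messages relayed from the libkrb5 trace callback look like "[PID] epoch.usec: text".
TRACE_RE = re.compile(r"^\[\d+\] (?P<epoch>\d+\.\d+): (?P<text>.*)$")
KDC_ERR_RE = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)$")
ARMOR_RE = re.compile(r"^FAST armor ccache: (?P<ccache>\S+)$")
CC_LOOKUP_RE = re.compile(
    r"^Retrieving (?P<client>\S+) - (?P<server>\S+) from (?P<ccache>\S+) "
    r"with result: (?P<code>-?\d+)/(?P<text>.*)$"
)

# MIT krb5 error codes exactly as the library prints them (com_err table "krb5").
KRB5KDC_ERR_PREAUTH_REQUIRED = -1765328359   # "Additional pre-authentication required"
KRB5_CC_NOTFOUND = -1765328243               # "Matching credential not found"

# Constructed sample: entries copied from the trace quoted above, mail wrapping removed.
SAMPLE_TRACE = r"""
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361508: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361575: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366020: Received error from KDC: -1765328359/Additional pre-authentication required
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366051: Upgrading to FAST due to presence of PA_FX_FAST in reply
(Sat Nov 22 14:55:43 2014) [[sssd[krb5_child[2451]]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366380: Retrieving host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: 0/Success
"""


@dataclass
class Summary:
    fast_armor_ccache: str | None = None            # armor ccache named in the trace
    fast_upgraded: bool = False                      # "Upgrading to FAST ..." seen
    kdc_errors: list[tuple[int, str]] = field(default_factory=list)  # (code, text), in order
    ccache_misses: list[str] = field(default_factory=list)  # server principals not in a ccache
    unparsed: int = 0                                # non-blank lines that matched no known shape


def parse_line(line: str) -> dict | None:
    """Split one debug line into its fields; the libkrb5 trace text, if any, goes in 'trace'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    t = TRACE_RE.match(rec["msg"])
    rec["trace"] = t.group("text") if t else None
    return rec


def summarize(lines) -> Summary:
    s = Summary()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            s.unparsed += 1
            continue
        text = rec["trace"] if rec["trace"] is not None else rec["msg"]
        if m := ARMOR_RE.match(text):
            s.fast_armor_ccache = m.group("ccache")
        elif text.startswith("Upgrading to FAST"):
            s.fast_upgraded = True
        elif m := KDC_ERR_RE.match(text):
            s.kdc_errors.append((int(m.group("code")), m.group("text")))
        elif m := CC_LOOKUP_RE.match(text):
            if int(m.group("code")) == KRB5_CC_NOTFOUND:
                s.ccache_misses.append(m.group("server"))
    return s


def findings(s: Summary) -> list[str]:
    """Turn a Summary into short human-readable statements."""
    out = []
    if s.fast_armor_ccache:
        out.append(f"FAST armor ccache in use: {s.fast_armor_ccache}")
    if s.fast_upgraded:
        out.append("client upgraded the AS exchange to FAST after the KDC advertised PA_FX_FAST")
    for code, text in s.kdc_errors:
        if code == KRB5KDC_ERR_PREAUTH_REQUIRED:
            out.append("KDC answered KRB5KDC_ERR_PREAUTH_REQUIRED: the KDC wants "
                       "pre-authentication data, which the client sends in its retry")
        else:
            out.append(f"KDC error {code}: {text}")
    # Misses on krb5_ccache_conf_data/fast_avail/... are the ccache bookkeeping entry that
    # records whether the KDC is known to support FAST; they are not authentication failures.
    real_misses = [p for p in s.ccache_misses if not p.startswith("krb5_ccache_conf_data/")]
    if real_misses:
        out.append("credentials missing from ccache: " + ", ".join(real_misses))
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_TRACE.splitlines())):
        print(line)
```

Feed it the real file (e.g. a krb5_child.log written with debug_level = 10 in sssd.conf) instead of SAMPLE_TRACE and extend KDC_ERR_RE handling with the codes you actually see; the point of separating parse_line from findings is that the trace shapes stay in one place while the interpretation can grow.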
Re: [Freeipa-users] Freeipa and EDUROAM
On Sun, Nov 23, 2014 at 8:51 AM, Cosme Corrêa <cosm...@gmail.com> wrote:
> Hi, I am an EDUROAM administrator. We use openldap, but I would like to migrate to freeipa. Has anyone done this before? Any help would be greatly appreciated.

Can you help define what eduroam is? Are you referring to the federated wireless network infrastructures being deployed by universities around the world?

> --
> Cosme Faria Corrêa
[Freeipa-users] curious about monkeysphere
I'm curious about monkeysphere (http://web.monkeysphere.info/) and how it might compare to, integrate with, or enhance freeipa. Any thoughts or ideas, or is what it does basically already covered by freeipa?