Re: [Freeipa-users] CentOS patch management on FreeIPA server

2017-05-17 Thread Lakshan Jayasekara
Hi Chris,

Thanks for the update. Please let me know whether any sort of configuration 
backup can be taken for the IPA server. Also let me know the sequence for 
updating the systems, as I have IPA servers and a replica server in my 
infrastructure.

These are virtual servers and are backed up before updating.


Best Regards,

Lakshanth Chandika Jayasekara
Senior Systems Engineer


From: Christophe TREFOIS [mailto:christophe.tref...@uni.lu]
Sent: Wednesday, May 17, 2017 11:25 PM
To: Lachlan Musicman 
Cc: Lakshan Jayasekara ; 
freeipa-users@redhat.com
Subject: Re: [Freeipa-users] CentOS patch management on FreeIPA server

Hi,

I think yum update is fine, just don’t do it at the same time. It’s written 
somewhere in the docs that this could lead to crappy outcome.

Also, Lachlan, how do you do backups of FreeIPA?
--
Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc
UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb





On 17 May 2017, at 08:04, Lachlan Musicman <data...@gmail.com> wrote:

On 17 May 2017 at 15:23, Lakshan Jayasekara <lakshan.jayasek...@lankaclear.com> 
wrote:
>
> Hi All,
>
>
>
> I’m using FreeIPA server VERSION: 4.4.0, API_VERSION: 2.213 and running on 
> CentOS 7 and have one replica server as well. I need to patch up centos 
> system as per PCI DSS compliance. Let me know whether I can proceed as usual 
> or to follow any sequential steps to achieve the task.


Lakshanth,

You should always have appropriate backup and restore procedures that are good 
for you.
Having said that, I regularly update our IPA server with patches (via 
Katello/Foreman) without a problem.

I think I even "yum update"d from IPA 4.2 to 4.4 and it just worked.

cheers
L.


--
"Mission Statement: To provide hope and inspiration for collective action, to 
build collective power, to achieve collective transformation, rooted in grief 
and rage but pointed towards vision and dreams."

 - Patrice Cullors, Black Lives Matter founder
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Fresh Install of FreeIPA-Server - CentOS7

2017-05-17 Thread Robert L. Harris
Ok, I reverted to a completely fresh install, literally just after the
first reboot.  It installed cleanly.  So there's something in a package
upgrade that's breaking things.  I may try to figure it out later.

On Tue, May 16, 2017 at 3:08 PM Dagan McGregor  wrote:

> On 17 May 2017 8:50:02 AM NZST, "Robert L. Harris" <
> robert.l.har...@gmail.com> wrote:
>>
>>   I can, though that's what I did 2 days ago, fresh install from latest
>> ISO.
>>
>>
>> On Tue, May 16, 2017 at 2:40 PM Andrew Holway 
>> wrote:
>>
>>> I have a feeling that there is something broken with your image. Could
>>> you try installing Centos from ISO?
>>>
>>>
>>> On 16 May 2017 at 22:37, Robert L. Harris 
>>> wrote:
>>>

>>>> I left SELinux enabled, no change, still streaming the same error:
>>>>
>>>> [Tue May 16 14:36:48.957848 2017] [:error] [pid 10780] NSS_Initialize
>>>> failed. Certificate database: /etc/httpd/alias.
>>>> [Tue May 16 14:36:48.957883 2017] [:error] [pid 10780] SSL Library
>>>> Error: -8038 SEC_ERROR_NOT_INITIALIZED
>>>> [Tue May 16 14:36:48.957886 2017] [:error] [pid 10780] Does the NSS
>>>> database exist?
>>>>
>>>>
>>>> On Tue, May 16, 2017 at 2:12 PM Andrew Holway wrote:
>>>>
>>>>> Yea, I would try installing IPA then making the changes that you want.
>>>>> I think SELinux should be left enabled however. It makes admin super fun! :)
>>>>>
>>>>>
>>>>> On 16 May 2017 at 21:57, Robert L. Harris wrote:
>>>>>
>>>>>>
>>>>>> I did disable selinux as it gave errors setting up my standard users,
>>>>>> etc.  I can roll back the snapshot, set it at 4Gigs of RAM and re-enable
>>>>>> selinux and then try again.
>>>>>>
>>>>>>
>>>>>> On Tue, May 16, 2017 at 1:52 PM Andrew Holway <andrew.hol...@gmail.com> wrote:
>>>>>>
>>>>>>> This is pretty weird. FreeIPA installation normally works.
>>>>>>>
>>>>>>> Has the operating system image been changed or optimised somehow?
>>>>>>> Perhaps SELinux has been disabled? Have you tried installing Centos7 from
>>>>>>> the ISO?
>>>>>>>
>>>>>>> On 16 May 2017 at 21:48, Robert L. Harris wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> 2 Gigs, it's a VM.  The VM didn't report any memory issues (no
>>>>>>>> alarms on VMWare).
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, May 16, 2017 at 12:29 PM Andrew Holway <andrew.hol...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hallo,
>>>>>>>>>
>>>>>>>>> How much memory do you have on the machine? I have a sneaking
>>>>>>>>> suspicion that you're running out.
>>>>>>>>>
>>>>>>>>> Ta,
>>>>>>>>>
>>>>>>>>> Andrew
>>>>>>>>>
>>>>>>>>> On 16 May 2017 at 17:16, Robert L. Harris <robert.l.har...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Last night I rolled back my snapshot.  Here's what I have after
>>>>>>>>>> the yum install
>>>>>>>>>>
>>>>>>>>>> "minimal" install of Centos7 + basic build.
>>>>>>>>>> {0}:/var/log>cat /etc/*elease
>>>>>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>>>>>> NAME="CentOS Linux"
>>>>>>>>>> VERSION="7 (Core)"
>>>>>>>>>> ID="centos"
>>>>>>>>>> ID_LIKE="rhel fedora"
>>>>>>>>>> VERSION_ID="7"
>>>>>>>>>> PRETTY_NAME="CentOS Linux 7 (Core)"
>>>>>>>>>> ANSI_COLOR="0;31"
>>>>>>>>>> CPE_NAME="cpe:/o:centos:centos:7"
>>>>>>>>>> HOME_URL="https://www.centos.org/"
>>>>>>>>>> BUG_REPORT_URL="https://bugs.centos.org/"
>>>>>>>>>>
>>>>>>>>>> CENTOS_MANTISBT_PROJECT="CentOS-7"
>>>>>>>>>> CENTOS_MANTISBT_PROJECT_VERSION="7"
>>>>>>>>>> REDHAT_SUPPORT_PRODUCT="centos"
>>>>>>>>>> REDHAT_SUPPORT_PRODUCT_VERSION="7"
>>>>>>>>>>
>>>>>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>>>>>> CentOS Linux release 7.3.1611 (Core)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> {0}:/var/log>rpm -q -a | egrep -i 'http|apach|tomc|ipa|krb'
>>>>>>>>>> sssd-krb5-common-1.14.0-43.el7_3.14.x86_64
>>>>>>>>>> python2-ipaclient-4.4.0-14.el7.centos.7.noarch
>>>>>>>>>> ipa-common-4.4.0-14.el7.centos.7.noarch
>>>>>>>>>> perl-HTTP-Tiny-0.033-3.el7.noarch
>>>>>>>>>> python-iniparse-0.4-9.el7.noarch
>>>>>>>>>> ipa-client-common-4.4.0-14.el7.centos.7.noarch
>>>>>>>>>> pam_krb5-2.4.8-6.el7.x86_64
>>>>>>>>>> sssd-krb5-1.14.0-43.el7_3.14.x86_64
>>>>>>>>>> python-ipaddress-1.0.16-2.el7.noarch
>>>>>>>>>> python2-ipalib-4.4.0-14.el7.centos.7.noarch
>>>>>>>>>> krb5-libs-1.14.1-27.el7_3.x86_64
>>>>>>>>>> libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>>>>>>> python-libipa_hbac-1.14.0-43.el7_3.14.x86_64
>>>>>>>>>> sssd-ipa-1.14.0-43.el7_3.14.x86_64
>>>>>>>>>> krb5-workstation-1.14.1-27.el7_3.x86_64
>>>>>>>>>> ipa-client-4.4.0-14.el7.centos.7.x86_64
>>>>>>>>>>
>>>>>>>>>> Tried to pull an exact client.  The "yum install ipa-server" went
>>>>>>>>>> fine:
>>>>>>>>>>
>>>>>>>>>> {0}:/var/log/httpd>rpm -a -q | grep -i ipa-server
>>>>>>>>>> ipa-server-4.4.0-14.el7.centos.7.x86_64
>>>>>>>>>> ipa-server-common-4.4.0-14.el7.centos.7.noarch
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> "ipa-server-install" ran clean but has been stuck for 2 days:
>>>>>>>>>>
>>>>>>>>>> Restarting the directory server
>>>>>>>>>> Restarting the KDC
>>>>>>>>>> Please add records in this file to your DNS 


[Freeipa-users] mysql connection has been blocked by sss_ssh_knownhostsproxy

2017-05-17 Thread Matrix
There is a weird issue occurring with sss_ssh_knownhostsproxy. I am not sure it 
is within the coverage of the IPA mailing list, but I want to get some 
suggestions from your side.


Background:
Server A is running a mysql database, and it will simultaneously send a 1.3GB 
file to 14 clients.


With 'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h':
the mysql connection will be blocked by those 14 rsync connections. 
From the 'netstat -tupnlo' result, we can see that the send queue grows higher 
and higher; it looks like sending has been blocked. Finally, after mysql 
'net_write_timeout', the connection will be closed since no data can be sent 
from this connection. 


Without 'ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h':

the mysql connection works as normal. 

sss_ssh_knownhostsproxy version: sssd-common-1.14.0-43.el7_3.11.x86_64

rsync version: rsync-3.0.9-17.el7.x86_64

kernel version: 3.10.0-229.el7.x86_64


Could you provide some hints on this? That would be appreciated. 


Matrix

Re: [Freeipa-users] Freeipa and limiting access by group (memberOf)

2017-05-17 Thread Jakub Hrozek
On Tue, May 16, 2017 at 07:56:38AM -0600, Janet Houser wrote:
> Hi Folks,
> 
> Last week I deployed freeipa on a CentOS7 VM.   The installation went very
> smoothly using:
> 
> yum install ipa-server
> 
> and
> 
> ipa-server-install
> 
> 
> My issue is with connecting a CentOS 7 client.  On my client, I yum
> installed  ipa-client and ipa-admintools.
> I then ran "ipa-client-install" and answered the setup questions (very
> easy and smooth).
> 
> The "getent passwd" command didn't return any users, but the "getent passwd
> jdoe" does give the information
> for the user.   I found in the archives that I can set "enumerate=True" so I
> get a complete user listing.   That
> seems to be working, and I was able to login with the account "jdoe"
> (brilliant!).

I would discourage enumeration especially if you're planning on a large
domain. The performance right now is not great. Moreover, the way the
trusted accounts are retrieved doesn't support enumeration at all
either.

> 
> Problem 1:
> 
> 
> I created a user group on the ipa server  with the following attributes:
> 
>name = xyx,  gid = 1000
> 
> I changed the user "jdoe" to have gid = 1000, but when I ssh into the ipa
> client, I get the following message after
> logging in:
> 
> /usr/bin/id: cannot find name for group ID 1000
> 
> A "getent group" command does list the group: xyz:*:1000:
> 
> A "groups" command issued by the user shows:   xyz
> 
> files created by the user show the correct ownership and group.

I would first try to remove the sssd caches because uid/gid renumbering
doesn't work great. If that doesn't help, please check the sssd logs.

By the way, 1000 is quite low and would most probably clash with local
accounts. I would strongly suggest sticking to ID numbers within the
configured ID range (ipa idrange-find).

> 
> Problem 2:
> ===
> 
> I've been looking through the freeipa groups and literature and I can't
> figure out how to limit user login access to
> an ipa client by a memberOf group.
> 
> When I was using CentOS 6 and 7 I could use the nslcd.conf file to put in a
> group filter like:
> 
> passwd 
> (&(objectClass=posixAccount)(memberOf=CN=test,OU=Groups,DC=abc,DC=xyx,DC=edu))
> 
> 
> I tried changing the access_provider to simple and using the
> "simply_allow_groups = test", but that didn't work.
> However, using "access_provider = ipa" and "filter_users" did allow me to
> filter out a user from the "getent passwd" command.
> 
> I tried changing the access_provider to ldap and using the filter
> "ldap_access_filter = memberOf=cn=test=OU=Groups,DC=abc,DC=xyx,DC=edu
> but that failed too.

Please check out "ipa help hbac"



Re: [Freeipa-users] Password and OTP auth

2017-05-17 Thread Andrey Dudin
Hello

If I do ipa user-mod test --user-auth-type=password --user-auth-type=otp, I
have this user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  User authentication types: otp, password
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True

I can log in to ipa-client.mydomain.com via ssh using password+otp token,
but for login to the IPA Web UI I also need password+otp. I need just the
password for the IPA Web UI and password+otp token for ssh on
ipa-client.mydomain.com.


[root@ipa-centos]# ipa service-show HTTP/ipa-centos.mydomain@mydomain.com --raw
  krbcanonicalname: HTTP/ipa-centos.mydomain@mydomain.com
  krbprincipalname: HTTP/ipa-centos.mydomain@mydomain.com
  usercertificate: %cert%
  subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
  serial_number: 9
  serial_number_hex: 0x9
  issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  valid_not_before: Tue May 16 11:32:36 2017 UTC
  valid_not_after: Fri May 17 11:32:36 2019 UTC
  md5_fingerprint: e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
  sha1_fingerprint: de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
  krbprincipalauthind: password
  has_keytab: TRUE
  managedby: fqdn=ipa-centos.mydomain.com,cn=computers,cn=accounts,dc=dev,dc=olabs,dc=global

2017-05-17 12:17 GMT+03:00 Sumit Bose :

> On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> > Thanks, but I think I have a problem.
> >
> > I have test user:
> >
> > [root@ipa-centos]# ipa user-show test
> >   User login: test
> >   First name: test
> >   Last name: test
> >   Home directory: /home/test
> >   Login shell: /bin/sh
> >   Principal name: t...@mydomain.com
> >   Principal alias: t...@mydomain.com
> >   Email address: t...@mydomain.com
> >   UID: 15221
> >   GID: 15221
>
> As mentioned in the other thread there should be a listing of user auth
> types here. Please try
>
> ipa user-mod test --user-auth-type=password --user-auth-type=otp
>
> to allow both password and 2-factor/otp authentication.
>
> >   Account disabled: False
> >   Password: True
> >   Member of groups: trust admins, ipausers, admins
> >   Kerberos keys available: True
> >
> >
> > And test host:
> >
> > [root@ipa-centos]# ipa host-show ipa-client.mydomain.com
> >   Host name: ipa-client.mydomain.com
> >   Principal name: host/ipa-client.mydomain@mydomain.com
> >   Principal alias: host/ipa-client.mydomain@mydomain.com
> >   SSH public key fingerprint: %SOME FINGERPRINTS%
> >   Authentication Indicators: otp
> >   Password: False
> >   Keytab: True
> >   Managed by: ipa-client.mydomain.com
> >
> >
> > When I try to log in to ipa-client.mydomain.com with password+otptoken I
> > have error:
> >
> > [mynotebook]$ ssh t...@ipa-client.mydomain.com
> > t...@ipa-client.mydomain.com's password:
>
> Please check if ChallengeResponseAuthentication is enabled in
> /etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it
> by setting 'ChallengeResponseAuthentication yes'.
> > Permission denied, please try again.
> >
> >
> > Same if I try to use just the password.
> >
> > On ipa server in krb5kdc.log I see:
> >
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16
> > 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/
> > mydomain@mydomain.com, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16
> > 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/
> > mydomain@mydomain.com, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16
> > 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18
> > ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16
> > 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853,
> > t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required
> > auth indicators not present in ticket: otp
>
> The otp authentication indicator is missing in the Kerberos ticket of
> the user. I assume that the ticket was requested only with the password.
> Please see above what might be missing.
>
> HTH
>
> bye,
> Sumit
>
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17
> 16
> > 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICA

Re: [Freeipa-users] Password and OTP auth

2017-05-17 Thread Sumit Bose
On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> Thanks, but I think I have a problem.
> 
> I have test user:
> 
> [root@ipa-centos]# ipa user-show test
>   User login: test
>   First name: test
>   Last name: test
>   Home directory: /home/test
>   Login shell: /bin/sh
>   Principal name: t...@mydomain.com
>   Principal alias: t...@mydomain.com
>   Email address: t...@mydomain.com
>   UID: 15221
>   GID: 15221

As mentioned in the other thread there should be a listing of user auth
types here. Please try

ipa user-mod test --user-auth-type=password --user-auth-type=otp

to allow both password and 2-factor/otp authentication.

>   Account disabled: False
>   Password: True
>   Member of groups: trust admins, ipausers, admins
>   Kerberos keys available: True
> 
> 
> And test host:
> 
> [root@ipa-centos]# ipa host-show ipa-client.mydomain.com
>   Host name: ipa-client.mydomain.com
>   Principal name: host/ipa-client.mydomain@mydomain.com
>   Principal alias: host/ipa-client.mydomain@mydomain.com
>   SSH public key fingerprint: %SOME FINGERPRINTS%
>   Authentication Indicators: otp
>   Password: False
>   Keytab: True
>   Managed by: ipa-client.mydomain.com
> 
> 
> When I try to log in to ipa-client.mydomain.com with password+otptoken I
> have error:
> 
> [mynotebook]$ ssh t...@ipa-client.mydomain.com
> t...@ipa-client.mydomain.com's password:

Please check if ChallengeResponseAuthentication is enabled in
/etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it
by setting 'ChallengeResponseAuthentication yes'.
> Permission denied, please try again.
> 
> 
> Same if I try to use just the password.
> 
> On ipa server in krb5kdc.log I see:
> 
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/
> mydomain@mydomain.com, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/
> mydomain@mydomain.com, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18
> ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853,
> t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required
> auth indicators not present in ticket: otp

The otp authentication indicator is missing in the Kerberos ticket of
the user. I assume that the ticket was requested only with the password.
Please see above what might be missing.

HTH

bye,
Sumit

> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853,
> t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required
> auth indicators not present in ticket: otp
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> 
> What's wrong?
> 
> 2017-05-16 17:16 GMT+03:00 Sumit Bose :
> 
> > On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > > Hello all.
> > >
> > > Tell me please, is it possible to use password and otp auth at the same
> > > time?
> > >
> > > For example I have DEV/STAGE servers and want to be able to use password
> > auth
> > > for ssh, but for PROD servers I want to use OTP auth for the same user.
> >
> > Authentication indicators can be used for this. If you add
> >
> > ipa host-mod --auth-ind=otp prod.server
> >
> > only 2-factor authentication should be possible on prod.server. But
> > please note that e.g. ssh-key based authentication will still be
> > possible as well.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> 
> 
> 
> -- 
> Best regards, Andrey Dudin

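The krb5kdc.log excerpt Sumit interprets above (an AS_REQ that ISSUEs a TGT, then a TGS_REQ refused with HIGHER_AUTHENTICATION_REQUIRED because the ticket lacks the host's "otp" indicator) can be picked out of a KDC log automatically. The following is an added example, not code from the list or from the FreeIPA project; the log lines are constructed in the same shape as the poster's, with jdoe@EXAMPLE.COM and ipa-client.example.com standing in for the elided principals.

```python
"""Audit MIT krb5kdc.log lines from a FreeIPA KDC for tickets refused because a
required authentication indicator (e.g. 'otp') was not in the user's TGT."""
import re
from collections import Counter

# One KDC request line: "<ts> <kdc host> krb5kdc[<pid>](info): <AS_REQ|TGS_REQ>
# (<etypes>) <client ip>: <STATUS>: <details>"
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) (?P<client_ip>[0-9a-fA-F.:]+): "
    r"(?P<status>[A-Z_]+): (?P<details>.*)$"
)
# "<client principal> for <service principal>" inside the details field
PRINCIPALS = re.compile(r"(?P<client>\S+@\S+) for (?P<service>\S+?)(?:,|$)")
# Trailer the KDC appends when a host's auth indicator is not in the ticket
MISSING = re.compile(r"Required auth indicators not present in ticket: (?P<ind>.+)$")

# Constructed sample in the same shape as the poster's log; jdoe@EXAMPLE.COM and
# ipa-client.example.com stand in for the elided principals.
SAMPLE_LOG = """\
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: jdoe@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, jdoe@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, jdoe@EXAMPLE.COM for host/ipa-client.example.com@EXAMPLE.COM, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
""".splitlines()


def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ line, None for anything else
    (e.g. 'closing down fd 12')."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS.search(rec["details"])
    rec["client_princ"] = p.group("client") if p else None
    rec["service_princ"] = p.group("service") if p else None
    mi = MISSING.search(rec["details"])
    rec["missing_indicators"] = mi.group("ind").split() if mi else []
    return rec


def audit_kdc_log(lines):
    """Count issued tickets per (request type, client principal) and list every
    TGS request refused with HIGHER_AUTHENTICATION_REQUIRED."""
    issued = Counter()
    refused = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        if rec["status"] == "ISSUE":
            issued[(rec["req"], rec["client_princ"])] += 1
        elif rec["status"] == "HIGHER_AUTHENTICATION_REQUIRED":
            refused.append({
                "client": rec["client_princ"],
                "service": rec["service_princ"],
                "from": rec["client_ip"],
                "missing": rec["missing_indicators"],
                # A TGT was issued for the same user earlier in the log, so the
                # user did authenticate, only without the indicator: password-only
                # pre-auth instead of password+OTP (the case Sumit describes).
                "tgt_issued_without_indicator":
                    issued[("AS_REQ", rec["client_princ"])] > 0,
            })
    return {"issued": dict(issued), "refused": refused}


if __name__ == "__main__":
    for r in audit_kdc_log(SAMPLE_LOG)["refused"]:
        print("%s -> %s from %s: ticket lacks %s"
              % (r["client"], r["service"], r["from"], " ".join(r["missing"])))
```

A refusal whose user already holds a TGT points at the client side (password-only pre-auth, e.g. sshd without ChallengeResponseAuthentication or a user without the otp auth type), not at the host's indicator setting.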