Re: [Freeipa-users] FreeIPA4 OTP vs PAM
On Sat, Nov 22, 2014 at 02:05:19PM -0800, Michael Lasevich wrote:
> I got some extra log output: seems that FAST IS being used. I am running SSSD 1.11.6, which is supposed to have the above mentioned issues fixed:
>
> Log:
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipaclient.my.domain@my.domain.com in keytab.
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [match_principal] (0x1000): Principal matched to the sample (host/ipaclient.my.domain@my.domain.com).
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361296: Retrieving host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: 0/Success
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [main] (0x0400): Will perform online auth
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [tgt_req_child] (0x1000): Attempting to get a TGT
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MY.DOMAIN.COM]
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361440: Getting initial credentials for mich...@my.domain.com
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361508: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361575: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361648: Sending request (188 bytes) to MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361842: Sending initial UDP request to dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365901: Received answer from dgram 1.1.1.2:88
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365981: Response was from master KDC
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366020: Received error from KDC: -1765328359/Additional pre-authentication required
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366051: Upgrading to FAST due to presence of PA_FX_FAST in reply
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366075: Restarting to upgrade to FAST
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366102: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366161: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366191: Upgrading to FAST due to presence of PA_FX_FAST in reply
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366215: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366267: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366322: Getting credentials host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com using ccache FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
> (Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366380: Retrieving host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com from
Re: [Freeipa-users] FreeIPA4 OTP vs PAM
Reviving this as I am still stuck with CentOS 6. CentOS 6.6 now has sssd 1.11 - yet I still cannot get the OTP to work under PAM:

I created a test user and added an OTP. The user works fine without the OTP, however I keep getting this when trying to test with OTP via pamtester:

pamtester: pam_sss(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=michael
pamtester: pam_sss(login:auth): received for user michael: 17 (Failure setting user credentials)

Is there a way to get more information as to what is going on?

Is my expectation that I would provide the OTP in the form of password123456 correct (assuming my password is password and the OTP token is 123456)?

On Fri, Aug 15, 2014 at 2:29 AM, Michael Lasevich mlasev...@lasevich.net wrote:
> Thanks, glad I asked before wasting time.
>
> On Fri, Aug 15, 2014 at 1:07 AM, Jakub Hrozek jhro...@redhat.com wrote:
> > On Thu, Aug 14, 2014 at 01:19:58PM -0700, Michael Lasevich wrote:
> > > I did not dive into this yet, but before I waste too much time I wanted to ask if the centos 6.5 default ipa client is expected to work with 2FA or not.
> >
> > No it's not, sorry. The 6.5 client is SSSD 1.9.x and there's a couple of fixes that landed during the 1.11 development such as:
> > https://fedorahosted.org/sssd/ticket/2186
> > or:
> > https://fedorahosted.org/sssd/ticket/2271
> > plus some other commits I see in git log which don't reference any ticket.
> >
> > I'd suggest to test using a centos 7.0 client.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] FreeIPA4 OTP vs PAM
I got some extra log output: seems that FAST IS being used. I am running SSSD 1.11.6, which is supposed to have the above mentioned issues fixed:

Log:
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipaclient.my.domain@my.domain.com in keytab.
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [match_principal] (0x1000): Principal matched to the sample (host/ipaclient.my.domain@my.domain.com).
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361296: Retrieving host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: 0/Success
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [main] (0x0400): Will perform online auth
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [tgt_req_child] (0x1000): Attempting to get a TGT
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MY.DOMAIN.COM]
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361440: Getting initial credentials for mich...@my.domain.com
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361508: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361575: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361648: Sending request (188 bytes) to MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361842: Sending initial UDP request to dgram 1.1.1.2:88
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365901: Received answer from dgram 1.1.1.2:88
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.365981: Response was from master KDC
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366020: Received error from KDC: -1765328359/Additional pre-authentication required
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366051: Upgrading to FAST due to presence of PA_FX_FAST in reply
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366075: Restarting to upgrade to FAST
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366102: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366161: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366191: Upgrading to FAST due to presence of PA_FX_FAST in reply
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366215: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366267: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366322: Getting credentials host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com using ccache FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366380: Retrieving host/ipaclient.my.domain@my.domain.com - krbtgt/my.domain@my.domain.com from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: 0/Success
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451]
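The log above is the kind of thing a reader has to eyeball to answer "is FAST actually being used, and what did the KDC say?". As an added example (not SSSD, FreeIPA or the poster's own code) here is a small Python parser for krb5_child debug lines in the format shown in the thread, which pulls out the armor ccache, the fast_avail cache-conf lookup, any KDC error and whether the client restarted under FAST, plus a helper for the pam_sss result line pamtester printed. The sample lines it runs on are constructed to match the post; hostnames, realm, PID and timestamps are placeholders taken from the anonymised log.

```python
"""Summarise the FAST negotiation from SSSD krb5_child debug output.

Added example for this thread; not SSSD or FreeIPA code. It parses the
line shape visible in the quoted log:
  (timestamp) [sssd[krb5_child[PID]]] [function] (0xLEVEL): message
Lines from sss_child_krb5_trace_cb wrap a libkrb5 trace message in a
"[pid] secs.usec: " prefix, which is stripped before matching.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample shaped like the lines quoted in this thread (placeholders,
# not real data).  The leading newline is skipped by the parser.
SAMPLE_LOG = r"""
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [MY.DOMAIN.COM]
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361508: FAST armor ccache: FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.361575: Retrieving host/ipaclient.my.domain@my.domain.com - krb5_ccache_conf_data/fast_avail/krbtgt\/MY.DOMAIN.COM\@MY.DOMAIN.COM@X-CACHECONF: from FILE:/var/lib/sss/db/fast_ccache_MY.DOMAIN.COM with result: -1765328243/Matching credential not found
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366020: Received error from KDC: -1765328359/Additional pre-authentication required
(Sat Nov 22 14:55:43 2014) [sssd[krb5_child[2451]]] [sss_child_krb5_trace_cb] (0x4000): [2451] 1416693343.366051: Upgrading to FAST due to presence of PA_FX_FAST in reply
"""

# Constructed pam_sss line in the shape pamtester printed in the thread.
SAMPLE_PAM = "pamtester: pam_sss(login:auth): received for user michael: 17 (Failure setting user credentials)"

LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<child>\w+)\[(?P<pid>\d+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
TRACE_RE = re.compile(r"^\[\d+\] \d+\.\d+: (?P<msg>.*)$")
REALM_RE = re.compile(r"^Attempting kinit for realm \[(?P<realm>[^\]]+)\]$")
ARMOR_RE = re.compile(r"^FAST armor ccache: (?P<ccache>\S+)$")
CC_RESULT_RE = re.compile(
    r"^Retrieving (?P<client>\S+) - (?P<server>\S+) from (?P<ccache>\S+) "
    r"with result: (?P<code>-?\d+)/(?P<text>.+)$"
)
KDC_ERR_RE = re.compile(r"^Received error from KDC: (?P<code>-?\d+)/(?P<text>.+)$")
PAM_SSS_RE = re.compile(
    r"pam_sss\([^)]*\): received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one krb5_child line into its fields; None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    t = TRACE_RE.match(entry["msg"])
    if t:
        entry["msg"] = t.group("msg")  # drop the libkrb5 "[pid] time: " prefix
    return entry


def summarize_fast(text: str) -> dict:
    """Walk the log and record what the client did about FAST."""
    summary = {
        "realm": None,              # realm the kinit was attempted against
        "fast_tgt_valid": False,    # host TGT in the armor ccache was usable
        "armor_ccache": None,       # ccache libkrb5 said it armors with
        "fast_avail_cached": None,  # ccache already recorded KDC FAST support
        "kdc_errors": [],           # (code, text) pairs returned by the KDC
        "upgraded_to_fast": False,  # client saw PA_FX_FAST and restarted
    }
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        msg = entry["msg"]
        if entry["func"] == "check_fast_ccache" and "FAST TGT is still valid" in msg:
            summary["fast_tgt_valid"] = True
        if m := REALM_RE.match(msg):
            summary["realm"] = m.group("realm")
        elif m := ARMOR_RE.match(msg):
            summary["armor_ccache"] = m.group("ccache")
        elif m := CC_RESULT_RE.match(msg):
            if "/fast_avail/" in m.group("server"):
                # A miss here only means the KDC's FAST support is not yet
                # recorded in the ccache; it is expected on a first run.
                summary["fast_avail_cached"] = int(m.group("code")) == 0
        elif m := KDC_ERR_RE.match(msg):
            summary["kdc_errors"].append((int(m.group("code")), m.group("text")))
        elif msg.startswith("Upgrading to FAST"):
            summary["upgraded_to_fast"] = True
    return summary


def fast_in_use(summary: dict) -> bool:
    """True when an armor ccache was set and the client restarted under FAST."""
    return summary["armor_ccache"] is not None and bool(summary["upgraded_to_fast"])


def parse_pam_sss(line: str) -> Optional[Tuple[str, int, str]]:
    """Pull (user, PAM return code, text) out of a pam_sss result line."""
    m = PAM_SSS_RE.search(line)
    if not m:
        return None
    return m.group("user"), int(m.group("code")), m.group("text")


if __name__ == "__main__":
    s = summarize_fast(SAMPLE_LOG)
    for k, v in s.items():
        print(f"{k:18} {v}")
    print("FAST in use:", fast_in_use(s))
    print("pam_sss result:", parse_pam_sss(SAMPLE_PAM))
```

Feed it the real krb5_child.log (debug_level 10 or higher in the domain section of sssd.conf) instead of SAMPLE_LOG; the "Additional pre-authentication required" error followed by "Upgrading to FAST" is the normal first round trip, so what matters for an OTP failure is what the KDC returns on the armored request after it.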
Re: [Freeipa-users] FreeIPA4 OTP vs PAM
On Thu, Aug 14, 2014 at 01:19:58PM -0700, Michael Lasevich wrote:
> I did not dive into this yet, but before I waste too much time I wanted to ask if the centos 6.5 default ipa client is expected to work with 2FA or not.

No it's not, sorry. The 6.5 client is SSSD 1.9.x and there's a couple of fixes that landed during the 1.11 development such as:
https://fedorahosted.org/sssd/ticket/2186
or:
https://fedorahosted.org/sssd/ticket/2271
plus some other commits I see in git log which don't reference any ticket.

I'd suggest to test using a centos 7.0 client.
Re: [Freeipa-users] FreeIPA4 OTP vs PAM
Thanks, glad I asked before wasting time.

On Fri, Aug 15, 2014 at 1:07 AM, Jakub Hrozek jhro...@redhat.com wrote:
> On Thu, Aug 14, 2014 at 01:19:58PM -0700, Michael Lasevich wrote:
> > I did not dive into this yet, but before I waste too much time I wanted to ask if the centos 6.5 default ipa client is expected to work with 2FA or not.
>
> No it's not, sorry. The 6.5 client is SSSD 1.9.x and there's a couple of fixes that landed during the 1.11 development such as:
> https://fedorahosted.org/sssd/ticket/2186
> or:
> https://fedorahosted.org/sssd/ticket/2271
> plus some other commits I see in git log which don't reference any ticket.
>
> I'd suggest to test using a centos 7.0 client.
[Freeipa-users] FreeIPA4 OTP vs PAM
I am testing a simple setup with a FreeIPA 4.0.1 server and a centos6.5 stock ipa-client package, and I can get the regular password to work, but not OTP login (OTP login works in the web UI).

As I understood this, kinit is not expected to work (it requires FAST) but PAM (which uses sssd, which is supposed to support/configure FAST by default) is. Indeed the kinit fails with "Generic preauthentication failure while getting initial credentials", but PAM/SSSD does not seem to work either.

This is a brand new test domain with the allow-all HBAC intact, so I do not think that is the issue.

I did not dive into this yet, but before I waste too much time I wanted to ask if the centos 6.5 default ipa client is expected to work with 2FA or not.

Thanks
-M