Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-25 Thread Jan Pazdziora
On Tue, Sep 22, 2015 at 08:55:53AM -0400, Nathaniel McCallum wrote:
> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > Dear freeipa-users,
> > 
> > I'm having an issue with otp in freeipa. I can set up the service as
> > described in the blog post for TOTP or HOTP, and sync the token fine.
> > When I try to login to the admin tools or an ipa-managed client
> > (with ) , I get a password incorrect message.
> > Here are some more details: https://github.com/adelton/docker-freeipa
> > /issues/34
> > Can anyone help me to debug/get this working?
> 
> I'm very unclear as to what you are trying to do. Are you trying to
> run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> ipa-otpd will require systemd in the container.

Well, we have separate daemon listening on the
/var/run/krb5kdc/DEFAULT.socket in the container which should start
the ipa-otpd@.service when there's a connection made to it. But
somehow it does not seem to be happening even if I fix the parsing of
/etc/ipa/default.conf that ipa-otpd@.service is doing.

What is the simplest way to trigger the connection to
/var/run/krb5kdc/DEFAULT.socket, for debugging purposes?

I haven't even been able to sync the token properly, which Duncan says
in


https://github.com/adelton/docker-freeipa/issues/34#issuecomment-123877080

was working for him.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-25 Thread Alexander Bokovoy

On Fri, 25 Sep 2015, Jan Pazdziora wrote:

> On Tue, Sep 22, 2015 at 08:55:53AM -0400, Nathaniel McCallum wrote:
> 
> > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > Dear freeipa-users,
> > >
> > > I'm having an issue with otp in freeipa. I can set up the service as
> > > described in the blog post for TOTP or HOTP, and sync the token fine.
> > > When I try to login to the admin tools or an ipa-managed client
> > > (with ) , I get a password incorrect message.
> > > Here are some more details: https://github.com/adelton/docker-freeipa
> > > /issues/34
> > > Can anyone help me to debug/get this working?
> > 
> > I'm very unclear as to what you are trying to do. Are you trying to
> > run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> > ipa-otpd will require systemd in the container.
> 
> Well, we have separate daemon listening on the
> /var/run/krb5kdc/DEFAULT.socket in the container which should start
> the ipa-otpd@.service when there's a connection made to it. But
> somehow it does not seem to be happening even if I fix the parsing of
> /etc/ipa/default.conf that ipa-otpd@.service is doing.

As I wrote earlier, ipa-otpd relies on the socket activation feature of
systemd -- systemd opens this socket and listens for incoming
connections. Any incoming connection causes the ipa-otpd daemon to start and
connects its stdin/stdout to the socket's client.


> What is the simplest way to trigger the connection to
> /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?

Use socat. Something like

socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd

--
/ Alexander Bokovoy



Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-25 Thread Jan Pazdziora
On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> >
> >Well, we have separate daemon listening on the
> >/var/run/krb5kdc/DEFAULT.socket in the container which should start
> >the ipa-otpd@.service when there's a connection made to it. But
> >somehow it does not seem to be happening even if I fix the parsing of
> >/etc/ipa/default.conf that ipa-otpd@.service is doing.
> As I wrote earlier, ipa-otpd relies on the socket activation feature of
> systemd -- systemd opens this socket and listens for incoming
> connections. Any incoming connection causes the ipa-otpd daemon to start and
> connects its stdin/stdout to the socket's client.

And in the container there is no systemd so I emulate it there by just
running a separate daemon listening on that socket which will fork
that ipa-otpd daemon.

> >What is the simplest way to trigger the connection to
> >/var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> Use socat. Something like
> socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd

I meant, how do I cause the IPA stack (KDC?) to make the connection
and communication with the ipa-otpd daemon?

Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
path (so if Duncan managed to sync the token, it worked for him at
least once) in any way or does it bypass it?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-25 Thread Alexander Bokovoy

On Fri, 25 Sep 2015, Jan Pazdziora wrote:

> On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> 
> > >
> > > Well, we have separate daemon listening on the
> > > /var/run/krb5kdc/DEFAULT.socket in the container which should start
> > > the ipa-otpd@.service when there's a connection made to it. But
> > > somehow it does not seem to be happening even if I fix the parsing of
> > > /etc/ipa/default.conf that ipa-otpd@.service is doing.
> > As I wrote earlier, ipa-otpd relies on the socket activation feature of
> > systemd -- systemd opens this socket and listens for incoming
> > connections. Any incoming connection causes the ipa-otpd daemon to start and
> > connects its stdin/stdout to the socket's client.
> 
> And in the container there is no systemd so I emulate it there by just
> running a separate daemon listening on that socket which will fork
> that ipa-otpd daemon.

You did write another daemon? socat is enough.



> > What is the simplest way to trigger the connection to
> > /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> Use socat. Something like
> socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd
> 
> I meant, how do I cause the IPA stack (KDC?) to make the connection
> and communication with the ipa-otpd daemon?

Enable OTP tokens globally or for specific user in web UI, restart KDC.

Create OTP token for a user and try to login via SSSD.


> Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
> path (so if Duncan managed to sync the token, it worked for him at
> least once) in any way or does it bypass it?

No. It uses LDAP extended operation.

--
/ Alexander Bokovoy



Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-25 Thread Nathaniel McCallum
On Fri, 2015-09-25 at 09:22 +0200, Jan Pazdziora wrote:
> On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> > > 
> > > Well, we have separate daemon listening on the
> > > /var/run/krb5kdc/DEFAULT.socket in the container which should
> > > start
> > > the ipa-otpd@.service when there's a connection made to it. But
> > > somehow it does not seem to be happening even if I fix the
> > > parsing of
> > > /etc/ipa/default.conf that ipa-otpd@.service is doing.
> > As I wrote earlier, ipa-otpd relies on the socket activation feature of
> > systemd -- systemd opens this socket and listens for incoming
> > connections. Any incoming connection causes the ipa-otpd daemon to
> > start and connects its stdin/stdout to the socket's client.
> 
> And in the container there is no systemd so I emulate it there by
> just
> running a separate daemon listening on that socket which will fork
> that ipa-otpd daemon.

Is it in the same container? Because ipa-otpd uses ldapi.

> > > What is the simplest way to trigger the connection to
> > > /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> > Use socat. Something like
> > socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd
> 
> I meant, how do I cause the IPA stack (KDC?) to make the connection
> and communication with the ipa-otpd daemon?
> 
> Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
> path (so if Duncan managed to sync the token, it worked for him at
> least once) in any way or does it bypass it?
> 



Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-23 Thread Martin Kosek
On a related point to this note - Duncan, did you try to run your setup with
RPM version of FreeIPA? FreeIPA 4.2 is included both in RHEL-7.2 Beta or in
Fedora 23 Beta updates-testing repo, so you can try the latest and greatest
version there and thus find out if the problems you are seeing are specific to
the containerization or rather a general issue.

On 09/22/2015 08:12 PM, Nathaniel McCallum wrote:
> Running IPA in a container is very bleeding edge. I would not be
> surprised at all if you run into lots of problems.
> 
> On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
>> Thanks Nathaniel,
>>   I am running with Jan's Centos-7 container and I'd like to have
>> Multi-factor Authentication/2FA enabled.
>> He mentioned that systemd is not running in the container, so I
>> guess that explains why 2FA is failing. I wonder if I can get
>> systemd running there.
>> --Duncan
>>
>>
>> Thanks
>> --Duncan
>> 
>> Duncan McNaught
>> Infrastructure Engineer
>>  Technologies | www.bitnet.io
>> +1 720 240 6575
>>
>> On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum > t.com> wrote:
>>> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
>>>> Dear freeipa-users,
>>>>
>>>> I'm having an issue with otp in freeipa. I can set up the service as
>>>> described in the blog post for TOTP or HOTP, and sync the token fine.
>>>> When I try to login to the admin tools or an ipa-managed client
>>>> (with ) , I get a password incorrect message.
>>>> Here are some more details: https://github.com/adelton/docker-freeipa
>>>> /issues/34
>>>> Can anyone help me to debug/get this working?
>>>
>>> I'm very unclear as to what you are trying to do. Are you trying to
>>> run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
>>> ipa-otpd will require systemd in the container.
>>>
>>> If you are trying to run this on CentOS 7.1 (not a container), it
>>> seems to me that your LDAP server isn't running or something is
>>> wrong
>>> with ldapi.
>>>
>>> Can you explain your setup in more detail?
>>>
>>> Nathaniel
>>>
> 



Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-22 Thread Alexander Bokovoy

On Tue, 22 Sep 2015, Duncan McNaught wrote:

> I realize that, thanks.
> That's currently the only problem for us - getting 2FA to work.

Given that we rely on socket activation for ipa-otpd, you would need to
make a wrapper that would listen on a unix domain socket and forward the
data between ipa-otpd stdin/stdout and that socket. This is what is
provided to us by systemd.



> Thanks
> --Duncan
> 
> 
> Duncan McNaught
> Infrastructure Engineer
> Technologies | www.bitnet.io
> +1 720 240 6575
> 
> On Tue, Sep 22, 2015 at 12:12 PM, Nathaniel McCallum 
> wrote:
> 
> 
> > Running IPA in a container is very bleeding edge. I would not be
> > surprised at all if you run into lots of problems.
> > 
> > On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
> > > Thanks Nathaniel,
> > >   I am running with Jan's Centos-7 container and I'd like to have
> > > Multi-factor Authentication/2FA enabled.
> > > He mentioned that systemd is not running in the container, so I
> > > guess that explains why 2FA is failing. I wonder if I can get
> > > systemd running there.
> > > --Duncan
> > >
> > >
> > > Thanks
> > > --Duncan
> > > 
> > > Duncan McNaught
> > > Infrastructure Engineer
> > >  Technologies | www.bitnet.io
> > > +1 720 240 6575
> > >
> > > On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum  t.com> wrote:
> > > > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > > > Dear freeipa-users,
> > > > >
> > > > > I'm having an issue with otp in freeipa. I can set up the service as
> > > > > described in the blog post for TOTP or HOTP, and sync the token fine.
> > > > > When I try to login to the admin tools or an ipa-managed client
> > > > > (with ) , I get a password incorrect message.
> > > > > Here are some more details: https://github.com/adelton/docker-freeipa
> > > > > /issues/34
> > > > > Can anyone help me to debug/get this working?
> > > >
> > > > I'm very unclear as to what you are trying to do. Are you trying to
> > > > run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> > > > ipa-otpd will require systemd in the container.
> > > >
> > > > If you are trying to run this on CentOS 7.1 (not a container), it
> > > > seems to me that your LDAP server isn't running or something is wrong
> > > > with ldapi.
> > > >
> > > > Can you explain your setup in more detail?
> > > >
> > > > Nathaniel
> > > >







--
/ Alexander Bokovoy

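The wrapper Alexander describes (a listener on the Unix socket that hands each client to a fresh ipa-otpd with its stdin/stdout attached, which is what systemd's socket activation does according to his earlier reply), as an added Python example that is not code from FreeIPA or from the docker-freeipa image. The socket path and the ipa-otpd path are the ones named in the thread; the listener permissions, the helper names and the upper-casing stand-in child used by demo_roundtrip are assumptions.

```python
import os
import socket
import subprocess
import sys
import tempfile
import threading

DEFAULT_SOCKET = "/var/run/krb5kdc/DEFAULT.socket"  # path named in the thread
IPA_OTPD = ["/usr/libexec/ipa-otpd"]                # path named in the thread

def bind_listener(path, mode=0o660):
    """Listening Unix socket, stale file removed first (socat's unlink-early).
    Anyone who can connect can drive ipa-otpd, so keep the mode tight."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, mode)  # assumed permissions; adjust to your KDC user
    srv.listen(8)
    return srv

def spawn_for_connection(conn, argv):
    """One child per client with stdin/stdout on the socket, as systemd does
    for ipa-otpd@.service; the parent drops its fd so EOF propagates."""
    proc = subprocess.Popen(argv, stdin=conn.fileno(),
                            stdout=conn.fileno(), close_fds=True)
    conn.close()
    return proc

def serve(srv, argv, max_conns=None):
    """Accept loop; returns spawned children (a real wrapper also reaps them)."""
    procs = []
    while max_conns is None or len(procs) < max_conns:
        conn, _ = srv.accept()
        procs.append(spawn_for_connection(conn, argv))
    return procs

def roundtrip(path, payload):
    """Client side: send, half-close, read to EOF. The wrapper only moves bytes."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(path)
    cli.sendall(payload)
    cli.shutdown(socket.SHUT_WR)
    chunks = []
    while data := cli.recv(4096):
        chunks.append(data)
    cli.close()
    return b"".join(chunks)

def demo_roundtrip(payload=b"hello otpd"):
    """Self-check with an upper-casing child standing in for ipa-otpd."""
    path = os.path.join(tempfile.mkdtemp(), "DEFAULT.socket")
    echo = [sys.executable, "-c",
            "import sys; sys.stdout.write(sys.stdin.read().upper())"]
    srv = bind_listener(path)
    worker = threading.Thread(target=serve, args=(srv, echo, 1))
    worker.start()
    reply = roundtrip(path, payload)
    worker.join()
    srv.close()
    return reply
```

In the container the production call is serve(bind_listener(DEFAULT_SOCKET), IPA_OTPD), run as the same user the KDC expects to own the socket; demo_roundtrip only exercises the plumbing with a throwaway socket.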


Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-22 Thread Duncan McNaught
I realize that, thanks.
That's currently the only problem for us - getting 2FA to work.

Thanks
--Duncan


Duncan McNaught
Infrastructure Engineer
 Technologies | www.bitnet.io
+1 720 240 6575

On Tue, Sep 22, 2015 at 12:12 PM, Nathaniel McCallum 
wrote:

> Running IPA in a container is very bleeding edge. I would not be
> surprised at all if you run into lots of problems.
>
> On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
> > Thanks Nathaniel,
> >   I am running with Jan's Centos-7 container and I'd like to have
> > Multi-factor Authentication/2FA enabled.
> > He mentioned that systemd is not running in the container, so I
> > guess that explains why 2FA is failing. I wonder if I can get
> > systemd running there.
> > --Duncan
> >
> >
> > Thanks
> > --Duncan
> > 
> > Duncan McNaught
> > Infrastructure Engineer
> >  Technologies | www.bitnet.io
> > +1 720 240 6575
> >
> > On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum  > t.com> wrote:
> > > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > > Dear freeipa-users,
> > > >
> > > > I'm having an issue with otp in freeipa. I can set up the
> > > service as
> > > > described in the blog post for TOTP or HOTP, and sync the token
> > > fine.
> > > > When I try to login to the admin tools or an ipa-managed client
> > > > (with ) , I get a password incorrect message.
> > > > Here are some more details: https://github.com/adelton/docker-fre
> > > eipa
> > > > /issues/34
> > > > Can anyone help me to debug/get this working?
> > >
> > > I'm very unclear as to what you are trying to do. Are you trying to
> > > run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> > > ipa-otpd will require systemd in the container.
> > >
> > > If you are trying to run this on CentOS 7.1 (not a container), it
> > > seems to me that your LDAP server isn't running or something is
> > > wrong
> > > with ldapi.
> > >
> > > Can you explain your setup in more detail?
> > >
> > > Nathaniel
> > >
>

Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-22 Thread Nathaniel McCallum
Running IPA in a container is very bleeding edge. I would not be
surprised at all if you run into lots of problems.

On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
> Thanks Nathaniel,
>   I am running with Jan's Centos-7 container and I'd like to have
> Multi-factor Authentication/2FA enabled.
> He mentioned that systemd is not running in the container, so I
> guess that explains why 2FA is failing. I wonder if I can get
> systemd running there.
> --Duncan
> 
> 
> Thanks
> --Duncan
> 
> Duncan McNaught
> Infrastructure Engineer
>  Technologies | www.bitnet.io
> +1 720 240 6575
> 
> On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum  t.com> wrote:
> > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > Dear freeipa-users,
> > >
> > > I'm having an issue with otp in freeipa. I can set up the
> > service as
> > > described in the blog post for TOTP or HOTP, and sync the token
> > fine.
> > > When I try to login to the admin tools or an ipa-managed client
> > > (with ) , I get a password incorrect message.
> > > Here are some more details: https://github.com/adelton/docker-fre
> > eipa
> > > /issues/34
> > > Can anyone help me to debug/get this working?
> > 
> > I'm very unclear as to what you are trying to do. Are you trying to
> > run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> > ipa-otpd will require systemd in the container.
> > 
> > If you are trying to run this on CentOS 7.1 (not a container), it
> > seems to me that your LDAP server isn't running or something is
> > wrong
> > with ldapi.
> > 
> > Can you explain your setup in more detail?
> > 
> > Nathaniel
> > 



Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-22 Thread Duncan McNaught
Thanks Nathaniel,
  I am running with Jan's Centos-7 container and I'd like to have
Multi-factor Authentication/2FA enabled.
He mentioned that systemd is not running in the container, so I guess that
explains why 2FA is failing. I wonder if I can get systemd running there.
--Duncan


Thanks
--Duncan


Duncan McNaught
Infrastructure Engineer
 Technologies | www.bitnet.io
+1 720 240 6575

On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum 
wrote:

> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > Dear freeipa-users,
> >
> > I'm having an issue with otp in freeipa. I can set up the service as
> > described in the blog post for TOTP or HOTP, and sync the token fine.
> > When I try to login to the admin tools or an ipa-managed client
> > (with ) , I get a password incorrect message.
> > Here are some more details: https://github.com/adelton/docker-freeipa
> > /issues/34
> > Can anyone help me to debug/get this working?
>
> I'm very unclear as to what you are trying to do. Are you trying to
> run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> ipa-otpd will require systemd in the container.
>
> If you are trying to run this on CentOS 7.1 (not a container), it
> seems to me that your LDAP server isn't running or something is wrong
> with ldapi.
>
> Can you explain your setup in more detail?
>
> Nathaniel
>

Re: [Freeipa-users] otp issue: can't log in with password+otp

2015-09-22 Thread Nathaniel McCallum
On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> Dear freeipa-users,
> 
> I'm having an issue with otp in freeipa. I can set up the service as
> described in the blog post for TOTP or HOTP, and sync the token fine.
> When I try to login to the admin tools or an ipa-managed client
> (with ) , I get a password incorrect message.
> Here are some more details: https://github.com/adelton/docker-freeipa
> /issues/34
> Can anyone help me to debug/get this working?

I'm very unclear as to what you are trying to do. Are you trying to
run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
ipa-otpd will require systemd in the container.

If you are trying to run this on CentOS 7.1 (not a container), it
seems to me that your LDAP server isn't running or something is wrong
with ldapi.

Can you explain your setup in more detail?

Nathaniel
