Re: [Freeipa-users] otp issue: can't log in with password+otp
On Tue, Sep 22, 2015 at 08:55:53AM -0400, Nathaniel McCallum wrote:
> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > Dear freeipa-users,
> >
> > I'm having an issue with otp in freeipa. I can set up the service as
> > described in the blog post for TOTP or HOTP, and sync the token fine.
> > When I try to login to the admin tools or an ipa-managed client
> > (with ) , I get a password incorrect message.
> > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > Can anyone help me to debug/get this working?
>
> I'm very unclear as to what you are trying to do. Are you trying to
> run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> ipa-otpd will require systemd in the container.

Well, we have a separate daemon listening on the
/var/run/krb5kdc/DEFAULT.socket in the container which should start
the ipa-otpd@.service when there's a connection made to it. But
somehow it does not seem to be happening even if I fix the parsing of
/etc/ipa/default.conf that ipa-otpd@.service is doing.

What is the simplest way to trigger the connection to
/var/run/krb5kdc/DEFAULT.socket, for debugging purposes?

I haven't even been able to sync the token properly, which Duncan says
in https://github.com/adelton/docker-freeipa/issues/34#issuecomment-123877080
was working for him.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] otp issue: can't log in with password+otp
On Fri, 25 Sep 2015, Jan Pazdziora wrote:
> On Tue, Sep 22, 2015 at 08:55:53AM -0400, Nathaniel McCallum wrote:
> > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > Dear freeipa-users,
> > >
> > > I'm having an issue with otp in freeipa. I can set up the service as
> > > described in the blog post for TOTP or HOTP, and sync the token fine.
> > > When I try to login to the admin tools or an ipa-managed client
> > > (with ) , I get a password incorrect message.
> > > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > > Can anyone help me to debug/get this working?
> >
> > I'm very unclear as to what you are trying to do. Are you trying to
> > run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> > ipa-otpd will require systemd in the container.
>
> Well, we have a separate daemon listening on the
> /var/run/krb5kdc/DEFAULT.socket in the container which should start
> the ipa-otpd@.service when there's a connection made to it. But
> somehow it does not seem to be happening even if I fix the parsing of
> /etc/ipa/default.conf that ipa-otpd@.service is doing.
As I wrote earlier, ipa-otpd relies on the socket activation feature of
systemd -- systemd opens this socket and listens for incoming
connections. Any incoming connection causes the ipa-otpd daemon to start and
connects its stdin/stdout to the socket's client.

> What is the simplest way to trigger the connection to
> /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
Use socat. Something like

  socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork EXEC:/usr/libexec/ipa-otpd

--
/ Alexander Bokovoy
Re: [Freeipa-users] otp issue: can't log in with password+otp
On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> >
> > Well, we have a separate daemon listening on the
> > /var/run/krb5kdc/DEFAULT.socket in the container which should start
> > the ipa-otpd@.service when there's a connection made to it. But
> > somehow it does not seem to be happening even if I fix the parsing of
> > /etc/ipa/default.conf that ipa-otpd@.service is doing.
> As I wrote earlier, ipa-otpd relies on the socket activation feature of
> systemd -- systemd opens this socket and listens for incoming
> connections. Any incoming connection causes the ipa-otpd daemon to start and
> connects its stdin/stdout to the socket's client.

And in the container there is no systemd so I emulate it there by just
running a separate daemon listening on that socket which will fork
that ipa-otpd daemon.

> > What is the simplest way to trigger the connection to
> > /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> Use socat. Something like
> socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork
> EXEC:/usr/libexec/ipa-otpd

I meant, how do I cause the IPA stack (KDC?) to make the connection
and communication with the ipa-otpd daemon?

Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
path (so if Duncan managed to sync the token, it worked for him at
least once) in any way or does it bypass it?

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] otp issue: can't log in with password+otp
On Fri, 25 Sep 2015, Jan Pazdziora wrote:
> On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> > > Well, we have a separate daemon listening on the
> > > /var/run/krb5kdc/DEFAULT.socket in the container which should start
> > > the ipa-otpd@.service when there's a connection made to it. But
> > > somehow it does not seem to be happening even if I fix the parsing of
> > > /etc/ipa/default.conf that ipa-otpd@.service is doing.
> > As I wrote earlier, ipa-otpd relies on the socket activation feature of
> > systemd -- systemd opens this socket and listens for incoming
> > connections. Any incoming connection causes the ipa-otpd daemon to start and
> > connects its stdin/stdout to the socket's client.
>
> And in the container there is no systemd so I emulate it there by just
> running a separate daemon listening on that socket which will fork
> that ipa-otpd daemon.
You did write another daemon? socat is enough.

> > > What is the simplest way to trigger the connection to
> > > /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> > Use socat. Something like
> > socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork
> > EXEC:/usr/libexec/ipa-otpd
>
> I meant, how do I cause the IPA stack (KDC?) to make the connection
> and communication with the ipa-otpd daemon?
Enable OTP tokens globally or for a specific user in the web UI, restart the KDC.
Create an OTP token for a user and try to log in via SSSD.

> Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
> path (so if Duncan managed to sync the token, it worked for him at
> least once) in any way or does it bypass it?
No. It uses an LDAP extended operation.

--
/ Alexander Bokovoy
Re: [Freeipa-users] otp issue: can't log in with password+otp
On Fri, 2015-09-25 at 09:22 +0200, Jan Pazdziora wrote:
> On Fri, Sep 25, 2015 at 10:09:55AM +0300, Alexander Bokovoy wrote:
> > >
> > > Well, we have a separate daemon listening on the
> > > /var/run/krb5kdc/DEFAULT.socket in the container which should start
> > > the ipa-otpd@.service when there's a connection made to it. But
> > > somehow it does not seem to be happening even if I fix the parsing of
> > > /etc/ipa/default.conf that ipa-otpd@.service is doing.
> > As I wrote earlier, ipa-otpd relies on the socket activation feature of
> > systemd -- systemd opens this socket and listens for incoming
> > connections. Any incoming connection causes the ipa-otpd daemon to start and
> > connects its stdin/stdout to the socket's client.
>
> And in the container there is no systemd so I emulate it there by just
> running a separate daemon listening on that socket which will fork
> that ipa-otpd daemon.

Is it in the same container? Because ipa-otpd uses ldapi.

> > > What is the simplest way to trigger the connection to
> > > /var/run/krb5kdc/DEFAULT.socket, for debugging purposes?
> > Use socat. Something like
> > socat UNIX-LISTEN:/var/run/krb5kdc/DEFAULT.socket,unlink-early,fork
> > EXEC:/usr/libexec/ipa-otpd
>
> I meant, how do I cause the IPA stack (KDC?) to make the connection
> and communication with the ipa-otpd daemon?
>
> Also, does the Sync OTP Token operation invoke the ipa-otpd daemon
> path (so if Duncan managed to sync the token, it worked for him at
> least once) in any way or does it bypass it?
>
Re: [Freeipa-users] otp issue: can't log in with password+otp
On a related point to this note - Duncan, did you try to run your setup
with the RPM version of FreeIPA? FreeIPA 4.2 is included both in the RHEL-7.2
Beta and in the Fedora 23 Beta updates-testing repo, so you can try the
latest and greatest version there and thus find out if the problems you
are seeing are specific to the containerization or rather a general
issue.

On 09/22/2015 08:12 PM, Nathaniel McCallum wrote:
> Running IPA in a container is very bleeding edge. I would not be
> surprised at all if you run into lots of problems.
>
> On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
>> Thanks Nathaniel,
>> I am running with Jan's Centos-7 container and I'd like to have
>> Multi-factor Authentication/2FA enabled.
>> He mentioned that systemd is not running in the container, so I
>> guess that explains why 2FA is failing. I wonder if I can get
>> systemd running there.
>> --Duncan
>>
>> Thanks
>> --Duncan
>>
>> Duncan McNaught
>> Infrastructure Engineer
>> Technologies | www.bitnet.io
>> +1 720 240 6575
>>
>> On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
>>> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
>>>> Dear freeipa-users,
>>>>
>>>> I'm having an issue with otp in freeipa. I can set up the
>>>> service as described in the blog post for TOTP or HOTP, and sync the token
>>>> fine. When I try to login to the admin tools or an ipa-managed client
>>>> (with ) , I get a password incorrect message.
>>>> Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
>>>> Can anyone help me to debug/get this working?
>>>
>>> I'm very unclear as to what you are trying to do. Are you trying to
>>> run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
>>> ipa-otpd will require systemd in the container.
>>>
>>> If you are trying to run this on CentOS 7.1 (not a container), it
>>> seems to me that your LDAP server isn't running or something is
>>> wrong with ldapi.
>>>
>>> Can you explain your setup in more detail?
>>>
>>> Nathaniel
>>>
>
Re: [Freeipa-users] otp issue: can't log in with password+otp
On Tue, 22 Sep 2015, Duncan McNaught wrote:
> I realize that, thanks. That's currently the only problem for us -
> getting 2FA to work.
Given that we rely on socket activation for ipa-otpd, you would need to
make a wrapper that would listen on a unix domain socket and forward the
data between ipa-otpd stdin/stdout and that socket. This is what is
provided to us by systemd.

> Thanks
> --Duncan
>
> Duncan McNaught
> Infrastructure Engineer
> Technologies | www.bitnet.io
> +1 720 240 6575
>
> On Tue, Sep 22, 2015 at 12:12 PM, Nathaniel McCallum wrote:
> > Running IPA in a container is very bleeding edge. I would not be
> > surprised at all if you run into lots of problems.
> >
> > On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
> > > Thanks Nathaniel,
> > > I am running with Jan's Centos-7 container and I'd like to have
> > > Multi-factor Authentication/2FA enabled.
> > > He mentioned that systemd is not running in the container, so I
> > > guess that explains why 2FA is failing. I wonder if I can get
> > > systemd running there.
> > > --Duncan
> > >
> > > Thanks
> > > --Duncan
> > >
> > > Duncan McNaught
> > > Infrastructure Engineer
> > > Technologies | www.bitnet.io
> > > +1 720 240 6575
> > >
> > > On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
> > > > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > > > Dear freeipa-users,
> > > > >
> > > > > I'm having an issue with otp in freeipa. I can set up the
> > > > > service as described in the blog post for TOTP or HOTP, and sync the token
> > > > > fine. When I try to login to the admin tools or an ipa-managed client
> > > > > (with ) , I get a password incorrect message.
> > > > > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > > > > Can anyone help me to debug/get this working?
> > > >
> > > > I'm very unclear as to what you are trying to do. Are you trying to
> > > > run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> > > > ipa-otpd will require systemd in the container.
> > > >
> > > > If you are trying to run this on CentOS 7.1 (not a container), it
> > > > seems to me that your LDAP server isn't running or something is
> > > > wrong with ldapi.
> > > >
> > > > Can you explain your setup in more detail?
> > > >
> > > > Nathaniel
> > > >
> >

--
/ Alexander Bokovoy
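Alexander's point above (socket activation: systemd owns the Unix socket and, per connection, starts ipa-otpd with its stdin/stdout bound to the client) as an added example that is not part of this thread or of FreeIPA. It is a minimal Python stand-in for that Accept=yes behaviour, which is also what Jan's separate daemon has to reproduce; the function names, the temp-dir socket path, the 0600 mode and the echo child used instead of /usr/libexec/ipa-otpd are all my constructed choices.

```python
import os
import socket
import subprocess
import sys
import tempfile
import threading

# Constructed stand-in for /usr/libexec/ipa-otpd: a child that copies its stdin to
# its stdout, so a successful round trip proves fd 0/1 really are the client socket.
ECHO_CHILD = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]


def activate_on_connect(sock_path, argv=ECHO_CHILD, max_conns=1, ready=None):
    """Emulate systemd socket activation for a template unit such as
    ipa-otpd@.service: own the listening Unix socket and, for each accepted
    connection, start one child whose stdin and stdout are that connection."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)                      # same idea as socat's unlink-early
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o600)                    # only the socket owner may connect
    srv.listen(8)
    if ready is not None:
        ready.set()                               # let a caller know accept() is live
    children = []
    try:
        for _ in range(max_conns):
            conn, _ = srv.accept()
            # The child inherits the connection as fd 0 and fd 1; the parent then
            # drops its copy so the client sees EOF as soon as the child exits.
            children.append(subprocess.Popen(argv, stdin=conn.fileno(), stdout=conn.fileno()))
            conn.close()
        return [child.wait(timeout=10) for child in children]
    finally:
        srv.close()
        if os.path.exists(sock_path):
            os.unlink(sock_path)


def kdc_side_roundtrip(sock_path, payload):
    """Play the connecting side (the KDC in FreeIPA): send a request, half-close,
    then read the reply until the child exits and the connection hits EOF."""
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.connect(sock_path)
    c.sendall(payload)
    c.shutdown(socket.SHUT_WR)                    # the child's stdin now reads EOF
    chunks = []
    while True:
        data = c.recv(4096)
        if not data:
            break
        chunks.append(data)
    c.close()
    return b"".join(chunks)


def demo(payload=b"constructed request from the KDC side\n"):
    """One activation end to end; returns (child exit codes, bytes the child sent back)."""
    sock_path = os.path.join(tempfile.mkdtemp(), "DEFAULT.socket")
    ready, codes = threading.Event(), []
    t = threading.Thread(target=lambda: codes.extend(activate_on_connect(sock_path, ready=ready)))
    t.start()
    ready.wait(5)
    reply = kdc_side_roundtrip(sock_path, payload)
    t.join(15)
    return codes, reply
```

Swapping ECHO_CHILD for the real daemon's argv turns the same loop into the wrapper Alexander describes; what it does not emulate is the LISTEN_FDS environment that non-template (Accept=no) units get from systemd.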
Re: [Freeipa-users] otp issue: can't log in with password+otp
I realize that, thanks. That's currently the only problem for us -
getting 2FA to work.

Thanks
--Duncan

Duncan McNaught
Infrastructure Engineer
Technologies | www.bitnet.io
+1 720 240 6575

On Tue, Sep 22, 2015 at 12:12 PM, Nathaniel McCallum wrote:
> Running IPA in a container is very bleeding edge. I would not be
> surprised at all if you run into lots of problems.
>
> On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
> > Thanks Nathaniel,
> > I am running with Jan's Centos-7 container and I'd like to have
> > Multi-factor Authentication/2FA enabled.
> > He mentioned that systemd is not running in the container, so I
> > guess that explains why 2FA is failing. I wonder if I can get
> > systemd running there.
> > --Duncan
> >
> > Thanks
> > --Duncan
> >
> > Duncan McNaught
> > Infrastructure Engineer
> > Technologies | www.bitnet.io
> > +1 720 240 6575
> >
> > On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
> > > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > > Dear freeipa-users,
> > > >
> > > > I'm having an issue with otp in freeipa. I can set up the
> > > > service as described in the blog post for TOTP or HOTP, and sync the token
> > > > fine. When I try to login to the admin tools or an ipa-managed client
> > > > (with ) , I get a password incorrect message.
> > > > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > > > Can anyone help me to debug/get this working?
> > >
> > > I'm very unclear as to what you are trying to do. Are you trying to
> > > run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> > > ipa-otpd will require systemd in the container.
> > >
> > > If you are trying to run this on CentOS 7.1 (not a container), it
> > > seems to me that your LDAP server isn't running or something is
> > > wrong with ldapi.
> > >
> > > Can you explain your setup in more detail?
> > >
> > > Nathaniel
> > >
>
Re: [Freeipa-users] otp issue: can't log in with password+otp
Running IPA in a container is very bleeding edge. I would not be
surprised at all if you run into lots of problems.

On Tue, 2015-09-22 at 12:10 -0600, Duncan McNaught wrote:
> Thanks Nathaniel,
> I am running with Jan's Centos-7 container and I'd like to have
> Multi-factor Authentication/2FA enabled.
> He mentioned that systemd is not running in the container, so I
> guess that explains why 2FA is failing. I wonder if I can get
> systemd running there.
> --Duncan
>
> Thanks
> --Duncan
>
> Duncan McNaught
> Infrastructure Engineer
> Technologies | www.bitnet.io
> +1 720 240 6575
>
> On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
> > On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > > Dear freeipa-users,
> > >
> > > I'm having an issue with otp in freeipa. I can set up the
> > > service as described in the blog post for TOTP or HOTP, and sync the token
> > > fine. When I try to login to the admin tools or an ipa-managed client
> > > (with ) , I get a password incorrect message.
> > > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > > Can anyone help me to debug/get this working?
> >
> > I'm very unclear as to what you are trying to do. Are you trying to
> > run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> > ipa-otpd will require systemd in the container.
> >
> > If you are trying to run this on CentOS 7.1 (not a container), it
> > seems to me that your LDAP server isn't running or something is
> > wrong with ldapi.
> >
> > Can you explain your setup in more detail?
> >
> > Nathaniel
> >
Re: [Freeipa-users] otp issue: can't log in with password+otp
Thanks Nathaniel,
I am running with Jan's Centos-7 container and I'd like to have
Multi-factor Authentication/2FA enabled.
He mentioned that systemd is not running in the container, so I
guess that explains why 2FA is failing. I wonder if I can get
systemd running there.
--Duncan

Thanks
--Duncan

Duncan McNaught
Infrastructure Engineer
Technologies | www.bitnet.io
+1 720 240 6575

On Tue, Sep 22, 2015 at 6:55 AM, Nathaniel McCallum wrote:
> On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> > Dear freeipa-users,
> >
> > I'm having an issue with otp in freeipa. I can set up the service as
> > described in the blog post for TOTP or HOTP, and sync the token fine.
> > When I try to login to the admin tools or an ipa-managed client
> > (with ) , I get a password incorrect message.
> > Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> > Can anyone help me to debug/get this working?
>
> I'm very unclear as to what you are trying to do. Are you trying to
> run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
> ipa-otpd will require systemd in the container.
>
> If you are trying to run this on CentOS 7.1 (not a container), it
> seems to me that your LDAP server isn't running or something is wrong
> with ldapi.
>
> Can you explain your setup in more detail?
>
> Nathaniel
>
Re: [Freeipa-users] otp issue: can't log in with password+otp
On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:
> Dear freeipa-users,
>
> I'm having an issue with otp in freeipa. I can set up the service as
> described in the blog post for TOTP or HOTP, and sync the token fine.
> When I try to login to the admin tools or an ipa-managed client
> (with ) , I get a password incorrect message.
> Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
> Can anyone help me to debug/get this working?

I'm very unclear as to what you are trying to do. Are you trying to
run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
ipa-otpd will require systemd in the container.

If you are trying to run this on CentOS 7.1 (not a container), it
seems to me that your LDAP server isn't running or something is wrong
with ldapi.

Can you explain your setup in more detail?

Nathaniel