Re: [Freeipa-users] sudo with OTP

2016-03-23 Thread Brad Bendy
Just updated to the testing on F23 and sudo does work, but it prompts
for a single password and the single user password works; OTP is not
needed or prompted.

I still need OTP when I login as my user just not on sudo, is that the
correct behavior and if so can that be changed to always require OTP?

Thanks


On Wed, Mar 23, 2016 at 2:55 PM, Brad Bendy  wrote:
> Ignore what I said earlier :)
>
> The issue is when I run sudo the lookup appears to still be wanting
> OTP (even though RADIUS is the only box checked for that user), no
> matter what I enter it won't go past that first prompt, the request
> never makes it over to my RADIUS server at all. Standard logins work
> just fine, but as soon as you try to sudo it wants the "first factor", but
> the request never makes it to the RADIUS server. I'm going to play around
> with some settings, but am I missing something or is there no way to
> forward the sudo request to the same RADIUS server as well?
>
> Thanks
>
>
> On Wed, Mar 23, 2016 at 2:41 PM, Brad Bendy  wrote:
>> I will upgrade a few machines and test this out, I just got done
>> making a script for RADIUS to handle OTP, I didn't see this e-mail
>> till now!
>>
>> If Password + RADIUS are turned on for the user it looks like it's
>> still doing the first factor prompt, if I don't enable the password
>> option then an LDAP (have not tested Kerberos yet) lookup will fail,
>> haven't dug in to see if the account is disabled or what is causing
>> that. Does that sound correct though? My idea was to have FreeIPA
>> proxy to RADIUS and let RADIUS do the LDAP/Kerberos+OTP and then auth
>> that way, I take it that's not going to work?
>>
>> Thanks
>>
>>
>> On Wed, Mar 23, 2016 at 12:09 AM, Lukas Slebodnik  
>> wrote:
>>> On (22/03/16 10:06), Brad Bendy wrote:
>>>>I'm having some issues applying these patches with dependencies. But on
>>>>a side note, this needs to be applied to the client machines as well
>>>>the IPA server itself, correct?
>>>>
>>> I pushed related sudo patches to fedora yesterday.
>>> They are in updates-testing ATM.
>>>
>>> If you want to test packages on el6 or el7, then backported versions
>>> of the fedora packages are available in
>>> our sssd group copr repo.
>>> https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/
>>>
>>> Please report any bugs here or to sssd-users.
>>>
>>> LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] sudo with OTP

2016-03-23 Thread Brad Bendy
Ignore what I said earlier :)

The issue is when I run sudo the lookup appears to still be wanting
OTP (even though RADIUS is the only box checked for that user), no
matter what I enter it won't go past that first prompt, the request
never makes it over to my RADIUS server at all. Standard logins work
just fine, but as soon as you try to sudo it wants the "first factor", but
the request never makes it to the RADIUS server. I'm going to play around
with some settings, but am I missing something or is there no way to
forward the sudo request to the same RADIUS server as well?

Thanks


On Wed, Mar 23, 2016 at 2:41 PM, Brad Bendy  wrote:
> I will upgrade a few machines and test this out, I just got done
> making a script for RADIUS to handle OTP, I didn't see this e-mail
> till now!
>
> If Password + RADIUS are turned on for the user it looks like it's
> still doing the first factor prompt, if I don't enable the password
> option then an LDAP (have not tested Kerberos yet) lookup will fail,
> haven't dug in to see if the account is disabled or what is causing
> that. Does that sound correct though? My idea was to have FreeIPA
> proxy to RADIUS and let RADIUS do the LDAP/Kerberos+OTP and then auth
> that way, I take it that's not going to work?
>
> Thanks
>
>
> On Wed, Mar 23, 2016 at 12:09 AM, Lukas Slebodnik  wrote:
>> On (22/03/16 10:06), Brad Bendy wrote:
>>>I'm having some issues applying these patches with dependencies. But on
>>>a side note, this needs to be applied to the client machines as well
>>>the IPA server itself, correct?
>>>
>> I pushed related sudo patches to fedora yesterday.
>> They are in updates-testing ATM.
>>
>> If you want to test packages on el6 or el7, then backported versions
>> of the fedora packages are available in
>> our sssd group copr repo.
>> https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/
>>
>> Please report any bugs here or to sssd-users.
>>
>> LS



Re: [Freeipa-users] sudo with OTP

2016-03-23 Thread Brad Bendy
I will upgrade a few machines and test this out, I just got done
making a script for RADIUS to handle OTP, I didn't see this e-mail
till now!

If Password + RADIUS are turned on for the user it looks like it's
still doing the first factor prompt, if I don't enable the password
option then an LDAP (have not tested Kerberos yet) lookup will fail,
haven't dug in to see if the account is disabled or what is causing
that. Does that sound correct though? My idea was to have FreeIPA
proxy to RADIUS and let RADIUS do the LDAP/Kerberos+OTP and then auth
that way, I take it that's not going to work?

Thanks


On Wed, Mar 23, 2016 at 12:09 AM, Lukas Slebodnik  wrote:
> On (22/03/16 10:06), Brad Bendy wrote:
>>I'm having some issues applying these patches with dependencies. But on
>>a side note, this needs to be applied to the client machines as well
>>the IPA server itself, correct?
>>
> I pushed related sudo patches to fedora yesterday.
> They are in updates-testing ATM.
>
> If you want to test packages on el6 or el7, then backported versions
> of the fedora packages are available in
> our sssd group copr repo.
> https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/
>
> Please report any bugs here or to sssd-users.
>
> LS



Re: [Freeipa-users] sudo with OTP

2016-03-23 Thread Lukas Slebodnik
On (22/03/16 10:06), Brad Bendy wrote:
>I'm having some issues applying these patches with dependencies. But on
>a side note, this needs to be applied to the client machines as well
>the IPA server itself, correct?
>
I pushed related sudo patches to fedora yesterday.
They are in updates-testing ATM.

If you want to test packages on el6 or el7, then backported versions
of the fedora packages are available in
our sssd group copr repo.
https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-13/

Please report any bugs here or to sssd-users.

LS



Re: [Freeipa-users] sudo with OTP

2016-03-22 Thread Brad Bendy
I'm having some issues applying these patches with dependencies. But on
a side note, this needs to be applied to the client machines as well
the IPA server itself, correct?


Thanks

On Mon, Mar 14, 2016 at 8:54 AM, Brad Bendy  wrote:
> I see that now, thanks for the link. I'll give those patches a whirl.
>
> On Mon, Mar 14, 2016 at 7:49 AM, Sumit Bose  wrote:
>> On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote:
>>> HI,
>>>
>>> I have OTP setup and working just fine for logging into any servers,
>>> when attempting to run any command with sudo I get a "First factor:"
>>> prompt, I have entered my normal password but it fails. This only
>>> happens when OTP is on, with OTP off sudo works like you would think.
>>
>> This is a known issue, please see
>> https://bugzilla.redhat.com/show_bug.cgi?id=1276868 for details. In case
>> you use CentOS/RHEL7 you can find a test build at
>> http://koji.fedoraproject.org/koji/taskinfo?taskID=13343842 .
>>
>> bye,
>> Sumit
>>>
>>> The logs on the machine I'm trying to sudo show:
>>>
>>> Mar 14 08:23:13 ipatest audit: USER_AUTH pid=12495 uid=181863
>>> auid=181863 ses=8
>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> msg='op=PAM:authentication grantors=? acct="myusername"
>>> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
>>>
>>> Mar 14 08:23:13 ipatest audit: USER_CMD pid=12495 uid=181863
>>> auid=181863 ses=8
>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> msg='cwd="/" cmd="su" terminal=pts/0 res=failed'
>>>
>>> Which is not being much help at all; on the IPA server itself I'm
>>> seeing nothing in the log when I run sudo, I do though when I login as
>>> my normal user.
>>>
>>> Google appears to have zero results on this, any clues what else I can
>>> check? Seems odd to me!
>>>
>>> Thanks
>>>



Re: [Freeipa-users] sudo with OTP

2016-03-14 Thread Brad Bendy
I see that now, thanks for the link. I'll give those patches a whirl.

On Mon, Mar 14, 2016 at 7:49 AM, Sumit Bose  wrote:
> On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote:
>> HI,
>>
>> I have OTP setup and working just fine for logging into any servers,
>> when attempting to run any command with sudo I get a "First factor:"
>> prompt, I have entered my normal password but it fails. This only
>> happens when OTP is on, with OTP off sudo works like you would think.
>
> This is a known issue, please see
> https://bugzilla.redhat.com/show_bug.cgi?id=1276868 for details. In case
> you use CentOS/RHEL7 you can find a test build at
> http://koji.fedoraproject.org/koji/taskinfo?taskID=13343842 .
>
> bye,
> Sumit
>>
>> The logs on the machine I'm trying to sudo show:
>>
>> Mar 14 08:23:13 ipatest audit: USER_AUTH pid=12495 uid=181863
>> auid=181863 ses=8
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> msg='op=PAM:authentication grantors=? acct="myusername"
>> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
>>
>> Mar 14 08:23:13 ipatest audit: USER_CMD pid=12495 uid=181863
>> auid=181863 ses=8
>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>> msg='cwd="/" cmd="su" terminal=pts/0 res=failed'
>>
>> Which is not being much help at all; on the IPA server itself I'm
>> seeing nothing in the log when I run sudo, I do though when I login as
>> my normal user.
>>
>> Google appears to have zero results on this, any clues what else I can
>> check? Seems odd to me!
>>
>> Thanks
>>



Re: [Freeipa-users] sudo with OTP

2016-03-14 Thread Sumit Bose
On Mon, Mar 14, 2016 at 07:28:01AM -0700, Brad Bendy wrote:
> HI,
> 
> I have OTP setup and working just fine for logging into any servers,
> when attempting to run any command with sudo I get a "First factor:"
> prompt, I have entered my normal password but it fails. This only
> happens when OTP is on, with OTP off sudo works like you would think.

This is a known issue, please see
https://bugzilla.redhat.com/show_bug.cgi?id=1276868 for details. In case
you use CentOS/RHEL7 you can find a test build at
http://koji.fedoraproject.org/koji/taskinfo?taskID=13343842 .

bye,
Sumit
> 
> The logs on the machine I'm trying to sudo show:
> 
> Mar 14 08:23:13 ipatest audit: USER_AUTH pid=12495 uid=181863
> auid=181863 ses=8
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='op=PAM:authentication grantors=? acct="myusername"
> exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
> 
> Mar 14 08:23:13 ipatest audit: USER_CMD pid=12495 uid=181863
> auid=181863 ses=8
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/" cmd="su" terminal=pts/0 res=failed'
> 
> Which is not being much help at all; on the IPA server itself I'm
> seeing nothing in the log when I run sudo, I do though when I login as
> my normal user.
> 
> Google appears to have zero results on this, any clues what else I can
> check? Seems odd to me!
> 
> Thanks
> 

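The two audit records quoted in the message above are the only evidence the client machine produced, and the telling field is `grantors=?` on the USER_AUTH line: no PAM module vouched for the authentication before sudo reported `res=failed`, which matches the "first factor" prompt never reaching a backend. As an added example that is not part of this thread, here is a small Python parser for that audit record format with a filter that picks out failed sudo PAM authentications and counts them per account. The sample input is constructed: the two records quoted in the thread, re-joined onto single lines as auditd writes them, plus one made-up successful record so the filter has something to leave alone.

```python
"""Parse Linux audit USER_AUTH / USER_CMD records and flag failed sudo
PAM authentications.  Added example, not code from the mailing-list thread."""
import re
from collections import Counter

# Constructed sample input: the two records quoted in the thread plus one
# constructed successful sudo authentication (grantors=pam_sss, res=success).
SAMPLE_AUDIT = """\
Mar 14 08:23:13 ipatest audit: USER_AUTH pid=12495 uid=181863 auid=181863 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="myusername" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
Mar 14 08:23:13 ipatest audit: USER_CMD pid=12495 uid=181863 auid=181863 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/" cmd="su" terminal=pts/0 res=failed'
Mar 14 08:25:40 ipatest audit: USER_AUTH pid=12610 uid=181863 auid=181863 ses=8 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_sss acct="myusername" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
"""

# syslog-style prefix as it appears in the thread: timestamp, host, "audit:", record type
RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) audit: "
    r"(?P<type>[A-Z_]+) (?P<body>.*)$"
)
# key=value pairs; a value is single-quoted, double-quoted, or a bare token
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_fields(text):
    """Turn 'a=1 b="x" c=\\'y z\\'' into a dict, stripping the quotes."""
    fields = {}
    for key, value in KV_RE.findall(text):
        if value[:1] in "'\"" and value[-1:] == value[:1]:
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_record(line):
    """Parse one audit line; returns None for lines that are not audit records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "type": m.group("type")}
    outer = parse_fields(m.group("body"))
    msg = outer.pop("msg", "")      # msg='...' carries its own nested key=value pairs
    rec.update(outer)
    rec.update(parse_fields(msg))   # op=, grantors=, acct=, exe=, terminal=, res=
    return rec


def failed_sudo_auths(audit_text):
    """USER_AUTH records where PAM authentication invoked by sudo failed."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if (rec and rec["type"] == "USER_AUTH"
                and rec.get("exe") == "/usr/bin/sudo"
                and rec.get("res") == "failed"):
            hits.append(rec)
    return hits


def failures_per_account(audit_text):
    """Count failed sudo authentications by the acct= field."""
    return Counter(rec.get("acct", "?") for rec in failed_sudo_auths(audit_text))


if __name__ == "__main__":
    for rec in failed_sudo_auths(SAMPLE_AUDIT):
        # grantors=? means no PAM module granted the authentication at all
        print(f"{rec['ts']} {rec['host']}: sudo auth failed for {rec['acct']} "
              f"on {rec['terminal']} (grantors={rec['grantors']})")
    print(dict(failures_per_account(SAMPLE_AUDIT)))
```

When run against a real `/var/log/audit/audit.log` the prefix differs (`type=USER_AUTH msg=audit(epoch:serial):`), so `RECORD_RE` would need adjusting; the nested `msg='...'` handling and the `grantors`/`res` check carry over unchanged.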