Public bug reported:

While using FreeIPA server with an external RADIUS server (which in turn is 
connected to an OTP authenticator), freeipa-server fails to load the required 
krb5-otp module.
That's because the module is simply not there, and every request sent by a user 
using FAST/OTP will fail. This is the message in /var/log/auth:

NEEDED_PREAUTH: johndoe@REALM for krbtgt/REALM, Additional pre-authentication required

The user gets the following (note that the user is not prompted for OTP; the request simply dies):
root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
[2872] 1478769982.447733: Resolving unique ccache of type KEYRING
[2872] 1478769982.449824: Getting initial credentials for johndoe@REALM
[2872] 1478769982.453943: FAST armor ccache: KEYRING:persistent:0:0
[2872] 1478769982.454171: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
[2872] 1478769982.454284: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
[2872] 1478769982.454396: Using FAST due to armor ccache negotiation result
[2872] 1478769982.454484: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
[2872] 1478769982.454637: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
[2872] 1478769982.454733: Armor ccache sesion key: aes256-cts/03D3
[2872] 1478769982.454836: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/8CB1, session key aes256-cts/03D3
[2872] 1478769982.455045: FAST armor key: aes256-cts/21EB
[2872] 1478769982.455147: Encoding request body and padata into FAST request
[2872] 1478769982.455272: Sending request (947 bytes) to REALM
[2872] 1478769982.455437: Resolving hostname freeipa.realm.com
[2872] 1478769982.455900: Initiating TCP connection to stream 10.80.40.243:88
[2872] 1478769982.456147: Sending TCP request to stream 10.80.40.243:88
[2872] 1478769982.464118: Received answer (488 bytes) from stream 10.80.40.243:88
[2872] 1478769982.464126: Terminating TCP connection to stream 10.80.40.243:88
[2872] 1478769982.464147: Response was from master KDC
[2872] 1478769982.464161: Received error from KDC: -1765328359/Additional pre-authentication required
[2872] 1478769982.464166: Decoding FAST response
[2872] 1478769982.464438: Processing preauth types: 136, 133, 137
[2872] 1478769982.464446: Received cookie: MIT
kinit: Generic preauthentication failure while getting initial credentials


Solution:

$ sudo apt-get install krb5-otp
$ sudo service krb5-kdc restart 
$ sudo service krb5-admin-server restart 


After that everything works as expected:

root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
[2924] 1478770020.592804: Resolving unique ccache of type KEYRING
[2924] 1478770020.592994: Getting initial credentials for johndoe@REALM
[2924] 1478770020.596893: FAST armor ccache: KEYRING:persistent:0:0
[2924] 1478770020.597091: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
[2924] 1478770020.597744: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
[2924] 1478770020.597822: Using FAST due to armor ccache negotiation result
[2924] 1478770020.597884: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
[2924] 1478770020.598012: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
[2924] 1478770020.598102: Armor ccache sesion key: aes256-cts/03D3
[2924] 1478770020.598199: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/E28F, session key aes256-cts/03D3
[2924] 1478770020.598381: FAST armor key: aes256-cts/8677
[2924] 1478770020.598471: Encoding request body and padata into FAST request
[2924] 1478770020.598585: Sending request (947 bytes) to REALM
[2924] 1478770020.598669: Resolving hostname freeipa.realm.com
[2924] 1478770020.599039: Initiating TCP connection to stream 10.80.40.243:88
[2924] 1478770020.599366: Sending TCP request to stream 10.80.40.243:88
[2924] 1478770020.603569: Received answer (554 bytes) from stream 10.80.40.243:88
[2924] 1478770020.603651: Terminating TCP connection to stream 10.80.40.243:88
[2924] 1478770020.603733: Response was from master KDC
[2924] 1478770020.603809: Received error from KDC: -1765328359/Additional pre-authentication required
[2924] 1478770020.603862: Decoding FAST response
[2924] 1478770020.603960: Processing preauth types: 136, 141, 133, 137
[2924] 1478770020.604017: Received cookie: MIT
Enter OTP Token Value:
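Added diagnostic (example code, not part of the bug report or of FreeIPA itself): it parses the "Processing preauth types" line that both traces print and reports whether the KDC advertised PA-OTP-CHALLENGE (type 141, RFC 6560), which is the only difference between the failing trace and the working one. The sample traces embedded below are constructed from the decisive lines quoted above.

```python
"""Added example (not part of the bug report): parse KRB5_TRACE output and
report whether the KDC advertised OTP preauth (PA-OTP-CHALLENGE, 141)."""
import re
import sys
from typing import List

# Preauth type numbers: RFC 6113 (FAST, cookie, error), RFC 6560 (OTP).
PA_TYPE_NAMES = {
    133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 137: "PA-FX-ERROR",
    138: "PA-ENCRYPTED-CHALLENGE", 141: "PA-OTP-CHALLENGE", 142: "PA-OTP-REQUEST",
}
PA_OTP_CHALLENGE = 141
_PREAUTH_RE = re.compile(r"Processing preauth types:\s*([0-9,\s]+?)\s*$")

def advertised_preauth_types(trace: str) -> List[int]:
    """Preauth types from the last 'Processing preauth types' line, in order."""
    types: List[int] = []
    for line in trace.splitlines():
        m = _PREAUTH_RE.search(line)
        if m:
            types = [int(t) for t in m.group(1).split(",")]
    return types

def kdc_offers_otp(trace: str) -> bool:
    """True if the KDC's FAST error response carried PA-OTP-CHALLENGE."""
    return PA_OTP_CHALLENGE in advertised_preauth_types(trace)

def diagnose(trace: str) -> str:
    """Verdict for a kinit trace that ended in 'Additional pre-authentication required'."""
    types = advertised_preauth_types(trace)
    if not types:
        return "no 'Processing preauth types' line found in trace"
    names = ", ".join(f"{t} ({PA_TYPE_NAMES.get(t, 'unknown')})" for t in types)
    if PA_OTP_CHALLENGE in types:
        return f"KDC offers OTP preauth: {names}"
    return ("KDC did not offer PA-OTP-CHALLENGE; on the KDC check that krb5-otp "
            f"is installed and krb5-kdc was restarted. Offered: {names}")

# Constructed samples: the decisive lines from the two traces in the report.
BROKEN_TRACE = """\
[2872] 1478769982.464438: Processing preauth types: 136, 133, 137
kinit: Generic preauthentication failure while getting initial credentials
"""
FIXED_TRACE = """\
[2924] 1478770020.603960: Processing preauth types: 136, 141, 133, 137
Enter OTP Token Value:
"""
if __name__ == "__main__":
    # Usage: KRB5_TRACE=/dev/stdout kinit -T <armor ccache> user 2>&1 | python3 check.py
    print(diagnose(sys.stdin.read()))
```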

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1640732

Title:
  krb5-otp package not being installed when ipa-server-install

Status in freeipa package in Ubuntu:
  New