Morning All,
I'm trying to do almost the same as was demoed here:
https://www.youtube.com/watch?v=NorXJN3tw3Q&themeRefresh=1 [Break ice or don't
login twice: FreeIPA and OAuth 2.0]. In particular, I'm trying to authorize Linux
users (ssh) with OAuth 2.0 and Azure AD. I already registered a new app in Azure AD (so I
have a new Client ID), then I added a new idp as described here:
https://freeipa.readthedocs.io/en/latest/designs/external-idp/idp-api.htm...
and
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support....
I created a new user and attached him to the AD idp.
Sadly I have some issues making the whole thing work.
I'm running this on a clean Fedora 37 OS:
---
[root@ipa2 log]# cat /etc/fedora-release
Fedora release 37 (Thirty Seven)
---
I installed freeipa-server version 4.10.1:
---
[root@ipa2 log]# ipa --version
VERSION: 4.10.1, API_VERSION: 2.251
---
and all components seem to be working:
---
[root@ipa2 log]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
---
However, when I'm trying to do:
---
[root@ipa2 ~]# kinit -T ./fast.ccache testuser2
Authenticate with PIN RJ4TEQ3KW at https://microsoft.com/devicelogin and press ENTER.:
kinit: Preauthentication failed while getting initial credentials
---
Of course the link provided in the command line is valid and I can proceed with the
authorization with no issues and get SUCCESS at the end; however, for FreeIPA the response
is always the same:
[kinit: Preauthentication failed while getting initial credentials.]
I already noticed that the error occurs almost immediately after running [ kinit -T
./fast.ccache testuser2 ], so FreeIPA is not even waiting for me to log on at the
https://microsoft.com/devicelogin website.
I see the following flow in journalctl:
---
[root@ipa2 log]# journalctl --follow /usr/libexec/ipa/ipa-otpd
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): idp query end: ad
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): oauth2 start: Get device code
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): Received:
[{"device_code":"EAQABAAEAAAD--DLA3VO7QrddgJg7Wevr7iawpzAIiCTXDx5OKQCTvg3u_0IfN7car7U1-ErltsJ_HqupRB-wsm-ls_tCZYc3Z98zG-jVx_xXmZ7oIg5LkxswyAJocRVtTygHdN9sDrHb9lhfGYSZPizy0hEMKGHfhgPaiDtnW3muH-izoWktC_PXqqgJC08d2apcLI8RK6YgAA","expires_in":900,"interval":5}
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: oauth2 {"verification_uri": "https://microsoft.com/devicelogin", "user_code": "EWVEHBCR6"}
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: ]
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): sent: 0 data: 371
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): ..sent: 371 data: 371
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): response sent: Access-Challenge
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: oauth2.c:088: Child finished with status [0].
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: Socket closed, shutting down...
---
[Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): response
sent: Access-Challenge] - I have the impression that the request ends almost in the same
second it starts.
In the messages log:
---
Jan 18 15:13:42 ipa2 systemd[1]: /usr/lib/systemd/system/ipa-otpd@.service:10: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether.
Jan 18 15:13:42 ipa2 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@19-1182-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 18 15:13:42 ipa2 systemd[1]: Started ipa-otpd@19-1182-0.service - ipa-otpd service (PID 1182/UID 0).
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: LDAP: ldapi://%2Frun%2Fslapd-(MY DOMAIN HERE).socket
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): request received
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): user query start
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): user query end: uid=testuser1,cn=users,cn=accounts,dc=tribecloud,dc=io
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): idp query start: cn=ad,cn=idp,dc=tribecloud,dc=io
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): idp query end: ad
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): oauth2 start: Get device code
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): Received:
[{"device_code":"FAQABAAEAAAD--DLA3VO7QrddgJg7Wevr9pXKAjhGk35vFXJUS2CnmQ0ASimeHG_O_I9Ws_CW4GVxOBdb_80yKD2giSQ4SE9PzYEEuCYhzsq70plMMb8XQzgVbYUhe-Mfa85Zb96X8eUAD1PLRh6zO_2i5EMA_hsFXyhC-QDO_uOA64QsoHOFHP5C-FQTbaAYegdUiRlMWj4gAA","expires_in":900,"interval":5}
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: oauth2 {"verification_uri": "https://microsoft.com/devicelogin", "user_code": "FW5GFFLMH"}
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: ]
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): sent: 0 data: 371
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): ..sent: 371 data: 371
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): response sent:
Access-Challenge
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: oauth2.c:088: Child finished with status [0].
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: Socket closed, shutting down...
Jan 18 15:13:43 ipa2 systemd[1]: ipa-otpd@19-1182-0.service: Deactivated successfully.
Jan 18 15:13:43 ipa2 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@19-1182-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
---
User configuration:
---
[root@ipa2 log]# ipa user-show testuser2
User login: testuser2
First name: Test
Last name: User2
Home directory: /home/testuser2
Login shell: /bin/bash
Principal name: testuser2@(MY DOMAIN HERE)
Principal alias: testuser2@(MY DOMAIN HERE)
Email address: testuser2@(MY DOMAIN HERE)
UID: 608800004
GID: 608800004
User authentication types: idp
External IdP configuration: ad
External IdP user identifier: john@(MY DOMAIN HERE)
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
---
idp config:
---
[root@ipa2 log]# ipa idp-show ad
Identity Provider server name: ad
Authorization URI: https://login.microsoftonline.com/(My tenant ID HERE)/oauth2/v2.0/authorize
Device authorization URI: https://login.microsoftonline.com/(My tenant ID HERE)/oauth2/v2.0/devicecode
Token URI: https://login.microsoftonline.com/(My tenant ID HERE)/oauth2/v2.0/token
User info URI: https://graph.microsoft.com/oidc/userinfo
JWKS URI: https://login.microsoftonline.com/common/discovery/v2.0/keys
Client identifier: (MY client ID Here)
Scope: openid email
External IdP user identifier attribute: email
---
I couldn't figure out what is going on. Do you have any ideas or advice on how I can solve
that and use OAuth with Azure AD?
Best regards
John
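The ipa-otpd log above shows only the first half of the OAuth 2.0 device authorization grant (RFC 8628): the device-code request and the Access-Challenge that carries the verification URI and user code. The second half is polling the token endpoint until the user finishes at https://microsoft.com/devicelogin. The following is an added example, not FreeIPA's or ipa-otpd's code, of both steps run offline against a constructed stand-in IdP; `http_post`, `sleep`, `FakeIdp`, the placeholder tenant and client IDs and the sample responses are all assumptions.

```python
"""Minimal RFC 8628 device-authorization client: an added example, not FreeIPA code.
The two steps mirror what ipa-otpd does: get a device code, then poll the token
endpoint while the user finishes at the verification URI. `http_post` and `sleep`
are injected so the flow can run offline against constructed responses."""

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

def request_device_code(http_post, device_uri, client_id, scope):
    # Step 1: same fields as the "Received:" JSON in the ipa-otpd log.
    resp = http_post(device_uri, {"client_id": client_id, "scope": scope})
    return {k: resp[k] for k in ("device_code", "user_code",
                                 "verification_uri", "expires_in", "interval")}

def poll_for_token(http_post, token_uri, client_id, device, sleep):
    # Step 2: poll with the device_code until the user approves or it expires.
    interval, waited = int(device.get("interval", 5)), 0
    while waited < int(device["expires_in"]):
        sleep(interval)
        waited += interval
        resp = http_post(token_uri, {"grant_type": DEVICE_GRANT, "client_id": client_id,
                                     "device_code": device["device_code"]})
        err = resp.get("error")
        if err is None:
            return "ok", resp              # access_token / id_token present
        if err == "authorization_pending":
            continue                       # user has not approved yet
        if err == "slow_down":
            interval += 5                  # RFC 8628 section 3.5: back off and retry
            continue
        return "failed", err               # access_denied, expired_token, ...
    return "failed", "expired_token"

class FakeIdp:  # constructed stand-in for the IdP; `outcomes` are token-endpoint replies
    def __init__(self, outcomes, expires_in=900):
        self.outcomes, self.expires_in, self.calls = list(outcomes), expires_in, 0
    def post(self, url, data):
        self.calls += 1
        if url.endswith("/devicecode"):
            return {"device_code": "CONSTRUCTED-DEVICE-CODE", "user_code": "ABCD1234",
                    "verification_uri": "https://microsoft.com/devicelogin",
                    "expires_in": self.expires_in, "interval": 5}
        return self.outcomes.pop(0)

def run_flow(outcomes, expires_in=900):
    """Run both steps against FakeIdp; returns (status, detail, token polls made)."""
    idp, cid = FakeIdp(outcomes, expires_in), "CLIENT-ID-PLACEHOLDER"
    base = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0"
    device = request_device_code(idp.post, base + "/devicecode", cid, "openid email")
    status, detail = poll_for_token(idp.post, base + "/token", cid, device, lambda s: None)
    return status, detail, idp.calls - 1
```

Swapping `idp.post` for a real HTTP POST (for example `requests.post(url, data=data).json()`) and `lambda s: None` for `time.sleep` turns this into an independent check of the app registration and endpoints that does not involve the KDC at all.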