On Thu, 14 May 2020, Russ Long via FreeIPA-users wrote:
> On Thu, 14 May 2020, Russ Long via FreeIPA-users wrote:
>
> Thing is, it starts working for me immediately when I get the proxy
> associated with the user.
>
> [root@master ~]# ipa user-add foo1bar
> First name: Foo1
> Last name: Bar
> --------------------
> Added user "foo1bar"
> --------------------
> User login: foo1bar
> First name: Foo1
> Last name: Bar
> Full name: Foo1 Bar
> Display name: Foo1 Bar
> Initials: FB
> Home directory: /home/foo1bar
> GECOS: Foo1 Bar
> Login shell: /bin/sh
> Principal name: foo1bar(a)IPA.TEST
> Principal alias: foo1bar(a)IPA.TEST
> Email address: foo1bar(a)ipa.test
> UID: 1908200007
> GID: 1908200007
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
> [root@master ~]# ipa user-mod foo1bar --radius duo
> -----------------------
> Modified user "foo1bar"
> -----------------------
> User login: foo1bar
> First name: Foo1
> Last name: Bar
> Home directory: /home/foo1bar
> Login shell: /bin/sh
> Principal name: foo1bar(a)IPA.TEST
> Principal alias: foo1bar(a)IPA.TEST
> Email address: foo1bar(a)ipa.test
> UID: 1908200007
> GID: 1908200007
> RADIUS proxy configuration: duo
> Account disabled: False
> Password: False
> Member of groups: ipausers
> Kerberos keys available: False
>
> [root@master ~]# kinit -k
> [root@master ~]# KRB5_TRACE=/dev/stderr kinit -T KCM:0 foo1bar
> [190332] 1589466311.590529: Resolving unique ccache of type KCM
> [190332] 1589466311.590530: Getting initial credentials for foo1bar(a)IPA.TEST
> [190332] 1589466311.590531: FAST armor ccache: KCM:0
> [190332] 1589466311.590532: Retrieving host/master.ipa.test(a)IPA.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.TEST\(a)IPA.TEST(a)X-CACHECONF: from KCM:0 with result: 0/Success
> [190332] 1589466311.590533: Read config in KCM:0 for krbtgt/IPA.TEST(a)IPA.TEST: fast_avail: yes
> [190332] 1589466311.590534: Using FAST due to armor ccache negotiation result
> [190332] 1589466311.590535: Getting credentials host/master.ipa.test(a)IPA.TEST -> krbtgt/IPA.TEST(a)IPA.TEST using ccache KCM:0
> [190332] 1589466311.590536: Retrieving host/master.ipa.test(a)IPA.TEST -> krbtgt/IPA.TEST(a)IPA.TEST from KCM:0 with result: 0/Success
> [190332] 1589466311.590537: Armor ccache sesion key: aes256-cts/3E96
> [190332] 1589466311.590539: Creating authenticator for host/master.ipa.test(a)IPA.TEST -> krbtgt/IPA.TEST(a)IPA.TEST, seqnum 0, subkey aes256-cts/86B1, session key aes256-cts/3E96
> [190332] 1589466311.590541: FAST armor key: aes256-cts/1B67
> [190332] 1589466311.590543: Sending unauthenticated request
> [190332] 1589466311.590544: Encoding request body and padata into FAST request
> [190332] 1589466311.590545: Sending request (1681 bytes) to IPA.TEST
> [190332] 1589466311.590546: Initiating TCP connection to stream 1.2.3.4:88
> [190332] 1589466311.590547: Sending TCP request to stream 1.2.3.4:88
> [190332] 1589466311.590548: Received answer (553 bytes) from stream 1.2.3.4:88
> [190332] 1589466311.590549: Terminating TCP connection to stream 1.2.3.4:88
> [190332] 1589466311.590550: Response was from master KDC
> [190332] 1589466311.590551: Received error from KDC: -1765328359/Additional pre-authentication required
> [190332] 1589466311.590552: Decoding FAST response
> [190332] 1589466311.590555: Preauthenticating using KDC method data
> [190332] 1589466311.590556: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
> [190332] 1589466311.590557: Received cookie: MIT
> [190332] 1589466311.590558: PKINIT client has no configured identity; giving up
> [190332] 1589466311.590559: Preauth module pkinit (147) (info) returned: 0/Success
> [190332] 1589466311.590560: PKINIT client received freshness token from KDC
> [190332] 1589466311.590561: Preauth module pkinit (150) (info) returned: 0/Success
> [190332] 1589466311.590562: PKINIT client has no configured identity; giving up
> [190332] 1589466311.590563: Preauth module pkinit (16) (real) returned: 22/Invalid argument
> Enter OTP Token Value: [some value]
> [190351] 1589466397.815380: Preauth module otp (141) (real) returned: 0/Success
> [190351] 1589466397.815381: Produced preauth for next request: PA-FX-COOKIE (133), PA-OTP-REQUEST (142)
> [190351] 1589466397.815382: Encoding request body and padata into FAST request
> [190351] 1589466397.815383: Sending request (1817 bytes) to IPA.TEST
> [190351] 1589466397.815384: Initiating TCP connection to stream 1.2.3.4:88
> [190351] 1589466397.815385: Sending TCP request to stream 1.2.3.4:88
> [190351] 1589466402.829711: Received answer (553 bytes) from stream 1.2.3.4:88
> [190351] 1589466402.829712: Terminating TCP connection to stream 1.2.3.4:88
> [190351] 1589466402.829713: Response was from master KDC
> ...
>
> At this point I can see on the KDC in journal:
>
> May 14 14:26:37 master.ipa.test systemd[1]: Started ipa-otpd service (PID 188682/UID 0).
> May 14 14:26:37 master.ipa.test ipa-otpd[190353]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
> May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: request received
> May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: user query start
> May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: user query end: uid=foo1bar,cn=users,cn=accounts,dc=ipa,dc=test
> May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: radius query start: cn=duo,cn=radiusproxy,dc=ipa,dc=test
> May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: radius query end: 192.168.1.123
> May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: forward start: foo1bar / 192.168.1.123
>
> I don't have an actual RADIUS proxy myself, so ipa-otpd will time out trying
> to contact the non-existing server, but as you can see the request comes
> through.
>
> You do need to use FAST channel wrapping when testing with 'kinit'
> because that's required for OTP communication (thus -T option to kinit).
> SSSD would handle this for you automatically:
>
> [root@master ~]# ssh -l foo1bar `hostname`
> foo1bar(a)master.ipa.test's password:
> ...
>
> will lead to the same request processing on the ipa-otpd side:
>
> May 14 14:30:04 master.ipa.test ipa-otpd[190404]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
> May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: request received
> May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: user query start
> May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: user query end: uid=foo1bar,cn=users,cn=accounts,dc=ipa,dc=test
> May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: radius query start: cn=duo,cn=radiusproxy,dc=ipa,dc=test
> May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: radius query end: 192.168.1.123
> May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: forward start: foo1bar / 192.168.1.123
> Running a tcpdump on both the IPA server and RADIUS server shows no traffic between the 2
> at all when attempting to auth with the RADIUS test user.
> My user output looks identical to yours, showing the radius proxy setup.
> The KRB5_TRACE=/dev/stderr kinit -T KCM:0 command fails with the following:
>
> # KRB5_TRACE=/dev/stderr kinit -T KCM:0 rlong2
> [17266] 1589473467.264707: Resolving unique ccache of type KCM
> [17266] 1589473467.264708: Getting initial credentials for rlong2(a)IPA.DOMAIN.COM
> [17266] 1589473467.264709: FAST armor ccache: KCM:0
> [17266] 1589473467.264710: Retrieving admin(a)IPA.DOMAIN.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.DOMAIN.COM\@IPA.DOMAIN.COM(a)X-CACHECONF: from KCM:0 with result: 0/Success
> [17266] 1589473467.264711: Read config in KCM:0 for krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM: fast_avail: yes
> [17266] 1589473467.264712: Using FAST due to armor ccache negotiation result
> [17266] 1589473467.264713: Getting credentials admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM using ccache KCM:0
> [17266] 1589473467.264714: Retrieving admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM from KCM:0 with result: -1765328243/Matching credential not found
> [17266] 1589473467.264715: Retrieving admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM from KCM:0 with result: 0/Success
> [17266] 1589473467.264716: Retrying AS request with master KDC
> [17266] 1589473467.264717: Getting initial credentials for rlong2(a)IPA.DOMAIN.COM
> [17266] 1589473467.264718: FAST armor ccache: KCM:0
> [17266] 1589473467.264719: Retrieving admin(a)IPA.DOMAIN.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.DOMAIN.COM\@IPA.DOMAIN.COM(a)X-CACHECONF: from KCM:0 with result: 0/Success
> [17266] 1589473467.264720: Read config in KCM:0 for krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM: fast_avail: yes
> [17266] 1589473467.264721: Using FAST due to armor ccache negotiation result
> [17266] 1589473467.264722: Getting credentials admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM using ccache KCM:0
> [17266] 1589473467.264723: Retrieving admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM from KCM:0 with result: -1765328243/Matching credential not found
> [17266] 1589473467.264724: Retrieving admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM from KCM:0 with result: 0/Success
> kinit: Error constructing AP-REQ armor: Ticket expired while getting initial credentials

You have an expired ticket in your KCM:0 ccache.
Try first to obtain a valid ticket to use as armor in FAST, e.g. either
kinit as admin or with the host keytab:
kinit -k (for host keytab) or 'kinit admin'
and then 'kinit -T KCM:0 rlong2'

> [root@master ~]# KRB5_TRACE=/dev/stderr kinit -T KCM:0 rlong2
> [17269] 1589473498.188367: Resolving unique ccache of type KCM
> [17269] 1589473498.188368: Getting initial credentials for rlong2(a)IPA.DOMAIN.COM
> [17269] 1589473498.188369: FAST armor ccache: KCM:0
> [17269] 1589473498.188370: Retrieving admin(a)IPA.DOMAIN.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.DOMAIN.COM\@IPA.DOMAIN.COM(a)X-CACHECONF: from KCM:0 with result: 0/Success
> [17269] 1589473498.188371: Read config in KCM:0 for krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM: fast_avail: yes
> [17269] 1589473498.188372: Using FAST due to armor ccache negotiation result
> [17269] 1589473498.188373: Getting credentials admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM using ccache KCM:0
> [17269] 1589473498.188374: Retrieving admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM from KCM:0 with result: -1765328243/Matching credential not found
> [17269] 1589473498.188375: Retrieving admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM from KCM:0 with result: 0/Success
> [17269] 1589473498.188376: Retrying AS request with master KDC
> [17269] 1589473498.188377: Getting initial credentials for rlong2(a)IPA.DOMAIN.COM
> [17269] 1589473498.188378: FAST armor ccache: KCM:0
> [17269] 1589473498.188379: Retrieving admin(a)IPA.DOMAIN.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.DOMAIN.COM\@IPA.DOMAIN.COM(a)X-CACHECONF: from KCM:0 with result: 0/Success
> [17269] 1589473498.188380: Read config in KCM:0 for krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM: fast_avail: yes
> [17269] 1589473498.188381: Using FAST due to armor ccache negotiation result
> [17269] 1589473498.188382: Getting credentials admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM using ccache KCM:0
> [17269] 1589473498.188383: Retrieving admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM from KCM:0 with result: -1765328243/Matching credential not found
> [17269] 1589473498.188384: Retrieving admin(a)IPA.DOMAIN.COM -> krbtgt/IPA.DOMAIN.COM(a)IPA.DOMAIN.COM from KCM:0 with result: 0/Success
> kinit: Error constructing AP-REQ armor: Ticket expired while getting initial credentials
>
> I just double checked with firewalls off to ensure there wasn't some strangeness
> happening there, and I still get the same behavior.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
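As an added illustration (not from this thread, FreeIPA or MIT krb5), a small Python helper that classifies a KRB5_TRACE run of `kinit -T` into the states discussed above: whether the FAST armor ticket was usable, whether the KDC offered PA-OTP-CHALLENGE (141), and whether the OTP preauth completed so that a request should appear in the ipa-otpd journal. The two trace excerpts are constructed and abbreviated from the ones in this thread; the realm EXAMPLE.TEST is a placeholder.

```python
import re
# Constructed, abbreviated KRB5_TRACE excerpts modelled on the two runs in this thread.
TRACE_OK = """\
[1] 1.1: FAST armor ccache: KCM:0
[1] 1.2: Using FAST due to armor ccache negotiation result
[1] 1.3: Received error from KDC: -1765328359/Additional pre-authentication required
[1] 1.4: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133)
[1] 1.5: Preauth module otp (141) (real) returned: 0/Success
"""
TRACE_EXPIRED = """\
[2] 2.1: FAST armor ccache: KCM:0
[2] 2.2: Using FAST due to armor ccache negotiation result
[2] 2.3: Retrieving admin@EXAMPLE.TEST -> krbtgt/EXAMPLE.TEST@EXAMPLE.TEST from KCM:0 with result: -1765328243/Matching credential not found
kinit: Error constructing AP-REQ armor: Ticket expired while getting initial credentials
"""
ARMOR_RE = re.compile(r"FAST armor ccache: (\S+)")
PREAUTH_RE = re.compile(r"Processing preauth types: (.+)")

def diagnose(trace: str) -> dict:
    """Walk a KRB5_TRACE log and report how far a FAST+OTP kinit got."""
    st = {"armor_ccache": None, "fast_used": False, "kdc_reached": False,
          "otp_offered": False, "otp_sent": False, "verdict": None}
    for line in trace.splitlines():
        if m := ARMOR_RE.search(line):
            st["armor_ccache"] = m.group(1)
        if "Using FAST due to armor ccache" in line:
            st["fast_used"] = True
        if "Received error from KDC" in line or "Response was from" in line:
            st["kdc_reached"] = True
        if (m := PREAUTH_RE.search(line)) and "PA-OTP-CHALLENGE (141)" in m.group(1):
            st["otp_offered"] = True
        if "Preauth module otp (141) (real) returned: 0/Success" in line:
            st["otp_sent"] = True
        if "Error constructing AP-REQ armor" in line:
            # Armor TGT unusable (expired here): kinit never sent an AS-REQ, so
            # nothing reaches the KDC, ipa-otpd or the RADIUS server.
            st["verdict"] = "armor-expired"
            return st
    if not st["fast_used"]:
        st["verdict"] = "no-fast"            # ran without -T; OTP preauth needs FAST
    elif not st["kdc_reached"]:
        st["verdict"] = "kdc-unreachable"
    elif not st["otp_offered"]:
        st["verdict"] = "otp-not-offered"    # KDC saw no OTP/RADIUS auth type for the user
    elif st["otp_sent"]:
        st["verdict"] = "otp-sent"           # expect 'forward start' in the ipa-otpd journal
    else:
        st["verdict"] = "otp-incomplete"
    return st
```

Feed it the stderr of `KRB5_TRACE=/dev/stderr kinit -T KCM:0 user` and an "armor-expired" verdict tells you to refresh the armor ticket (kinit -k or kinit admin) before looking at ipa-otpd or tcpdump.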