On Thu, 14 May 2020, Russ Long via FreeIPA-users wrote:
> On Thu, 14 May 2020, Russ Long via FreeIPA-users wrote:
> >
> > Did you associate the radiusproxy 'duo' with the user?
> >
> > E.g.
> >
> > ipa user-mod foobar --radius duo
> >
> > ?
> >
> > You might have multiple RADIUS proxies and they would need to be
> > explicitly connected with the user account.
> Yes, I did associate the proxy with the user, sorry forgot to mention that.
Thing is, it starts working for me immediately when I get the proxy
associated with the user.
[root@master ~]# ipa user-add foo1bar
First name: Foo1
Last name: Bar
--------------------
Added user "foo1bar"
--------------------
User login: foo1bar
First name: Foo1
Last name: Bar
Full name: Foo1 Bar
Display name: Foo1 Bar
Initials: FB
Home directory: /home/foo1bar
GECOS: Foo1 Bar
Login shell: /bin/sh
Principal name: foo1bar@IPA.TEST
Principal alias: foo1bar@IPA.TEST
Email address: foo1bar@ipa.test
UID: 1908200007
GID: 1908200007
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# ipa user-mod foo1bar --radius duo
-----------------------
Modified user "foo1bar"
-----------------------
User login: foo1bar
First name: Foo1
Last name: Bar
Home directory: /home/foo1bar
Login shell: /bin/sh
Principal name: foo1bar@IPA.TEST
Principal alias: foo1bar@IPA.TEST
Email address: foo1bar@ipa.test
UID: 1908200007
GID: 1908200007
RADIUS proxy configuration: duo
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# kinit -k
[root@master ~]# KRB5_TRACE=/dev/stderr kinit -T KCM:0 foo1bar
[190332] 1589466311.590529: Resolving unique ccache of type KCM
[190332] 1589466311.590530: Getting initial credentials for foo1bar@IPA.TEST
[190332] 1589466311.590531: FAST armor ccache: KCM:0
[190332] 1589466311.590532: Retrieving host/master.ipa.test@IPA.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.TEST\@IPA.TEST@X-CACHECONF: from KCM:0 with result: 0/Success
[190332] 1589466311.590533: Read config in KCM:0 for krbtgt/IPA.TEST@IPA.TEST: fast_avail: yes
[190332] 1589466311.590534: Using FAST due to armor ccache negotiation result
[190332] 1589466311.590535: Getting credentials host/master.ipa.test@IPA.TEST -> krbtgt/IPA.TEST@IPA.TEST using ccache KCM:0
[190332] 1589466311.590536: Retrieving host/master.ipa.test@IPA.TEST -> krbtgt/IPA.TEST@IPA.TEST from KCM:0 with result: 0/Success
[190332] 1589466311.590537: Armor ccache sesion key: aes256-cts/3E96
[190332] 1589466311.590539: Creating authenticator for host/master.ipa.test@IPA.TEST -> krbtgt/IPA.TEST@IPA.TEST, seqnum 0, subkey aes256-cts/86B1, session key aes256-cts/3E96
[190332] 1589466311.590541: FAST armor key: aes256-cts/1B67
[190332] 1589466311.590543: Sending unauthenticated request
[190332] 1589466311.590544: Encoding request body and padata into FAST request
[190332] 1589466311.590545: Sending request (1681 bytes) to IPA.TEST
[190332] 1589466311.590546: Initiating TCP connection to stream 1.2.3.4:88
[190332] 1589466311.590547: Sending TCP request to stream 1.2.3.4:88
[190332] 1589466311.590548: Received answer (553 bytes) from stream 1.2.3.4:88
[190332] 1589466311.590549: Terminating TCP connection to stream 1.2.3.4:88
[190332] 1589466311.590550: Response was from master KDC
[190332] 1589466311.590551: Received error from KDC: -1765328359/Additional pre-authentication required
[190332] 1589466311.590552: Decoding FAST response
[190332] 1589466311.590555: Preauthenticating using KDC method data
[190332] 1589466311.590556: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[190332] 1589466311.590557: Received cookie: MIT
[190332] 1589466311.590558: PKINIT client has no configured identity; giving up
[190332] 1589466311.590559: Preauth module pkinit (147) (info) returned: 0/Success
[190332] 1589466311.590560: PKINIT client received freshness token from KDC
[190332] 1589466311.590561: Preauth module pkinit (150) (info) returned: 0/Success
[190332] 1589466311.590562: PKINIT client has no configured identity; giving up
[190332] 1589466311.590563: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Enter OTP Token Value: [some value]
[190351] 1589466397.815380: Preauth module otp (141) (real) returned: 0/Success
[190351] 1589466397.815381: Produced preauth for next request: PA-FX-COOKIE (133), PA-OTP-REQUEST (142)
[190351] 1589466397.815382: Encoding request body and padata into FAST request
[190351] 1589466397.815383: Sending request (1817 bytes) to IPA.TEST
[190351] 1589466397.815384: Initiating TCP connection to stream 1.2.3.4:88
[190351] 1589466397.815385: Sending TCP request to stream 1.2.3.4:88
[190351] 1589466402.829711: Received answer (553 bytes) from stream 1.2.3.4:88
[190351] 1589466402.829712: Terminating TCP connection to stream 1.2.3.4:88
[190351] 1589466402.829713: Response was from master KDC
...
At this point I can see on the KDC in the journal:
May 14 14:26:37 master.ipa.test systemd[1]: Started ipa-otpd service (PID 188682/UID 0).
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: request received
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: user query start
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: user query end: uid=foo1bar,cn=users,cn=accounts,dc=ipa,dc=test
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: radius query start: cn=duo,cn=radiusproxy,dc=ipa,dc=test
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: radius query end: 192.168.1.123
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: forward start: foo1bar / 192.168.1.123
I don't have an actual RADIUS proxy myself, so ipa-otpd will time out trying
to contact the non-existent server, but as you can see the request comes
through.
You do need to use FAST channel wrapping when testing with 'kinit'
because that's required for OTP communication (thus the -T option to kinit).
SSSD would handle this for you automatically:
[root@master ~]# ssh -l foo1bar `hostname`
foo1bar@master.ipa.test's password:
...
will lead to the same request processing on the ipa-otpd side:
May 14 14:30:04 master.ipa.test ipa-otpd[190404]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar@IPA.TEST: request received
May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar@IPA.TEST: user query start
May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar@IPA.TEST: user query end: uid=foo1bar,cn=users,cn=accounts,dc=ipa,dc=test
May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar@IPA.TEST: radius query start: cn=duo,cn=radiusproxy,dc=ipa,dc=test
May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar@IPA.TEST: radius query end: 192.168.1.123
May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar@IPA.TEST: forward start: foo1bar / 192.168.1.123
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
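Added example, not part of the thread above and not FreeIPA's own tooling: a small Python checker that reads an ipa-otpd journal excerpt of the kind shown in the reply and reports, per Kerberos principal, whether the request went all the way to "forward start" (and to which RADIUS server, via which radiusproxy entry) or at which stage it stopped. The stage names and the foo1bar lines are taken from the journal excerpt in the reply; the second principal (noproxy@IPA.TEST) and its lines are constructed, and the idea that a request with no usable RADIUS proxy simply stops before "radius query start" is an assumption for the sake of the example, not something the reply states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Stages ipa-otpd logs for one request, in the order the journal excerpt
# in the reply shows them.
STAGES = (
    "request received",
    "user query start",
    "user query end",
    "radius query start",
    "radius query end",
    "forward start",
)

# One journald line from ipa-otpd that names a principal. Lines without a
# principal (the "LDAP: ldapi://..." line) do not match and are skipped.
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ipa-otpd\[\d+\]: "
    r"(?P<principal>[^\s:]+@[^\s:]+): (?P<stage>[a-z ]+?)(?:: (?P<detail>.*))?$"
)


@dataclass
class RequestTrace:
    """What ipa-otpd recorded for one principal's OTP request."""
    principal: str
    stages: List[str] = field(default_factory=list)
    user_dn: Optional[str] = None        # detail of "user query end"
    proxy_dn: Optional[str] = None       # detail of "radius query start"
    radius_server: Optional[str] = None  # detail of "radius query end"

    def first_missing_stage(self) -> Optional[str]:
        """First expected stage that never appeared, or None if all did."""
        for stage in STAGES:
            if stage not in self.stages:
                return stage
        return None


def parse_otpd_journal(text: str) -> Dict[str, RequestTrace]:
    """Group ipa-otpd journal lines by principal and pull out the details."""
    traces: Dict[str, RequestTrace] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        trace = traces.setdefault(m["principal"], RequestTrace(m["principal"]))
        stage, detail = m["stage"], m["detail"]
        trace.stages.append(stage)
        if stage == "user query end":
            trace.user_dn = detail
        elif stage == "radius query start":
            trace.proxy_dn = detail
        elif stage == "radius query end":
            trace.radius_server = detail
    return traces


def diagnose(text: str) -> Dict[str, str]:
    """Per principal: where the request was forwarded, or where it stopped."""
    verdicts: Dict[str, str] = {}
    for principal, trace in parse_otpd_journal(text).items():
        missing = trace.first_missing_stage()
        if missing is None:
            verdicts[principal] = (
                f"forwarded to RADIUS {trace.radius_server} via {trace.proxy_dn}"
            )
        else:
            verdicts[principal] = (
                f"stopped after '{trace.stages[-1]}'; never reached '{missing}'"
            )
    return verdicts


# Sample input: the foo1bar lines from the reply, plus a CONSTRUCTED trace for
# a second user whose log stops right after the user lookup (an assumption
# about what a request that never reaches a RADIUS proxy looks like).
SAMPLE_JOURNAL = """\
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: request received
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: user query start
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: user query end: uid=foo1bar,cn=users,cn=accounts,dc=ipa,dc=test
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: radius query start: cn=duo,cn=radiusproxy,dc=ipa,dc=test
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: radius query end: 192.168.1.123
May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar@IPA.TEST: forward start: foo1bar / 192.168.1.123
May 14 14:31:02 master.ipa.test ipa-otpd[190410]: noproxy@IPA.TEST: request received
May 14 14:31:02 master.ipa.test ipa-otpd[190410]: noproxy@IPA.TEST: user query start
May 14 14:31:02 master.ipa.test ipa-otpd[190410]: noproxy@IPA.TEST: user query end: uid=noproxy,cn=users,cn=accounts,dc=ipa,dc=test
"""

if __name__ == "__main__":
    for principal, verdict in diagnose(SAMPLE_JOURNAL).items():
        print(f"{principal}: {verdict}")
```

In practice you would feed it `journalctl -u ipa-otpd@* --no-pager` output (or whatever unit naming your deployment uses) instead of the embedded sample; the useful signal is the "forward start" line, which confirms the KDC side resolved the user, found the radiusproxy entry and handed the request to it, so anything that goes wrong after that point lies between ipa-otpd and the RADIUS server rather than in the FreeIPA configuration.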