Hello List,
I'd really appreciate some insight here. I've set up a FreeIPA POC (CentOS 7, FreeIPA 4.7, two FreeIPA servers as multimaster along with some clients). Added OTPs for several users and made it work with RADIUS for VPN access authentication purposes. Next, I've added an AD trust and I am able to log in as an AD user. All groovy. Now I'd like to enforce MFA for AD users by adding OTP tokens for them. Is it possible at all? Since an AD user authenticates against AD, shouldn't it be AD that provides MFA?
FreeIPA behaves strangely when it comes to AD users (mapped via an external group and a POSIX group): AD user 'ipatest' is visible with the 'id' command (and has its own UID, GID and so on) but cannot be found via the 'ipa user-find' command, even with the specific UID provided:
admin@ipa-poc-1 ~ $ id ipatest@lab.trusteddomain.com
uid=748801177(ipatest@lab.trusteddomain.com) gid=748801177(ipatest@lab.trusteddomain.com) groups=748801177(ipatest@lab.trusteddomain.com),748800513(domain users@lab.trusteddomain.com),748801180(linuxusers@lab.trusteddomain.com),793600008(ad_users)

admin@ipa-poc-1 ~ $ ipa user-find ipatest
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

admin@ipa-poc-1 ~ $ ipa user-find ipatest@lab.trusteddomain.com
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

admin@ipa-poc-1 ~ $ ipa user-find ipatest@TRUSTEDOMAIN-LAB
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

admin@ipa-poc-1 ~ $ ipa user-find uid=748801177
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

I reckon it is due to the one-way trust with the AD domain, but I'm not sure here. Since the 'ipa otptoken-add' command requires an 'owner' parameter (type string, and it doesn't work with a UID) I cannot add an OTP token for this user.
Another approach I've tried (since the ipa otptoken-add command by default uses the current user as owner) was to log on as the AD user and create an OTP token 'for myself', but it didn't work either:
ipatest@lab.trusteddomain.com@ipa-poc-1 ~ $ kinit ipatest@lab.trusteddomain.com
Password for ipatest@lab.trusteddomain.com:
ipatest@lab.trusteddomain.com@ipa-poc-1 ~ $ ipa otptoken-add --type='TOTP'
ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa-poc-1.lab/ipa/json, https://ipa-poc-2.lab/ipa/json

So, to make it short:
Is it possible to add an OTP token to an external AD user? How to do it?

rgrds
M.
On pe, 19 helmi 2021, Mariusz Stysiak via FreeIPA-users wrote:
Hello List,
I'd really appreciate some insight here. I've set up a FreeIPA POC (CentOS 7, FreeIPA 4.7, two FreeIPA servers as multimaster along with some clients). Added OTPs for several users and made it work with RADIUS for VPN access authentication purposes. Next, I've added an AD trust and I am able to log in as an AD user. All groovy. Now I'd like to enforce MFA for AD users by adding OTP tokens for them. Is it possible at all? Since an AD user authenticates against AD, shouldn't it be AD that provides MFA?
Authentication of trusted Active Directory users is done by Active Directory domain controllers, not IdM. Microsoft's implementation of Active Directory does not support 2FA at the Kerberos level and as such it is not possible to use the same technology as described in RFC 6560 with Active Directory users.
We used to have https://bugzilla.redhat.com/show_bug.cgi?id=1195696, an RFE that tracks *some* sort of a solution to the problem. However, it is not going to be achieved anytime soon and thus was closed until work in upstream communities gets to the point that it could be productised.
Documentation explicitly says OTPs are not supported for AD users. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
FreeIPA behaves strangely when it comes to AD users (mapped via an external group and a POSIX group): AD user 'ipatest' is visible with the 'id' command (and has its own UID, GID and so on) but cannot be found via the 'ipa user-find' command, even with the specific UID provided:
AD users exist in AD, not in IPA.
admin@ipa-poc-1 ~ $ id ipatest@lab.trusteddomain.com uid=748801177(ipatest@lab.trusteddomain.com) gid=748801177(ipatest@lab.trusteddomain.com) groups=748801177(ipatest@lab.trusteddomain.com),748800513(domain users@lab.trusteddomain.com),748801180(linuxusers@lab.trusteddomain.com),793600008(ad_users)
admin@ipa-poc-1 ~ $ ipa user-find ipatest
0 users matched
Number of entries returned 0
admin@ipa-poc-1 ~ $ ipa user-find ipatest@lab.trusteddomain.com
0 users matched
Number of entries returned 0
admin@ipa-poc-1 ~ $ ipa user-find ipatest@TRUSTEDOMAIN-LAB
0 users matched
Number of entries returned 0
admin@ipa-poc-1 ~ $ ipa user-find uid=748801177
0 users matched
Number of entries returned 0
I reckon it is due to the one-way trust with the AD domain, but I'm not sure here. Since the 'ipa otptoken-add' command requires an 'owner' parameter (type string, and it doesn't work with a UID) I cannot add an OTP token for this user.
Another approach I've tried (since the ipa otptoken-add command by default uses the current user as owner) was to log on as the AD user and create an OTP token 'for myself', but it didn't work either:
ipatest@lab.trusteddomain.com@ipa-poc-1 ~ $ kinit ipatest@lab.trusteddomain.com
Password for ipatest@lab.trusteddomain.com:
ipatest@lab.trusteddomain.com@ipa-poc-1 ~ $ ipa otptoken-add --type='TOTP'
ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa-poc-1.lab/ipa/json, https://ipa-poc-2.lab/ipa/json

So, to make it short:
Is it possible to add an OTP token to an external AD user? How to do it?

rgrds
M.
Alexander,

Thank you for your prompt and informative answer; it cleared my last doubts. Two other questions come to my mind:

1. Is it possible to enforce two-step auth for AD users (first step being AD authentication, second an OTP used by FreeIPA)?
2. Except for Kerberos-based MFA, are there any other ways to achieve this goal (AD users being able to log on to Linux machines with 2FA)? Things like PBIS use something, I guess? Couldn't something similar be used here?
Regards M.
First idea is to use regular Google Authenticator mounted with autofs to the AD user's home dir (so you use the same token on every server). Will give it a try.
On ma, 22 helmi 2021, Mariusz Stysiak via FreeIPA-users wrote:
Alexander, Thank you for your prompt and informative answer; it cleared my last doubts. Two other questions come to my mind:
- Is it possible to enforce two-step auth for AD users (first step being AD authentication, second an OTP used by FreeIPA)?
Not at the Kerberos level.
- Except for Kerberos-based MFA, are there any other ways to achieve this goal (AD users being able to log on to Linux machines with 2FA)? Things like PBIS use something, I guess? Couldn't something similar be used here?
SSH has means to require multiple authentication methods at the same time. This can be used to 'emulate' such multi-factor access. This has been asked several times in the past; the archives are useful too. ;)
See, for example, https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
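The following is an added example, not code from this thread, from FreeIPA or from Red Hat. It puts together the two pieces discussed above: the sshd AuthenticationMethods requirement Alexander refers to, and the Google Authenticator PAM module the original poster planned to try with autofs-mounted home directories. The effect for a member of the POSIX group ad_users (the group name comes from the poster's `id` output) is: SSH key, then AD password verified by SSSD through the trust, then a TOTP code. Assumptions not on the page: the /etc/pam.d/sshd layout is the CentOS 7 default (pam_sepermit plus the password-auth substack), and pam_google_authenticator.so with its per-user ~/.google_authenticator secret comes from the google-authenticator package. The small checker at the end exists because the AuthenticationMethods syntax is where this setup silently turns single-factor: a comma joins methods that must all succeed, while a space separates alternatives, any one of which is enough.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Pairs an sshd
# AuthenticationMethods requirement with a PAM stack that asks for the AD
# password (pam_sss via password-auth) and then a TOTP code.
# Assumptions: "ad_users" is the POSIX group from the poster's `id` output;
# the sshd PAM stack is the CentOS 7 default; pam_google_authenticator.so
# and ~/.google_authenticator come from the google-authenticator package.

# Constructed sshd_config fragment, applied only to ad_users members.
# In AuthenticationMethods a comma means "all of these, in this order";
# a space separates alternative lists, any ONE of which logs the user in.
SSHD_MFA_FRAGMENT='Match Group ad_users
    ChallengeResponseAuthentication yes
    PasswordAuthentication no
    AuthenticationMethods publickey,keyboard-interactive:pam'

# Constructed /etc/pam.d/sshd auth section. password-auth holds pam_sss,
# which verifies the AD password across the trust; pam_google_authenticator
# then prompts for the verification code. No "nullok", so a user without a
# secret file is rejected instead of silently skipping the second step.
PAM_SSHD_FRAGMENT='auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_google_authenticator.so'

# Return 0 when every space-separated alternative requires at least two
# comma-joined methods; 1 when any alternative is a lone method (one factor).
check_auth_methods() {
    for alternative in $1; do
        case "$alternative" in
            *,*) ;;            # two or more methods chained: acceptable
            *)   return 1 ;;   # a single method would be enough on its own
        esac
    done
    return 0
}

# Return 0 when the config text carries AuthenticationMethods line(s) and
# each passes check_auth_methods; 1 when one is single-factor or the
# directive is missing (sshd's default then accepts any one enabled method).
check_sshd_fragment() {
    methods=$(printf '%s\n' "$1" |
        awk '$1 == "AuthenticationMethods" { $1 = ""; sub(/^ +/, ""); print }')
    [ -n "$methods" ] || return 1
    printf '%s\n' "$methods" | while IFS= read -r line; do
        check_auth_methods "$line" || exit 1
    done
}

# Stand-alone run: print both fragments once the sshd one passes the check.
if check_sshd_fragment "$SSHD_MFA_FRAGMENT"; then
    printf '%s\n\n%s\n' "$SSHD_MFA_FRAGMENT" "$PAM_SSHD_FRAGMENT"
fi
```

After appending the sshd fragment to /etc/sshd_config and editing /etc/pam.d/sshd, validate with `sshd -t` and keep an existing session open while testing from a second one, since a PAM mistake here locks everyone in the group out. Each AD user enrolls once by running `google-authenticator` in their home directory; with the home directory on autofs, as the poster suggests, the same secret file is then seen by every server.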