Hello !
I am contacting you because I encounter a problem when I use kpasswd via the Python popen function. I use FreeIPA 3.0 and Python 2.6.6.
Here is what I do in Python:

    from subprocess import Popen, PIPE, STDOUT

    # kpasswd prompts three times on stdin: the current password (here the OTP set by the admin),
    # then the new password twice; the last answer is terminated with a newline as well
    input_process = otp + '\n' + password + '\n' + password + '\n'
    # argv as a list instead of shlex.split('kpasswd %s' % user_login): the login stays one argument
    cmd_and_args = ['kpasswd', user_login]
    p = Popen(cmd_and_args, stdout=PIPE, stdin=PIPE, stderr=STDOUT)
    # stderr is merged into stdout, so error is always None here
    (output, error) = p.communicate(input=input_process)

Before doing that, I ran the following command in order to get more logs:

    export KRB5_TRACE=/dev/stdout
And here is what I see in the logs:
###
[47700] 1530630765.610794: Getting initial credentials for test_user@MYREALM
[47700] 1530630765.610945: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.610998: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611003: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611006: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611016: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611044: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611061: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611089: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7F39, session key aes256-cts/2559
[47700] 1530630765.611168: FAST armor key: aes256-cts/79AB
[47700] 1530630765.611179: Setting initial creds service to kadmin/changepw
[47700] 1530630765.611184: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611208: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611212: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611213: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611219: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611240: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611245: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611256: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2BFD, session key aes256-cts/2559
[47700] 1530630765.611288: FAST armor key: aes256-cts/62C4
[47700] 1530630765.611299: Encoding request body and padata into FAST request
[47700] 1530630765.611333: Sending request (1019 bytes) to MYREALM
[47700] 1530630765.611418: Resolving hostname ipamasterhostname
[47700] 1530630765.611608: Initiating TCP connection to stream ipamasterIP:88
[47700] 1530630765.611769: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.675154: Received answer from stream ipamasterIP:88
[47700] 1530630765.675208: Response was from master KDC
[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional pre-authentication required
[47700] 1530630765.675249: Decoding FAST response
[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137
[47700] 1530630765.675319: Received cookie: MIT
Password for test_user@MYREALM:
[47700] 1530630765.682884: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
[47700] 1530630765.682889: Produced preauth for next request: 133, 138
[47700] 1530630765.682891: Encoding request body and padata into FAST request
[47700] 1530630765.682951: Sending request (1118 bytes) to MYREALM
[47700] 1530630765.682967: Resolving hostname ipamasterhostname
[47700] 1530630765.683098: Initiating TCP connection to stream ipamasterIP:88
[47700] 1530630765.683180: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.756232: Received answer from stream ipamasterIP:88
[47700] 1530630765.756302: Response was from master KDC
[47700] 1530630765.756321: Received error from KDC: -1765328360/Preauthentication failed
[47700] 1530630765.756325: Decoding FAST response
[47700] 1530630765.756376: Preauth tryagain input types: 136, 19, 138, 133, 137
kpasswd: Preauthentication failed getting initial ticket
###
I don't yet understand why the kpasswd command is failing.
My admin ticket is good. My ticket cache is used only by me.
Could you help me understand what is going on, please? Is there a way to use the ipa Python library to perform a kpasswd instead of popen of the kpasswd command?
Best regards.
Lune
On Tue, 03 Jul 2018, lune voo via FreeIPA-users wrote:
Here is what I do in Python:
input_process = otp + '\n' + password + '\n' + password
Here you provide otp (what is this? A 2FA token value?), password and password.
[...]
[47700] 1530630765.675319: Received cookie: MIT
Password for test_user@MYREALM:
Here you are asked for a password.
[...]
[47700] 1530630765.756321: Received error from KDC: -1765328360/Preauthentication failed
[...]
kpasswd: Preauthentication failed getting initial ticket
And your password (what kpasswd uses as a password) is incorrect (to what KDC considers you have as a password).
Could you help me understand what is going on, please?
Try first to get this working interactively.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Hello Alexander.
Thanks for the answer.
OTP stands for one-time password.
In fact, in order to set a password for a user, I first do an ipa passwd using the ipa Python library.
The OTP is normally good.
And the kpasswd password should also be good, unless the IPA KDC doesn't like some special characters?
Lune.
On Wed, 04 Jul 2018, lune voo wrote:
OTP stands for one-time password.
In fact, in order to set a password for a user, I first do an ipa passwd using the ipa Python library.
So, your code is equivalent to
kinit admin
ipa passwd test-user
kpasswd test-user
?
I.e. there is no 2FA involved and what you call 'otp' is only reflecting the fact that any non-user-initiated password change forces that user to change their password, so 'ipa passwd test-user' as admin means 'test-user' password has to be changed and becomes effectively a one time password set by admin.
Is that a correct assessment?
The OTP is normally good.
Can you demonstrate things not working in a console, interactively?
And the kpasswd password should also be good, unless the IPA KDC doesn't like some special characters?
There are no limits on what a Kerberos KDC considers a 'password', as that could be a bunch of random bytes.
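The shell equivalent Alexander gives above (kinit admin, ipa passwd test-user, kpasswd test-user) is what the Python code has to reproduce, and the KRB5_TRACE output is the only record of what the KDC actually answered. The following is an added example written for this thread, not code from the original post or from FreeIPA. It builds the kpasswd argv as a list rather than shlex.split on a formatted string, points KRB5_TRACE at a private file instead of /dev/stdout so the trace cannot interleave with kpasswd's own prompts, and decodes the two com_err codes and the padata types that appear in the trace. It assumes MIT krb5's kpasswd is on PATH and reads its prompts from stdin, as the trace shows it does; the argv parameter of run_kpasswd is a hypothetical test hook, not a kpasswd option, and SAMPLE_TRACE is constructed from lines quoted in this thread.

```python
"""Drive kpasswd non-interactively and read its KRB5_TRACE output back.

Added example for this thread, not code from the original post or from
FreeIPA. Assumes MIT krb5's kpasswd is on PATH and reads its prompts from
stdin, as the trace in the thread shows. Works on Python 2.6+ and 3.
"""
import os
import re
import subprocess
import tempfile

# com_err codes seen in the thread's trace. MIT krb5 KRB5KDC_ERR_* codes
# start at -1765328384; PREAUTH_FAILED is +24, PREAUTH_REQUIRED is +25.
KDC_ERRORS = {
    -1765328359: "KDC_ERR_PREAUTH_REQUIRED: KDC asks for pre-authentication (normal first round trip)",
    -1765328360: "KDC_ERR_PREAUTH_FAILED: the *current* password sent to the KDC was wrong",
}

# padata types the KDC can offer (RFC 4120, RFC 6113, RFC 6560).
PADATA_TYPES = {
    19: "PA-ETYPE-INFO2",
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    137: "PA-FX-ERROR",
    138: "PA-ENCRYPTED-CHALLENGE",
    141: "PA-OTP-CHALLENGE",  # only offered when the KDC wants a 2FA token value
}

PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]*$")
# A trace line may be glued to the end of a kpasswd prompt when both go to
# the same stream, so search for the "[pid] timestamp:" marker anywhere.
TRACE_RE = re.compile(r"\[\d+\] \d+\.\d+: (.*)$")


def kpasswd_argv(user_login):
    """Build argv as a list. Without shlex.split, a login containing spaces
    or starting with '-' can never turn into extra kpasswd arguments."""
    if not PRINCIPAL_RE.match(user_login):
        raise ValueError("refusing suspicious principal name: %r" % (user_login,))
    return ["kpasswd", user_login]


def run_kpasswd(user_login, current_password, new_password, argv=None):
    """Answer kpasswd's three prompts on stdin; return (rc, output, trace).

    KRB5_TRACE is pointed at a private temp file instead of /dev/stdout so the
    trace cannot interleave with kpasswd's prompts and messages. 'argv' is a
    hypothetical test hook (run another program instead), not a kpasswd flag.
    """
    argv = argv or kpasswd_argv(user_login)
    answers = "%s\n%s\n%s\n" % (current_password, new_password, new_password)
    fd, trace_path = tempfile.mkstemp(prefix="krb5trace.")
    os.close(fd)
    try:
        env = dict(os.environ, KRB5_TRACE=trace_path)
        p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                             stderr=subprocess.STDOUT, env=env, universal_newlines=True)
        output, _ = p.communicate(answers)
        with open(trace_path) as f:
            trace = f.read()
    finally:
        os.unlink(trace_path)
    return p.returncode, output, trace


def summarize_trace(trace_text):
    """Pull KDC error codes and offered padata types out of a KRB5_TRACE log."""
    errors, offered = [], []
    for line in trace_text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # kpasswd prompt or other non-trace output
        msg = m.group(1)
        if msg.startswith("Received error from KDC: "):
            code = int(msg.split(":", 1)[1].strip().split("/", 1)[0])
            errors.append((code, KDC_ERRORS.get(code, "unknown com_err code")))
        elif msg.startswith("Processing preauth types: "):
            types = [int(t) for t in msg.split(":", 1)[1].split(",")]
            offered.append([PADATA_TYPES.get(t, str(t)) for t in types])
    otp_requested = any("PA-OTP-CHALLENGE" in o for o in offered)
    return {"kdc_errors": errors, "offered_padata": offered, "otp_requested": otp_requested}


# Constructed sample: lines copied from the trace in this thread, with the
# kpasswd prompt glued to the next trace line as KRB5_TRACE=/dev/stdout does.
SAMPLE_TRACE = (
    "[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional pre-authentication required\n"
    "[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137\n"
    "[47700] 1530630765.675319: Received cookie: MIT\n"
    "Password for test_user@MYREALM: [47700] 1530630765.682884: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success\n"
    "[47700] 1530630765.756321: Received error from KDC: -1765328360/Preauthentication failed\n"
    "kpasswd: Preauthentication failed getting initial ticket\n"
)

if __name__ == "__main__":
    summary = summarize_trace(SAMPLE_TRACE)
    for code, meaning in summary["kdc_errors"]:
        print("%d  %s" % (code, meaning))
    print("KDC offered an OTP challenge: %s" % summary["otp_requested"])
```

Run against the real kpasswd, a KDC_ERR_PREAUTH_FAILED after the password prompt means the value fed as the current password (the one set by ipa passwd) did not match what the KDC holds for that principal. The offered padata list in this trace (136, 19, 138, 133, 137) contains no PA-OTP-CHALLENGE (141), which is consistent with the assessment above that no 2FA token is involved and the 'otp' is simply an admin-set password that must be changed at first use.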
I will try to reproduce the problem interactively in Python.
Lune
On Wed, 04 Jul 2018, lune voo via FreeIPA-users wrote:
I will try to reproduce the problem interactively in Python.
I meant in shell, to rule out any issues outside your python code.
Lune
Le mer. 4 juil. 2018 à 07:20, Alexander Bokovoy abokovoy@redhat.com a écrit :
On ke, 04 heinä 2018, lune voo wrote:
Hello Alexander.
Thanks for the answer.
Otp stands for one time password.
In fact in order to set a password for a user, I do first a ipa passwd using ipa python library.
So, your code is equivalent to
kinit admin ipa passwd test-user kpasswd test-user
?
I.e. there is no 2FA involved and what you call 'otp' is only reflecting the fact that any non-user-initiated password change forces that user to change their password, so 'ipa passwd test-user' as admin means 'test-user' password has to be changed and becomes effectively a one time password set by admin.
Is that a correct assessment?
The otp is good normally.
Can you demonstrate things not working in a console, interactively?
And the kpasswd password should be good also except if ipa kdc dont like some special characters ?
There is no limits on what Kerberos KDC considers a 'password' as that could be a bunch of random bytes.
Lune.
Le mar. 3 juil. 2018 à 17:49, Alexander Bokovoy abokovoy@redhat.com a écrit :
On ti, 03 heinä 2018, lune voo via FreeIPA-users wrote:
Hello !
I contact you because I encounter a problem when I use kpasswd using
python
popen function. I use freeipa 3.0 and python 2.6.6.
Here is what I do in python :
input_process = otp + '\n' + password + '\n' + password
Here you provide otp (what is this? A 2FA token value?), password and password.
cmd = 'kpasswd %s' % user_login cmd_and_args = shlex.split(cmd) p = Popen(cmd_and_args, stdout=PIPE, stdin=PIPE, stderr=STDOUT) (output, error) = p.communicate(input=input_process)
Before doing that, I performed the following command in order to have
more
logs : export KRB5_TRACE=/dev/stdout
And here is what I see in the logs:
###
[47700] 1530630765.610794: Getting initial credentials for test_user@MYREALM
[47700] 1530630765.610945: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.610998: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611003: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611006: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611016: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611044: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611061: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611089: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7F39, session key aes256-cts/2559
[47700] 1530630765.611168: FAST armor key: aes256-cts/79AB
[47700] 1530630765.611179: Setting initial creds service to kadmin/changepw
[47700] 1530630765.611184: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611208: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611212: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611213: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611219: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611240: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611245: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611256: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2BFD, session key aes256-cts/2559
[47700] 1530630765.611288: FAST armor key: aes256-cts/62C4
[47700] 1530630765.611299: Encoding request body and padata into FAST request
[47700] 1530630765.611333: Sending request (1019 bytes) to MYREALM
[47700] 1530630765.611418: Resolving hostname ipamasterhostname
[47700] 1530630765.611608: Initiating TCP connection to stream ipamasterIP:88
[47700] 1530630765.611769: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.675154: Received answer from stream ipamasterIP:88
[47700] 1530630765.675208: Response was from master KDC
[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional pre-authentication required
[47700] 1530630765.675249: Decoding FAST response
[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137
[47700] 1530630765.675319: Received cookie: MIT
Password for test_user@MYREALM:
Here you are asked for a password.
[47700] 1530630765.682884: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
[47700] 1530630765.682889: Produced preauth for next request: 133, 138
[47700] 1530630765.682891: Encoding request body and padata into FAST request
[47700] 1530630765.682951: Sending request (1118 bytes) to MYREALM
[47700] 1530630765.682967: Resolving hostname ipamasterhostname
[47700] 1530630765.683098: Initiating TCP connection to stream ipamasterIP:88
[47700] 1530630765.683180: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.756232: Received answer from stream ipamasterIP:88
[47700] 1530630765.756302: Response was from master KDC
[47700] 1530630765.756321: Received error from KDC: -1765328360/Preauthentication failed
[47700] 1530630765.756325: Decoding FAST response
[47700] 1530630765.756376: Preauth tryagain input types: 136, 19, 138, 133, 137
kpasswd: Preauthentication failed getting initial ticket
And your password (what kpasswd uses as a password) is incorrect (to what KDC considers you have as a password).
) ###
I don't understand yet why the kpasswd command is failing.
My admin ticket is good. My ticket cache is used only by me.
Could you help me understand what is going on, please?
Try first to get this working interactively.
Is there a way to use the ipa Python library to perform a kpasswd instead of running the kpasswd command via Popen?
Best regards.
Lune
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
Hello Alexander.
I tried to reproduce the error with the standard commands ipa passwd and kpasswd in a shell. I was not able to reproduce the problem (even by using the same passwords).
I also performed another test in Python. I added a loop to retry the kpasswd if it fails with this kind of error. If the kpasswd fails with this error, I also added an ipa user-unlock to prevent the user from being locked. For the ipa user-unlock, I also use the ipa Python library. It works at the fourth iteration, but the first three times it fails with the error I mentioned before.
Here are the logs I wrote about that (don't worry about the credentials; this is a test user that I removed just after my command):
###
2018-07-03 17:12:36,235;INFO;BEGIN
2018-07-03 17:12:36,235;INFO;Creating user login test_user
2018-07-03 17:12:36,235;INFO;Creating IPA account...
2018-07-03 17:12:45,127;INFO;Generating and setting password for the login test_user...
2018-07-03 17:12:45,276;INFO;ipa passwd for user test_user has ended with the following summary : Changed password for "test_user@MYREALM"
2018-07-03 17:12:45,280;INFO;login = test_user, one_time_password = Kk)4YIRq, password = fJ6f4%(5
2018-07-03 17:12:45,503;INFO;1st kpasswd try
2018-07-03 17:12:45,503;INFO;kpasswd stdout :
[47695] 1530630765.283620: Getting initial credentials for test_user@MYREALM
[47695] 1530630765.283766: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47695] 1530630765.283812: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.283818: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47695] 1530630765.283821: Using FAST due to armor ccache negotiation result
[47695] 1530630765.283831: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47695] 1530630765.283862: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.283882: Armor ccache sesion key: aes256-cts/2559
[47695] 1530630765.283914: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2FB3, session key aes256-cts/2559
[47695] 1530630765.284000: FAST armor key: aes256-cts/552F
[47695] 1530630765.284013: Setting initial creds service to kadmin/changepw
[47695] 1530630765.284018: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47695] 1530630765.284043: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.284046: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47695] 1530630765.284048: Using FAST due to armor ccache negotiation result
[47695] 1530630765.284055: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47695] 1530630765.284076: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.284082: Armor ccache sesion key: aes256-cts/2559
[47695] 1530630765.284094: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7296, session key aes256-cts/2559
[47695] 1530630765.284126: FAST armor key: aes256-cts/1070
[47695] 1530630765.284139: Encoding request body and padata into FAST request
[47695] 1530630765.284176: Sending request (1019 bytes) to MYREALM
[47695] 1530630765.284263: Resolving hostname ipamasterhostname
[47695] 1530630765.284544: Initiating TCP connection to stream ipamasterIP:88
[47695] 1530630765.284711: Sending TCP request to stream ipamasterIP:88
[47695] 1530630765.468306: Received answer from stream ipamasterIP:88
[47695] 1530630765.468362: Response was from master KDC
[47695] 1530630765.468390: Received error from KDC: -1765328359/Additional pre-authentication required
[47695] 1530630765.468402: Decoding FAST response
[47695] 1530630765.468470: Processing preauth types: 136, 19, 138, 133, 137
[47695] 1530630765.468478: Received cookie: MIT
Password for test_user@MYREALM:
[47695] 1530630765.476399: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
[47695] 1530630765.476404: Produced preauth for next request: 133, 138
[47695] 1530630765.476407: Encoding request body and padata into FAST request
[47695] 1530630765.476470: Sending request (1118 bytes) to MYREALM
[47695] 1530630765.476489: Resolving hostname ipamasterhostname
[47695] 1530630765.476657: Initiating TCP connection to stream ipamasterIP:88
[47695] 1530630765.476763: Sending TCP request to stream ipamasterIP:88
[47695] 1530630765.503131: Received answer from stream ipamasterIP:88
[47695] 1530630765.503185: Response was from master KDC
[47695] 1530630765.503212: Received error from KDC: -1765328360/Preauthentication failed
[47695] 1530630765.503216: Decoding FAST response
[47695] 1530630765.503265: Preauth tryagain input types: 136, 19, 138, 133, 137
kpasswd: Preauthentication failed getting initial ticket
)
2018-07-03 17:12:45,504;INFO;sortie err cmd : None)
2018-07-03 17:12:45,607;INFO;Action 'user-unlock' for user test_user ended with the following summary : Unlocked account " test_user"
2018-07-03 17:12:45,608;INFO;login = test_user, one_time_password = Kk)4YIRq, password = fJ6f4%(5
2018-07-03 17:12:45,503;INFO;2nd kpasswd try
2018-07-03 17:12:45,756;INFO;kpasswd stdout :
[47700] 1530630765.610794: Getting initial credentials for test_user@MYREALM
[47700] 1530630765.610945: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.610998: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611003: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611006: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611016: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611044: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611061: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611089: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7F39, session key aes256-cts/2559
[47700] 1530630765.611168: FAST armor key: aes256-cts/79AB
[47700] 1530630765.611179: Setting initial creds service to kadmin/changepw
[47700] 1530630765.611184: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611208: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611212: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47700] 1530630765.611213: Using FAST due to armor ccache negotiation result
[47700] 1530630765.611219: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47700] 1530630765.611240: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47700] 1530630765.611245: Armor ccache sesion key: aes256-cts/2559
[47700] 1530630765.611256: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2BFD, session key aes256-cts/2559
[47700] 1530630765.611288: FAST armor key: aes256-cts/62C4
[47700] 1530630765.611299: Encoding request body and padata into FAST request
[47700] 1530630765.611333: Sending request (1019 bytes) to MYREALM
[47700] 1530630765.611418: Resolving hostname ipamasterhostname
[47700] 1530630765.611608: Initiating TCP connection to stream ipamasterIP:88
[47700] 1530630765.611769: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.675154: Received answer from stream ipamasterIP:88
[47700] 1530630765.675208: Response was from master KDC
[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional pre-authentication required
[47700] 1530630765.675249: Decoding FAST response
[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133, 137
[47700] 1530630765.675319: Received cookie: MIT
Password for test_user@MYREALM:
[47700] 1530630765.682884: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
[47700] 1530630765.682889: Produced preauth for next request: 133, 138
[47700] 1530630765.682891: Encoding request body and padata into FAST request
[47700] 1530630765.682951: Sending request (1118 bytes) to MYREALM
[47700] 1530630765.682967: Resolving hostname ipamasterhostname
[47700] 1530630765.683098: Initiating TCP connection to stream ipamasterIP:88
[47700] 1530630765.683180: Sending TCP request to stream ipamasterIP:88
[47700] 1530630765.756232: Received answer from stream ipamasterIP:88
[47700] 1530630765.756302: Response was from master KDC
[47700] 1530630765.756321: Received error from KDC: -1765328360/Preauthentication failed
[47700] 1530630765.756325: Decoding FAST response
[47700] 1530630765.756376: Preauth tryagain input types: 136, 19, 138, 133, 137
kpasswd: Preauthentication failed getting initial ticket
)
2018-07-03 17:12:45,757;INFO;sortie err cmd : None)
2018-07-03 17:12:45,863;INFO;login = test_user, one_time_password = Kk)4YIRq, password = fJ6f4%(5
2018-07-03 17:12:45,503;INFO;3rd kpasswd try
2018-07-03 17:12:45,963;INFO;kpasswd stdout :
[47711] 1530630765.866915: Getting initial credentials for test_user@MYREALM
[47711] 1530630765.867035: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47711] 1530630765.867075: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47711] 1530630765.867081: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47711] 1530630765.867083: Using FAST due to armor ccache negotiation result
[47711] 1530630765.867093: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47711] 1530630765.867123: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47711] 1530630765.867144: Armor ccache sesion key: aes256-cts/2559
[47711] 1530630765.867171: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/AD04, session key aes256-cts/2559
[47711] 1530630765.867244: FAST armor key: aes256-cts/D781
[47711] 1530630765.867255: Setting initial creds service to kadmin/changepw
[47711] 1530630765.867260: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47711] 1530630765.867286: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47711] 1530630765.867289: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47711] 1530630765.867291: Using FAST due to armor ccache negotiation result
[47711] 1530630765.867298: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47711] 1530630765.867320: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47711] 1530630765.867326: Armor ccache sesion key: aes256-cts/2559
[47711] 1530630765.867337: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/5503, session key aes256-cts/2559
[47711] 1530630765.867368: FAST armor key: aes256-cts/6759
[47711] 1530630765.867379: Encoding request body and padata into FAST request
[47711] 1530630765.867413: Sending request (1019 bytes) to MYREALM
[47711] 1530630765.867490: Resolving hostname ipamasterhostname
[47711] 1530630765.867714: Initiating TCP connection to stream ipamasterIP:88
[47711] 1530630765.867854: Sending TCP request to stream ipamasterIP:88
[47711] 1530630765.895839: Received answer from stream ipamasterIP:88
[47711] 1530630765.895877: Response was from master KDC
[47711] 1530630765.895920: Received error from KDC: -1765328359/Additional pre-authentication required
[47711] 1530630765.895944: Decoding FAST response
[47711] 1530630765.896007: Processing preauth types: 136, 19, 138, 133, 137
[47711] 1530630765.896016: Received cookie: MIT
Password for test_user@MYREALM:
[47711] 1530630765.903391: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
[47711] 1530630765.903395: Produced preauth for next request: 133, 138
[47711] 1530630765.903397: Encoding request body and padata into FAST request
[47711] 1530630765.903444: Sending request (1118 bytes) to MYREALM
[47711] 1530630765.903458: Resolving hostname ipamasterhostname
[47711] 1530630765.903578: Initiating TCP connection to stream ipamasterIP:88
[47711] 1530630765.903702: Sending TCP request to stream ipamasterIP:88
[47711] 1530630765.963169: Received answer from stream ipamasterIP:88
[47711] 1530630765.963218: Response was from master KDC
[47711] 1530630765.963230: Received error from KDC: -1765328360/Preauthentication failed
[47711] 1530630765.963234: Decoding FAST response
[47711] 1530630765.963268: Preauth tryagain input types: 136, 19, 138, 133, 137
kpasswd: Preauthentication failed getting initial ticket
)
2018-07-03 17:12:45,964;INFO;sortie err cmd : None)
2018-07-03 17:12:46,072;INFO;Action 'user-unlock' for user test_user ended with the following summary : Unlocked account " test_user"
2018-07-03 17:12:46,072;INFO;login = test_user, one_time_password = Kk)4YIRq, password = fJ6f4%(5
2018-07-03 17:12:45,503;INFO;4th kpasswd try
2018-07-03 17:12:46,294;INFO;kpasswd stdout :
[47717] 1530630766.75265: Getting initial credentials for test_user@MYREALM
[47717] 1530630766.75375: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47717] 1530630766.75413: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47717] 1530630766.75418: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47717] 1530630766.75420: Using FAST due to armor ccache negotiation result
[47717] 1530630766.75430: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47717] 1530630766.75456: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47717] 1530630766.75471: Armor ccache sesion key: aes256-cts/2559
[47717] 1530630766.75497: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/0E9B, session key aes256-cts/2559
[47717] 1530630766.75567: FAST armor key: aes256-cts/99B6
[47717] 1530630766.75578: Setting initial creds service to kadmin/changepw
[47717] 1530630766.75582: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47717] 1530630766.75606: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47717] 1530630766.75610: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47717] 1530630766.75611: Using FAST due to armor ccache negotiation result
[47717] 1530630766.75617: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47717] 1530630766.75641: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47717] 1530630766.75647: Armor ccache sesion key: aes256-cts/2559
[47717] 1530630766.75672: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/CC46, session key aes256-cts/2559
[47717] 1530630766.75706: FAST armor key: aes256-cts/CC9E
[47717] 1530630766.75717: Encoding request body and padata into FAST request
[47717] 1530630766.75753: Sending request (1019 bytes) to MYREALM
[47717] 1530630766.75829: Resolving hostname ipamasterhostname
[47717] 1530630766.75968: Initiating TCP connection to stream ipamasterIP:88
[47717] 1530630766.76081: Sending TCP request to stream ipamasterIP:88
[47717] 1530630766.131982: Received answer from stream ipamasterIP:88
[47717] 1530630766.132069: Response was from master KDC
[47717] 1530630766.132108: Received error from KDC: -1765328359/Additional pre-authentication required
[47717] 1530630766.132120: Decoding FAST response
[47717] 1530630766.132198: Processing preauth types: 136, 19, 138, 133, 137
[47717] 1530630766.132209: Selected etype info: etype aes256-cts, salt ")(DFnJ,r6Rx!Y#'D", params ""
[47717] 1530630766.132212: Received cookie: MIT
Password for test_user@MYREALM:
[47717] 1530630766.139327: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
[47717] 1530630766.139330: Produced preauth for next request: 133, 138
[47717] 1530630766.139333: Encoding request body and padata into FAST request
[47717] 1530630766.139384: Sending request (1118 bytes) to MYREALM
[47717] 1530630766.139396: Resolving hostname ipamasterhostname
[47717] 1530630766.139522: Initiating TCP connection to stream ipamasterIP:88
[47717] 1530630766.139645: Sending TCP request to stream ipamasterIP:88
[47717] 1530630766.211079: Received answer from stream ipamasterIP:88
[47717] 1530630766.211157: Response was from master KDC
[47717] 1530630766.211190: Decoding FAST response
[47717] 1530630766.211299: Processing preauth types: 19, 138
[47717] 1530630766.211310: Selected etype info: etype aes256-cts, salt ")(DFnJ,r6Rx!Y#'D", params ""
[47717] 1530630766.211380: Preauth module encrypted_challenge (138) (flags=1) returned: 0/Success
[47717] 1530630766.211396: Produced preauth for next request: (empty)
[47717] 1530630766.211400: AS key determined by preauth: aes256-cts/23C9
[47717] 1530630766.211412: FAST reply key: aes256-cts/9E0D
[47717] 1530630766.211432: Decrypted AS reply; session key is: aes256-cts/2BAA
[47717] 1530630766.211443: FAST negotiation: available
Enter new password: Enter it again:
[47717] 1530630766.211515: Creating authenticator for test_user@MYREALM -> kadmin/changepw@MYREALM, seqnum 0, subkey aes256-cts/BC7C, session key aes256-cts/2BAA
[47717] 1530630766.211555: Resolving hostname ipamasterhostname
[47717] 1530630766.211748: Sending initial UDP request to dgram ipamasterIP:464
[47717] 1530630766.293996: Received answer from dgram ipamasterIP:464
[47717] 1530630766.294064: Read AP-REP, time 1530630766.211518, subkey aes256-cts/BC7C, seqnum 202122897
Password changed.
)
2018-07-03 17:12:46,294;INFO;sortie err cmd : None)
2018-07-03 17:12:46,294;INFO;END
###
What do you think about this, please?
BR.
Lune
2018-07-04 7:55 GMT+02:00 Alexander Bokovoy abokovoy@redhat.com:
On Wed, 04 Jul 2018, lune voo via FreeIPA-users wrote:
I will try to reproduce the problem interactively in python.
I meant in shell, to rule out any issues outside your python code.
Lune
On Wed, 4 Jul 2018 at 07:20, Alexander Bokovoy abokovoy@redhat.com wrote:
On Wed, 04 Jul 2018, lune voo wrote:
Hello Alexander.
Thanks for the answer.
Otp stands for one time password.
In fact, in order to set a password for a user, I first do an ipa passwd using the ipa Python library.
So, your code is equivalent to
kinit admin
ipa passwd test-user
kpasswd test-user
?
I.e. there is no 2FA involved and what you call 'otp' is only reflecting the fact that any non-user-initiated password change forces that user to change their password, so 'ipa passwd test-user' as admin means 'test-user' password has to be changed and becomes effectively a one time password set by admin.
Is that a correct assessment?
The otp is good normally.
Can you demonstrate things not working in a console, interactively?
And the kpasswd password should be good also, except if the IPA KDC doesn't like some special characters?
There are no limits on what the Kerberos KDC considers a 'password', as that could be a bunch of random bytes.
Lune.
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/3RC6MOLZNN2QIOXPZ6SMHPT53KDXEGAO/
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
On Wed, 04 Jul 2018, lune voo via FreeIPA-users wrote:
Hello Alexander.
I tried to reproduce the error with the standard commands ipa passwd and kpasswd in a shell. I was not able to reproduce the problem (even by using the same passwords).
I also performed another test in Python. I added a loop to retry the kpasswd if it fails with this kind of error. If the kpasswd fails with this error, I also added an ipa user-unlock to prevent the user from being locked. For the ipa user-unlock, I also use the ipa Python library. It works at the fourth iteration, but the first three times it fails with the error I mentioned before.
Here are the logs I wrote about that (don't worry about the credentials; this is a test user that I removed just after my command):
###
2018-07-03 17:12:36,235;INFO;BEGIN
2018-07-03 17:12:36,235;INFO;Creating user login test_user
2018-07-03 17:12:36,235;INFO;Creating IPA account...
2018-07-03 17:12:45,127;INFO;Generating and setting password for the login test_user...
2018-07-03 17:12:45,276;INFO;ipa passwd for user test_user has ended with the following summary : Changed password for "test_user@MYREALM"
2018-07-03 17:12:45,280;INFO;login = test_user, one_time_password = Kk)4YIRq, password = fJ6f4%(5
2018-07-03 17:12:45,503;INFO;1st kpasswd try
2018-07-03 17:12:45,503;INFO;kpasswd stdout :
[47695] 1530630765.283620: Getting initial credentials for test_user@MYREALM
[47695] 1530630765.283766: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47695] 1530630765.283812: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.283818: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47695] 1530630765.283821: Using FAST due to armor ccache negotiation result
[47695] 1530630765.283831: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47695] 1530630765.283862: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.283882: Armor ccache sesion key: aes256-cts/2559
[47695] 1530630765.283914: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2FB3, session key aes256-cts/2559
[47695] 1530630765.284000: FAST armor key: aes256-cts/552F
[47695] 1530630765.284013: Setting initial creds service to kadmin/changepw
[47695] 1530630765.284018: FAST armor ccache: FILE:/tmp/krb5cc_testuser
[47695] 1530630765.284043: Retrieving admin@MYREALM -> krb5_ccache_conf_data/fast_avail/krbtgt/MYREALM@MYREALM@X-CACHECONF: from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.284046: Read config in FILE:/tmp/krb5cc_testuser for krbtgt/MYREALM@MYREALM: fast_avail: yes
[47695] 1530630765.284048: Using FAST due to armor ccache negotiation result
[47695] 1530630765.284055: Getting credentials admin@MYREALM -> krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
[47695] 1530630765.284076: Retrieving admin@MYREALM -> krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result: 0/Success
[47695] 1530630765.284082: Armor ccache sesion key: aes256-cts/2559
[47695] 1530630765.284094: Creating authenticator for admin@MYREALM -> krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7296, session key aes256-cts/2559
[47695] 1530630765.284126: FAST armor key: aes256-cts/1070
[47695] 1530630765.284139: Encoding request body and padata into FAST request
[47695] 1530630765.284176: Sending request (1019 bytes) to MYREALM
[47695] 1530630765.284263: Resolving hostname ipamasterhostname
[47695] 1530630765.284544: Initiating TCP connection to stream ipamasterIP:88
How is this client finding a KDC? Is it resolving via DNS SRV records? Or is it forcibly configured to only talk to a single master?
If you have multiple masters and you are talking to a different master after a password change done on some master, chances are that the other master doesn't yet have the change propagated.
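Which KDC each attempt reached, and whether the same KDC changed its answer between attempts, can be read straight out of the KRB5_TRACE output in this thread. The following is an added example (not code from the thread, written for Python 3): it groups trace lines by kpasswd pid, extracts the port-88 endpoint each run contacted, the KDC error codes, whether the KDC returned etype-info (the "Selected etype info" line that appears only in the successful fourth try above) and whether kpasswd printed "Password changed."; the sample trace is constructed and abbreviated, and the host names ipamaster1/ipamaster2 are assumptions.

```python
import re

# Line shapes from MIT krb5 KRB5_TRACE output (as quoted in the thread).
TRACE_RE = re.compile(r'^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$')
SEND_RE = re.compile(r'^Sending (?:TCP|initial UDP) request to (?:stream|dgram) '
                     r'(?P<kdc>[^:\s]+):(?P<port>\d+)$')
ERR_RE = re.compile(r'^Received error from KDC: (?P<code>-?\d+)/(?P<text>.*)$')
ETYPE_RE = re.compile(r'^Selected etype info: etype (?P<etype>\S+), salt ')

KRB5KDC_ERR_PREAUTH_FAILED = -1765328360  # code seen in the thread's failed runs


def parse_trace(text):
    """Group trace lines by pid (one kpasswd run each) and record, per run, the
    KDC endpoints contacted, KDC error codes, whether etype-info was returned,
    whether the AS reply was decrypted and whether kpasswd printed success."""
    runs = {}
    pid = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TRACE_RE.match(line)
        if m is None:
            # Non-trace output of the same kpasswd run (prompts, final status).
            if pid is not None and line == 'Password changed.':
                runs[pid]['changed'] = True
            continue
        pid, msg = m.group('pid'), m.group('msg')
        run = runs.setdefault(pid, {'kdcs': [], 'errors': [], 'etype_info': False,
                                    'as_reply': False, 'changed': False})
        s = SEND_RE.match(msg)
        e = ERR_RE.match(msg)
        if s:
            run['kdcs'].append('%s:%s' % (s.group('kdc'), s.group('port')))
        elif e:
            run['errors'].append((int(e.group('code')), e.group('text')))
        elif ETYPE_RE.match(msg):
            run['etype_info'] = True
        elif msg.startswith('Decrypted AS reply'):
            run['as_reply'] = True
    return runs


def diagnose(runs):
    """Per-run verdicts (pid, state, etype_info_seen, AS-exchange KDCs) plus a
    thread-level hint about where to look next."""
    verdicts = []
    for pid, run in runs.items():
        if run['changed']:
            state = 'changed'
        elif run['errors'] and run['errors'][-1][0] == KRB5KDC_ERR_PREAUTH_FAILED:
            state = 'preauth-failed'
        else:
            state = 'other'
        as_kdcs = sorted({k for k in run['kdcs'] if k.endswith(':88')})
        verdicts.append((pid, state, run['etype_info'], as_kdcs))
    kdcs_seen = {k for v in verdicts for k in v[3]}
    states = [v[1] for v in verdicts]
    if 'preauth-failed' in states and 'changed' in states:
        if len(kdcs_seen) > 1:
            hint = 'retries reached different KDCs; check replication between masters'
        else:
            hint = ('same KDC rejected then accepted the same password; check whether '
                    'the password set through the IPA API had replicated to this KDC')
    elif 'preauth-failed' in states:
        hint = 'every attempt was rejected by the KDC'
    else:
        hint = 'no preauth failures'
    return verdicts, hint


def sample_run(pid, kdc, success):
    """Constructed, abbreviated trace for one kpasswd run shaped like the thread's."""
    lines = ['[%d] 1.0: Getting initial credentials for test_user@MYREALM' % pid,
             '[%d] 1.1: Sending TCP request to stream %s:88' % (pid, kdc),
             '[%d] 1.2: Received error from KDC: -1765328359/Additional pre-authentication required' % pid,
             '[%d] 1.3: Processing preauth types: 136, 19, 138, 133, 137' % pid]
    if success:
        lines.append('[%d] 1.4: Selected etype info: etype aes256-cts, salt "X", params ""' % pid)
    lines.append('[%d] 1.5: Sending TCP request to stream %s:88' % (pid, kdc))
    if success:
        lines += ['[%d] 1.6: Decrypted AS reply; session key is: aes256-cts/0000' % pid,
                  '[%d] 1.7: Sending initial UDP request to dgram %s:464' % (pid, kdc),
                  'Password changed.']
    else:
        lines += ['[%d] 1.6: Received error from KDC: -1765328360/Preauthentication failed' % pid,
                  'kpasswd: Preauthentication failed getting initial ticket']
    return '\n'.join(lines)


# Three failures then success against one KDC (the thread's pattern), and the
# variant where the successful retry reached a second KDC (assumed host names).
SAME_KDC = '\n'.join(sample_run(p, 'ipamaster1', ok) for p, ok in
                     ((47695, False), (47700, False), (47711, False), (47717, True)))
SPLIT_KDC = '\n'.join([sample_run(47695, 'ipamaster1', False),
                       sample_run(47717, 'ipamaster2', True)])

if __name__ == '__main__':
    for name, text in (('same KDC', SAME_KDC), ('split KDC', SPLIT_KDC)):
        verdicts, hint = diagnose(parse_trace(text))
        print(name)
        for pid, state, etype, kdcs in verdicts:
            print('  pid %s: %s, etype-info seen: %s, KDCs: %s' % (pid, state, etype, ', '.join(kdcs)))
        print('  hint: ' + hint)
```

The trace only shows the KDC side; the server that handled the ipa passwd API call is not in it, so a "same KDC" result still leaves the API-server-to-KDC replication path to check.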