On Wed, 11 Dec 2024, Fiodor Cibulin via FreeIPA-users wrote:
> Hi all. I would like your help to fix the following issue.
> What we need: we configured a freeradius server to use it as the
> authentication method for FreeIPA users. When we use the password option
> (I mean the password configured in the IPA server itself) everything works. If
> we change the authentication method to RADIUS we have the following problems. The user
> password on the IPA client is not cached. So if users go home with a laptop and
> have no access to the IPA server, they can't log in to their Ubuntu.
> Behavior on the IPA server:
> User with local password
> # kinit local-user
> Password for local-u...@our.domain.com:
> It works
> krb5kdc.log
> Dec 11 17:57:23 our.domain.com krb5kdc[1571](info): AS_REQ (4 etypes
> {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.41.100.15:
> NEEDED_PREAUTH: local-u...@our.domain.com for
> krbtgt/our.domain....@our.domain.com, Additional pre-authentication required
> Dec 11 17:57:23 our.domain.com krb5kdc[1571](info): closing down fd 11
> Rows below after entering the password
> Dec 11 17:58:17 our.domain.com krb5kdc[1571](info): AS_REQ (4 etypes
> {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.41.100.15: ISSUE:
> authtime 1733932697, etypes {rep=aes256-cts-hmac-sha384-192(20),
> tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)},
> local-u...@our.domain.com for krbtgt/our.domain....@our.domain.com
> Dec 11 17:58:17 our.domain.com krb5kdc[1571](info): closing down fd 11
> RADIUS user
> # kinit radius-user
> kinit: Pre-authentication failed: Invalid argument while getting initial
> credentials
This is correct and expected. Have you tried to read the documentation?
'otp' and 'radius' preauthentication methods in MIT Kerberos require use
of FAST channel to encrypt communication between the client and the KDC.
This means you need to use some pre-existing Kerberos credentials to
secure this communication. Typically, we use machine account credentials
or an anonymous PKINIT credential. Machine account creds aren't
accessible for an unprivileged user, while anonymous PKINIT creds are
possible to obtain as an unprivileged user.
The following section in RHEL IdM documentation explains it all in
detail:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/accessing_identity_management_services/logging-in-to-the-ipa-web-ui-using-one-time-passwords_accessing-idm-services#retrieving-an-idm-ticket-granting-ticket-as-an-otp-or-radius-user_logging-in-to-ipa-in-the-web-ui-using-a-password
> So the ticket is not created
> krb5kdc.log
> Dec 11 18:04:26 our.domain.com krb5kdc[1571](info): AS_REQ (4 etypes
> {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.41.100.15:
> NEEDED_PREAUTH: radius-u...@our.domain.com for
> krbtgt/our.domain....@our.domain.com, Additional pre-authentication required
> Dec 11 18:04:26 our.domain.com krb5kdc[1571](info): closing down fd 11
> Additional strange behaviour. If I try to log in to the IPA server via ssh
> with a local user it asks me for a password. If I try to log in to the IPA server
> with a RADIUS user it asks me for a first factor and a second factor. It accepts
> the password for the first factor and an empty 2nd factor, and lets me
> log in.
If your user has both authentication types 'password' and 'radius' or
'otp' set, then both a password-only and a password+value are accepted.
'radius' method simply passes over the whole string to RADIUS server for
performing an authentication, IPA does not handle that.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
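The FAST armor procedure Alexander describes above, as an added example in POSIX shell (not code from the thread or from FreeIPA itself): anonymous PKINIT credentials are obtained first and then used as armor for the RADIUS user's kinit. It assumes MIT Kerberos kinit/klist/kdestroy on an enrolled IPA client with the realm in /etc/krb5.conf, anonymous PKINIT enabled on the server, and the armor cache path shown is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: get a TGT for a RADIUS/OTP-enabled
# IPA user by first obtaining anonymous PKINIT credentials and using them
# as FAST armor. Assumes MIT Kerberos kinit/klist/kdestroy on an enrolled
# client and that anonymous PKINIT is enabled on the IPA server.

# Obtain anonymous PKINIT credentials into a private cache. No user
# secret is involved: only the KDC's certificate is verified, so an
# unprivileged user can do this (unlike using the host keytab).
get_armor_ccache() {
    kinit -n -c "$1"
}

# Authenticate a RADIUS/OTP user over a FAST channel armored with the
# anonymous credentials above. The password (plus RADIUS/OTP value) typed
# at the prompt travels inside the FAST tunnel to the KDC.
fast_kinit() {
    principal="$1"
    # Placeholder per-user armor cache path; override with the 2nd argument.
    armor="${2:-${TMPDIR:-/tmp}/armor.$(id -u).ccache}"
    if [ -z "$principal" ]; then
        echo "usage: fast_kinit user@REALM [armor-ccache]" >&2
        return 1
    fi
    # Without armor the otp/radius preauth cannot proceed, which is the
    # 'Pre-authentication failed: Invalid argument' seen in the thread.
    get_armor_ccache "$armor" || return 2
    if kinit -T "$armor" "$principal"; then rc=0; else rc=$?; fi
    kdestroy -c "$armor" 2>/dev/null   # armor cache is no longer needed
    return $rc
}

# Verify: the default cache should now hold the RADIUS user's TGT.
has_tgt_for() {
    klist 2>/dev/null | grep -q "Default principal: $1"
}
```

On the client, run `fast_kinit radius-user@REALM` and then `has_tgt_for radius-user@REALM` to confirm the ticket was issued.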
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org