On Wed, Jun 22, 2016 at 11:54:10AM -0400, Geordie Grindle wrote:
>
> Hello,
>
> On our current IPA realm where we have not used 2-factor, we've been able to
> kinit to our FreeIPA realm from our laptops. All a Mac user needed to do,
> for example, was to configure a 'krb5.conf' file and then 'kinit
> [email protected]'. This would allow us to work on our infrastructure
> without having to re-authenticate for the lifetime of our
> ticket-granting-ticket, usually the length of a work day.
>
> We are building a new realm using 'ipa-server-4.2.0-15' and will be requiring
> 2-factor for authentication. So far it works well, meaning we can ssh to a
> jump host enrolled in our realm and from there move to other hosts in the
> realm without having to re-authenticate.
>
> However, we can no longer 'kinit'. I've dug around in the webs and have
> concluded that either this is a known issue that is not yet fixed, or perhaps
> someone has fixed it but not yet shared how they got this to work.
This is expected behaviour. See http://www.freeipa.org/page/V4/OTP for
details, especially http://www.freeipa.org/page/V4/OTP#kinit_Method.

Unfortunately, in general you do not have a second ccache which can be used
to get the needed armor ticket for FAST. There is ongoing work on SPAKE
(http://k5wiki.kerberos.org/wiki/Projects/SPAKE_preauth_prereqs) and also
anonymous pkinit on the IPA side to lift the requirement, but currently FAST
and a second ccache are needed for OTP.

HTH

bye,
Sumit

>
> How is this impacting anyone else? Does anyone have any helpful information
> they can share?
>
> thanks,
> Geordie Grindle
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
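An added example of the FAST armor workflow the reply refers to (not part of this thread and not the FreeIPA project's own code): on a host that is enrolled in the realm, the host keytab supplies the second ccache that acts as armor, and `kinit -T` then runs the OTP exchange inside a FAST tunnel. It assumes MIT krb5 `kinit`/`klist`, an `/etc/krb5.keytab` readable by the caller (normally root), and the ccache path convention and host-principal helper below, which are constructed for this example; an unenrolled laptop, as in the original question, has no such keytab, which is why plain `kinit` fails there.

```shell
#!/bin/sh
# Added example: OTP kinit armored with a TGT taken from the host keytab.
# Assumes MIT krb5 kinit/klist and an IPA-enrolled host whose host
# principal is in /etc/krb5.keytab (readable by the caller).

# Per-uid path for the armor ccache (constructed convention, not an IPA
# default); keep it separate from the default ccache the user TGT lands in.
armor_ccache_path() {
    printf '/tmp/krb5cc_armor_%s\n' "$1"
}

# Host principal for this machine, e.g. host/client.example.test@EXAMPLE.TEST
host_principal() {
    printf 'host/%s@%s\n' "$1" "$2"
}

# Obtain, or reuse, the armor TGT from the keytab.
# klist -s exits 0 only when the ccache holds an unexpired TGT.
ensure_armor() {
    armor="$1"; princ="$2"; keytab="${3:-/etc/krb5.keytab}"
    if klist -s -c "$armor" 2>/dev/null; then
        return 0
    fi
    kinit -k -t "$keytab" -c "$armor" "$princ"
}

# kinit for an OTP-enabled user: -T names the armor ccache so the
# pre-authentication exchange runs inside FAST; kinit then prompts for
# password+OTP and writes the user TGT to the default ccache.
otp_kinit() {
    user="$1"; armor="$2"
    kinit -T "$armor" "$user"
}

# Only act when invoked as: otp_kinit.sh USER REALM
if [ "$#" -ge 2 ]; then
    armor=$(armor_ccache_path "$(id -u)")
    ensure_armor "$armor" "$(host_principal "$(hostname -f)" "$2")"
    otp_kinit "$1@$2" "$armor"
    klist
fi
```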
