On Thu, Dec 15, 2016 at 06:50:53PM +0000, Mark Steele wrote:
> Still no luck.
>
> klist
> Credentials cache: API:4FE16A36-A5AB-476F-8B49-4B427E816279
> Principal: [email protected]
>
> Issued Expires Principal
> Dec 15 13:45:09 2016 Dec 16 13:45:07 2016 krbtgt/[email protected]
>
> KRB5_TRACE=/dev/stdout kinit --fast-armor-cache=API:4FE16A36-A5AB-476F-8B49-4B427E816279 [email protected]
> 2016-12-15T13:35:35 set-error: -1765328242: Reached end of credential caches
> 2016-12-15T13:35:35 set-error: -1765328243: Principal [email protected] not found in any credential cache
> [email protected]'s password:
> 2016-12-15T13:35:50 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
> 2016-12-15T13:35:50 Adding PA mech: SRP
> 2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_CHALLENGE
> 2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_TIMESTAMP
> 2016-12-15T13:35:50 krb5_get_init_creds: loop 1
> 2016-12-15T13:35:50 KDC sent 0 patypes
> 2016-12-15T13:35:50 Trying to find service kdc for realm INT.DOMAIN.COM flags 0
> 2016-12-15T13:35:50 configuration file for realm INT.DOMAIN.COM found
> 2016-12-15T13:35:50 submissing new requests to new host
> 2016-12-15T13:35:50 connecting to host: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:35:50 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:35:51 Configuration exists for realm INT.DOMAIN.COM, wont go to DNS
> 2016-12-15T13:35:51 out of hosts, waiting for replies
> 2016-12-15T13:36:01 retrying sending to: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:36:01 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:36:12 retrying sending to: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:36:12 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:36:23 host timed out: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001

Your client does not fall back to TCP. It is at least recommended to use TCP with OTP (see https://fedorahosted.org/freeipa/ticket/4725). IIRC with Heimdal you can use

    kdc = tcp/ds01.int.domain.com:88

to force the client to use TCP.

HTH

bye,
Sumit

> 2016-12-15T13:36:23 no more hosts to send/recv packets to/from trying to pulling more hosts
> 2016-12-15T13:36:23 set-error: -1765328228: unable to reach any KDC in realm INT.DOMAIN.COM, tried 1 KDC
> 2016-12-15T13:36:23 krb5_sendto_context INT.DOMAIN.COM done: -1765328228 hosts 1 packets 3 wc: 33.115489 nr: 0.000804 kh: 0.000915 tid: 00000001
> kinit: krb5_get_init_creds: unable to reach any KDC in realm INT.DOMAIN.COM, tried 1 KDC
>
> Mac client config (OS 10.11.1):
>
> cat /etc/krb5.conf
> [libdefaults]
> default_realm = INT.DOMAIN.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
> renewable = true
>
> [realms]
> INT.DOMAIN.COM = {
> kdc = ds01.int.domain.com:88
> master_kdc = ds01.int.domain.com:88
> admin_server = ds01.int.domain.com:749
> default_domain = int.domain.com
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .int.domain.com = INT.DOMAIN.COM
> int.domain.com = INT.DOMAIN.COM
>
> On the FreeIPA server's krb5kdc.log:
>
> krb5kdc: Realm not local to KDC - while dispatching (udp)
>
> When authenticating with a non-2FA user, it works fine.
>
> Can anyone hit me with a clue-stick?
>
> Cheers,
>
> Mark
>
>
> On 2016-12-15, 11:20 AM, "[email protected] on behalf of Alexander Bokovoy" <[email protected] on behalf of [email protected]> wrote:
>
> On Thu, 15 Dec 2016, Sumit Bose wrote:
> >On Thu, Dec 15, 2016 at 03:38:14PM +0000, Mark Steele wrote:
> >> Hi,
> >>
> >> Has anyone managed to make this work and if so, is there some documentation for doing so?
> >>
> >> I can successfully authenticate to my Linux servers using 2FA, but am unable to get my Mac to be able to get a ticket with kinit.
> >>
> >> Kinit returns: "password incorrect", and isn't prompting for the second factor. I've also tried appending the second factor to the password (like when logging into the UI).
> >>
> >> Any help would be appreciated.
> >
> >For 2FA FAST is needed: http://www.freeipa.org/page/V4/OTP#kinit_Method.
> >For MacOS I found
> >
> >https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/kinit.1.html
> >and according to this the MacOS kinit does not support FAST, i.e. using an armor credential cache. But maybe there are newer or alternative versions which support it?
> Starting with Mac OS X 10.8, Heimdal does support FAST.
>
> kinit --fast-armor-cache /path/to/ccache
>
> In the Mac OS X numbering scheme for Heimdal this is version 247.6 or later.
>
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
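A concrete form of the change Sumit suggests, written out here as an added example rather than anything posted in the thread: Mark's [realms] stanza with the kdc entry rewritten in Heimdal's [service/]host[:port] form so the client opens TCP to the KDC instead of retrying UDP until it times out. The hostname and ports are the ones from Mark's krb5.conf above; the MIT krb5 line at the end is an assumption added for readers on non-Heimdal clients, where the tcp/ prefix is not accepted and udp_preference_limit = 1 in [libdefaults] makes the library try TCP first.

```ini
[realms]
    INT.DOMAIN.COM = {
        # Was: kdc = ds01.int.domain.com:88  (Heimdal sent UDP only, then gave up)
        # Heimdal syntax: tcp/ forces TCP for the AS/TGS exchange with this KDC
        kdc = tcp/ds01.int.domain.com:88
        master_kdc = ds01.int.domain.com:88
        admin_server = ds01.int.domain.com:749
        default_domain = int.domain.com
        pkinit_anchors = FILE:/etc/ipa/ca.crt
    }

# MIT krb5 clients only (assumption, not from the thread): MIT does not parse the
# tcp/ prefix above; this setting makes it try TCP before UDP for every request.
[libdefaults]
    udp_preference_limit = 1
```

After the edit, rerun the same KRB5_TRACE=/dev/stdout kinit command from the thread: the "connecting to host:" trace line should now name tcp rather than udp, and the three "retrying sending to" lines should not appear. The FAST flow itself is unchanged from what Alexander and Mark show above: obtain an armor credential cache first (Mark's API: cache from a non-2FA principal), then run kinit --fast-armor-cache=<that cache> <2FA principal>, at which point the OTP prompt is expected instead of "password incorrect".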
