On Sun, Jan 08, 2017 at 05:02:59PM +0100, Felix Weissbeck wrote:
> Hello,
>
> I have recently reconfigured my MIT-Kerberos setup to use PKINIT / OTP and
> RADIUS for my admins. In my setup administrators have two accounts: one
> "username@REALM" for regular user-stuff like mail... and "username/admin@REALM"
> for root-logins with ssh and other administrative purposes.
> This all works just nicely and I am a huge fan.
> Users can get their tickets with a password & yubikey and then log onto the
> servers as root.
>
> But since I had to "kadmin: purgekeys -all user/admin" in order to force
> them to 2FA I can no longer use "kadmin -p user/admin" from a remote host.
>
> root@ldap:~# kadmin -p fe/admin
> Authenticating as principal fe/admin with password.
> kadmin: Invalid argument while initializing kadmin interface
>
> while my logfiles show:
> Jan 8 15:38:13 kerberos2 krb5kdc[28363]: AS_REQ xxxxxxxxx: NEEDED_PREAUTH:
> fe/ad...@w7k.de for kadmin/ad...@w7k.de, Additional pre-authentication
> required
>
> I have not changed the kadm5.acl on the kdc/kadmin so they should still be
> allowed to do this (*/admin * )
>
> I guess the problem is that the kadmin tool does not understand how to
> provide the preauth (just like kinit would without the otp module).
>
> So my question is: Did I miss anything? Is there any possibility to use kadmin
> remotely with otp/2FA? Or is this not possible at the moment and users have to
> use kadmin.local?
One thing to try would be separating getting tickets and authenticating to
kadmin, aka

    kinit -c FILE:/tmp/krb5cc_admin -S kadmin/admin -r5m -l5m user/admin
    kadmin -c FILE:/tmp/krb5cc_admin -p user/admin

That would make it more clear if it is just a failure in the kadmin client
logic.

-Ben
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
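Ben's two-step approach, written out as an added wrapper script that is not part of the thread and not MIT's own tooling: kinit obtains the kadmin/admin service ticket into a dedicated cache (so the password + OTP preauthentication happens in kinit, which has the OTP module), the script checks with klist that the cache really holds that service ticket, and only then hands the cache to kadmin. The cache path, the 5 minute lifetimes and the sample klist output are assumptions made for this example; the realm W7K.DE and principal names are taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): get a short-lived kadmin/admin service
# ticket into a dedicated credential cache, verify the cache, then run kadmin.
# The cache path, lifetimes and the constructed klist sample are assumptions.

set -eu

ADMIN_CC="${ADMIN_CC:-FILE:/tmp/krb5cc_admin}"   # dedicated cache, as in Ben's suggestion
KADMIN_SVC="kadmin/admin"

# has_kadmin_ticket: read klist output on stdin and succeed only if a ticket
# for kadmin/admin@<realm> is listed. klist prints one credential per line
# with the service principal as the last field, so only that field is checked;
# header lines and "renew until" lines never match.
has_kadmin_ticket() {
    awk -v svc="$KADMIN_SVC" '
        $NF ~ ("^" svc "@") { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# get_admin_ticket: kinit into the dedicated cache, asking directly for the
# kadmin/admin service ticket with a 5 minute lifetime. Any preauth prompt
# (password, then OTP) is handled here by kinit, not by the kadmin client.
get_admin_ticket() {
    princ="$1"
    kinit -c "$ADMIN_CC" -S "$KADMIN_SVC" -l 5m -r 5m "$princ"
}

# run_kadmin: check the cache before handing it to kadmin, so a failure in the
# kadmin client is distinguishable from a failure to obtain the ticket.
run_kadmin() {
    princ="$1"
    if ! klist -c "$ADMIN_CC" | has_kadmin_ticket; then
        echo "no $KADMIN_SVC ticket in $ADMIN_CC; the kinit step failed" >&2
        return 1
    fi
    kadmin -c "$ADMIN_CC" -p "$princ"
}

# Constructed klist output (MIT format) used to exercise the check offline;
# timestamps and cache path are made up for this example.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_admin
Default principal: fe/admin@W7K.DE

Valid starting       Expires              Service principal
01/08/2017 15:38:13  01/08/2017 15:43:13  kadmin/admin@W7K.DE
	renew until 01/08/2017 15:43:13'

# check_sample: returns 0 when the check accepts the sample and rejects a
# cache that only holds the default principal (no service ticket at all).
check_sample() {
    printf '%s\n' "$SAMPLE_KLIST" | has_kadmin_ticket || return 1
    if printf '%s\n' "Default principal: fe/admin@W7K.DE" | has_kadmin_ticket; then
        return 1
    fi
    return 0
}

# Usage (only when run directly with a principal argument):
#   ./kadmin-2fa.sh fe/admin
if [ "${1:-}" != "" ]; then
    get_admin_ticket "$1"
    run_kadmin "$1"
fi
```

If kinit succeeds but kadmin still fails with "Invalid argument", the script's check narrows the problem to the kadmin client rather than to obtaining the ticket, which is exactly what Ben's separation is meant to show.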