Ubuntu
freeipa package

krb5-otp package not being installed when ipa-server-install

Bug #1640732 reported by Diogenes
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
freeipa (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

While using Freeipa server with an external RADIUS server (which is in turn is connected to an OTP authenticator), freeipa-server fails to load the required krb5-otp module.
That's because the module is simply not there and every request send by an user using FAST/OTP will fail. This is the message on /var/log/auth:

NEEDED_PREAUTH: johndoe@REALM for krbtgt/REALM, Additional pre-authentication required

The user gets (note that he is not prompted for OTP, the request simply dies):
root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
[2872] 1478769982.447733: Resolving unique ccache of type KEYRING
[2872] 1478769982.449824: Getting initial credentials for johndoe@REALM
[2872] 1478769982.453943: FAST armor ccache: KEYRING:persistent:0:0
[2872] 1478769982.454171: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
[2872] 1478769982.454284: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
[2872] 1478769982.454396: Using FAST due to armor ccache negotiation result
[2872] 1478769982.454484: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
[2872] 1478769982.454637: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
[2872] 1478769982.454733: Armor ccache sesion key: aes256-cts/03D3
[2872] 1478769982.454836: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/8CB1, session key aes256-cts/03D3
[2872] 1478769982.455045: FAST armor key: aes256-cts/21EB
[2872] 1478769982.455147: Encoding request body and padata into FAST request
[2872] 1478769982.455272: Sending request (947 bytes) to REALM
[2872] 1478769982.455437: Resolving hostname freeipa.realm.com
[2872] 1478769982.455900: Initiating TCP connection to stream 10.80.40.243:88
[2872] 1478769982.456147: Sending TCP request to stream 10.80.40.243:88
[2872] 1478769982.464118: Received answer (488 bytes) from stream 10.80.40.243:88
[2872] 1478769982.464126: Terminating TCP connection to stream 10.80.40.243:88
[2872] 1478769982.464147: Response was from master KDC
[2872] 1478769982.464161: Received error from KDC: -1765328359/Additional pre-authentication required
[2872] 1478769982.464166: Decoding FAST response
[2872] 1478769982.464438: Processing preauth types: 136, 133, 137
[2872] 1478769982.464446: Received cookie: MIT
kinit: Generic preauthentication failure while getting initial credentials

Solution:

$ sudo apt-get install krb5-otp
$ sudo service krb5-kdc restart
$ sudo service krb5-admin-server restart

After that everything works as expected:

root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
[2924] 1478770020.592804: Resolving unique ccache of type KEYRING
[2924] 1478770020.592994: Getting initial credentials for johndoe@REALM
[2924] 1478770020.596893: FAST armor ccache: KEYRING:persistent:0:0
[2924] 1478770020.597091: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
[2924] 1478770020.597744: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
[2924] 1478770020.597822: Using FAST due to armor ccache negotiation result
[2924] 1478770020.597884: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
[2924] 1478770020.598012: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
[2924] 1478770020.598102: Armor ccache sesion key: aes256-cts/03D3
[2924] 1478770020.598199: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/E28F, session key aes256-cts/03D3
[2924] 1478770020.598381: FAST armor key: aes256-cts/8677
[2924] 1478770020.598471: Encoding request body and padata into FAST request
[2924] 1478770020.598585: Sending request (947 bytes) to REALM
[2924] 1478770020.598669: Resolving hostname freeipa.realm.com
[2924] 1478770020.599039: Initiating TCP connection to stream 10.80.40.243:88
[2924] 1478770020.599366: Sending TCP request to stream 10.80.40.243:88
[2924] 1478770020.603569: Received answer (554 bytes) from stream 10.80.40.243:88
[2924] 1478770020.603651: Terminating TCP connection to stream 10.80.40.243:88
[2924] 1478770020.603733: Response was from master KDC
[2924] 1478770020.603809: Received error from KDC: -1765328359/Additional pre-authentication required
[2924] 1478770020.603862: Decoding FAST response
[2924] 1478770020.603960: Processing preauth types: 136, 141, 133, 137
[2924] 1478770020.604017: Received cookie: MIT
Enter OTP Token Value:

Timo Aaltonen (tjaalton)
Changed in freeipa (Ubuntu):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package freeipa - 4.4.3-3ubuntu1

---------------
freeipa (4.4.3-3ubuntu1) zesty; urgency=medium

  * fix-is-running.diff: Add a third argument to is_running() in
    ipaplatform/debian/services.py.

 -- Timo Aaltonen <email address hidden> Fri, 17 Feb 2017 01:40:15 +0200

Changed in freeipa (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.