krb5-otp package not being installed when ipa-server-install
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
freeipa (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
While using a FreeIPA server with an external RADIUS server (which in turn is connected to an OTP authenticator), freeipa-server fails to load the required krb5-otp module.
That's because the module is simply not there, and every request sent by a user using FAST/OTP will fail. This is the message in /var/log/auth:
NEEDED_PREAUTH: johndoe@REALM for krbtgt/REALM, Additional pre-authentication required
The user gets (note that he is not prompted for OTP, the request simply dies):
root@freeipa:~# KRB5_TRACE=
[2872] 1478769982.447733: Resolving unique ccache of type KEYRING
[2872] 1478769982.449824: Getting initial credentials for johndoe@REALM
[2872] 1478769982.453943: FAST armor ccache: KEYRING:
[2872] 1478769982.454171: Retrieving admin@REALM -> krb5_ccache_
[2872] 1478769982.454284: Read config in KEYRING:
[2872] 1478769982.454396: Using FAST due to armor ccache negotiation result
[2872] 1478769982.454484: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:
[2872] 1478769982.454637: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:
[2872] 1478769982.454733: Armor ccache sesion key: aes256-cts/03D3
[2872] 1478769982.454836: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/8CB1, session key aes256-cts/03D3
[2872] 1478769982.455045: FAST armor key: aes256-cts/21EB
[2872] 1478769982.455147: Encoding request body and padata into FAST request
[2872] 1478769982.455272: Sending request (947 bytes) to REALM
[2872] 1478769982.455437: Resolving hostname freeipa.realm.com
[2872] 1478769982.455900: Initiating TCP connection to stream 10.80.40.243:88
[2872] 1478769982.456147: Sending TCP request to stream 10.80.40.243:88
[2872] 1478769982.464118: Received answer (488 bytes) from stream 10.80.40.243:88
[2872] 1478769982.464126: Terminating TCP connection to stream 10.80.40.243:88
[2872] 1478769982.464147: Response was from master KDC
[2872] 1478769982.464161: Received error from KDC: -1765328359/
[2872] 1478769982.464166: Decoding FAST response
[2872] 1478769982.464438: Processing preauth types: 136, 133, 137
[2872] 1478769982.464446: Received cookie: MIT
kinit: Generic preauthentication failure while getting initial credentials
Solution:
$ sudo apt-get install krb5-otp
$ sudo service krb5-kdc restart
$ sudo service krb5-admin-server restart
After that everything works as expected:
root@freeipa:~# KRB5_TRACE=
[2924] 1478770020.592804: Resolving unique ccache of type KEYRING
[2924] 1478770020.592994: Getting initial credentials for johndoe@REALM
[2924] 1478770020.596893: FAST armor ccache: KEYRING:
[2924] 1478770020.597091: Retrieving admin@REALM -> krb5_ccache_
[2924] 1478770020.597744: Read config in KEYRING:
[2924] 1478770020.597822: Using FAST due to armor ccache negotiation result
[2924] 1478770020.597884: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:
[2924] 1478770020.598012: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:
[2924] 1478770020.598102: Armor ccache sesion key: aes256-cts/03D3
[2924] 1478770020.598199: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/E28F, session key aes256-cts/03D3
[2924] 1478770020.598381: FAST armor key: aes256-cts/8677
[2924] 1478770020.598471: Encoding request body and padata into FAST request
[2924] 1478770020.598585: Sending request (947 bytes) to REALM
[2924] 1478770020.598669: Resolving hostname freeipa.realm.com
[2924] 1478770020.599039: Initiating TCP connection to stream 10.80.40.243:88
[2924] 1478770020.599366: Sending TCP request to stream 10.80.40.243:88
[2924] 1478770020.603569: Received answer (554 bytes) from stream 10.80.40.243:88
[2924] 1478770020.603651: Terminating TCP connection to stream 10.80.40.243:88
[2924] 1478770020.603733: Response was from master KDC
[2924] 1478770020.603809: Received error from KDC: -1765328359/
[2924] 1478770020.603862: Decoding FAST response
[2924] 1478770020.603960: Processing preauth types: 136, 141, 133, 137
[2924] 1478770020.604017: Received cookie: MIT
Enter OTP Token Value:
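Added example (not part of this bug report or of FreeIPA): a small Python check that reads a KRB5_TRACE capture and reports whether the KDC's PREAUTH_REQUIRED reply advertised PA-OTP-CHALLENGE (pre-auth type 141), which is the only line that differs between the two traces above. The sample traces are constructed from those lines; the type numbers come from RFC 6113 (FAST) and RFC 6560 (OTP), and the error code -1765328359 is KRB5KDC_ERR_PREAUTH_REQUIRED.

```python
import re

# Pre-authentication type numbers from RFC 6113 (FAST) and RFC 6560 (OTP).
PA_TYPES = {
    133: "PA-FX-COOKIE",
    136: "PA-FX-FAST",
    137: "PA-FX-ERROR",
    138: "PA-ENCRYPTED-CHALLENGE",
    141: "PA-OTP-CHALLENGE",
}
PA_OTP_CHALLENGE = 141
KRB5KDC_ERR_PREAUTH_REQUIRED = -1765328359

KDC_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)")
PREAUTH_RE = re.compile(r"Processing preauth types: ([\d, ]+)")

# Constructed samples: the two decisive lines from each trace in the report.
BROKEN_TRACE = """\
[2872] 1478769982.464161: Received error from KDC: -1765328359/
[2872] 1478769982.464438: Processing preauth types: 136, 133, 137
"""
FIXED_TRACE = """\
[2924] 1478770020.603809: Received error from KDC: -1765328359/
[2924] 1478770020.603960: Processing preauth types: 136, 141, 133, 137
"""


def parse_trace(trace):
    """Return (kdc_error_codes, preauth_types) found in KRB5_TRACE output."""
    errors = [int(m.group(1)) for m in KDC_ERR_RE.finditer(trace)]
    types = []
    for m in PREAUTH_RE.finditer(trace):
        types.extend(int(t) for t in m.group(1).split(","))
    return errors, types


def otp_offered(trace):
    """True when the KDC asked for pre-auth and listed PA-OTP-CHALLENGE;
    without the krb5-otp plugin the KDC never offers type 141."""
    errors, types = parse_trace(trace)
    return KRB5KDC_ERR_PREAUTH_REQUIRED in errors and PA_OTP_CHALLENGE in types


def describe(trace):
    """Human-readable names for the pre-auth types the KDC offered."""
    return [PA_TYPES.get(t, f"unknown({t})") for t in parse_trace(trace)[1]]


if __name__ == "__main__":
    import sys
    trace = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_TRACE
    print("KDC offers OTP preauth:", otp_offered(trace), describe(trace))
```

Run it on a saved `KRB5_TRACE` capture (`python3 check_otp.py trace.log`) to confirm the KDC offers type 141 after installing krb5-otp and restarting the KDC.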
Changed in freeipa (Ubuntu): status: New → Fix Committed
This bug was fixed in the package freeipa - 4.4.3-3ubuntu1
---------------
freeipa (4.4.3-3ubuntu1) zesty; urgency=medium
* fix-is-running.diff: Add a third argument to is_running() in ipaplatform/debian/services.py.
-- Timo Aaltonen <email address hidden> Fri, 17 Feb 2017 01:40:15 +0200