[Freeipa-users] Kerberos and 2fa with mac OS X client

Sumit Bose sbose at redhat.com
Fri Dec 16 07:39:55 UTC 2016


On Thu, Dec 15, 2016 at 06:50:53PM +0000, Mark Steele wrote:
> Still no luck.
> 
> 
> klist
> Credentials cache: API:4FE16A36-A5AB-476F-8B49-4B427E816279
>         Principal: admin at INT.DOMAIN.COM
> 
>   Issued                Expires               Principal
> Dec 15 13:45:09 2016  Dec 16 13:45:07 2016  krbtgt/INT.DOMAIN.COM at INT.DOMAIN.COM
> 
> 
> KRB5_TRACE=/dev/stdout kinit --fast-armor-cache=API:4FE16A36-A5AB-476F-8B49-4B427E816279 mark.steele at INT.DOMAIN.COM
> 2016-12-15T13:35:35 set-error: -1765328242: Reached end of credential caches
> 2016-12-15T13:35:35 set-error: -1765328243: Principal mark.steele at INT.DOMAIN.COM not found in any credential cache
> mark.steele at INT.DOMAIN.COM's password: 
> 2016-12-15T13:35:50 set-error: -1765328234: Encryption type des-cbc-md5-deprecated not supported
> 2016-12-15T13:35:50 Adding PA mech: SRP
> 2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_CHALLENGE
> 2016-12-15T13:35:50 Adding PA mech: ENCRYPTED_TIMESTAMP
> 2016-12-15T13:35:50 krb5_get_init_creds: loop 1
> 2016-12-15T13:35:50 KDC sent 0 patypes
> 2016-12-15T13:35:50 Trying to find service kdc for realm INT.DOMAIN.COM flags 0
> 2016-12-15T13:35:50 configuration file for realm INT.DOMAIN.COM found
> 2016-12-15T13:35:50 submissing new requests to new host
> 2016-12-15T13:35:50 connecting to host: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:35:50 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:35:51 Configuration exists for realm INT.DOMAIN.COM, wont go to DNS
> 2016-12-15T13:35:51 out of hosts, waiting for replies
> 2016-12-15T13:36:01 retrying sending to: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:36:01 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:36:12 retrying sending to: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:36:12 writing packet: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001
> 2016-12-15T13:36:23 host timed out: udp 10.44.4.50:kerberos (ds01.int.domain.com) tid: 00000001

Your client does not fall back to TCP. It is at least recommended to use
TCP with OTP (see https://fedorahosted.org/freeipa/ticket/4725). IIRC
with Heimdal you can use

   kdc = tcp/ds01.int.domain.com:88

to force the client to use TCP.

HTH

bye,
Sumit
  
> 2016-12-15T13:36:23 no more hosts to send/recv packets to/from trying to pulling more hosts
> 2016-12-15T13:36:23 set-error: -1765328228: unable to reach any KDC in realm INT.DOMAIN.COM, tried 1 KDC
> 2016-12-15T13:36:23 krb5_sendto_context INT.DOMAIN.COM done: -1765328228 hosts 1 packets 3 wc: 33.115489 nr: 0.000804 kh: 0.000915 tid: 00000001
> kinit: krb5_get_init_creds: unable to reach any KDC in realm INT.DOMAIN.COM, tried 1 KDC
> 
> 
> mac client config (OS 10.11.1):
> 
> cat /etc/krb5.conf 
> [libdefaults]
>     default_realm = INT.DOMAIN.COM
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>     ticket_lifetime = 24h
>     forwardable = yes
>     renewable = true
> 
> 
> [realms]
>  INT.DOMAIN.COM = {
>   kdc = ds01.int.domain.com:88
>   master_kdc = ds01.int.domain.com:88
>   admin_server = ds01.int.domain.com:749
>   default_domain = int.domain.com
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
> 
> [domain_realm]
>  .int.domain.com = INT.DOMAIN.COM
>  int.domain.com = INT.DOMAIN.COM
> 
> On the freeipa server’s krb5kdc.log:
> 
> krb5kdc: Realm not local to KDC - while dispatching (udp)
> 
> When authenticating with a non 2FA user, works fine.
> 
> Anyone can hit me with a clue-stick?
> 
> Cheers,
> 
> Mark
> 
> 
> 
> On 2016-12-15, 11:20 AM, "freeipa-users-bounces at redhat.com on behalf of Alexander Bokovoy" <freeipa-users-bounces at redhat.com on behalf of abokovoy at redhat.com> wrote:
> 
>     On to, 15 joulu 2016, Sumit Bose wrote:
>     >On Thu, Dec 15, 2016 at 03:38:14PM +0000, Mark Steele wrote:
>     >> Hi,
>     >>
>     >> Has anyone managed to make this work and if so, is there some documentation for doing so?
>     >>
>     >> I can successfully authenticate to my linux servers using 2FA, but am
>     >> unable to get my Mac to be able to get a ticket with kinit.
>     >>
>     >> Kinit returns: “password incorrect”, and isn’t prompting for the
>     >> second factor. I’ve also tried appending the second factor to the
>     >> password (like when logging into the UI).
>     >>
>     >> Any help would be appreciated.
>     >
>     >For 2FA FAST is needed http://www.freeipa.org/page/V4/OTP#kinit_Method.
>     >For MacOS I found
>     >https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/kinit.1.html
>     >and according to this the MacOS kinit does not support FAST, i.e. using
>     >an armor credential cache. But maybe there are newer or alternative
>     >versions which supports it?
>     Starting with Mac OS X 10.8, Heimdal does support FAST.
>     
>     kinit --fast-armor-cache /path/to/ccache
>     
>     In Mac OS X numbering scheme for Heimdal this is version 247.6 or later.
>     
>     -- 
>     / Alexander Bokovoy
>     
> 
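As an added illustration of the advice in the reply above (example code, not part of the thread): a small Python check that parses the `[realms]` block of a krb5.conf laid out like the Mac client's file, flags `kdc`/`master_kdc` entries that lack Heimdal's `tcp/` prefix (the ones that let kinit try UDP first, as in the timing-out trace), and rewrites them to `tcp/host:port`. The sample config is constructed from the thread's values.

```python
import re

# Constructed sample modelled on the Mac client's krb5.conf in the thread
# (same realm and hostnames; not the poster's actual file).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = INT.DOMAIN.COM
    dns_lookup_kdc = true

[realms]
 INT.DOMAIN.COM = {
  kdc = ds01.int.domain.com:88
  master_kdc = ds01.int.domain.com:88
  admin_server = ds01.int.domain.com:749
  pkinit_anchors = FILE:/etc/ipa/ca.crt
 }

[domain_realm]
 .int.domain.com = INT.DOMAIN.COM
"""

KDC_KEYS = ("kdc", "master_kdc")


def udp_capable_kdcs(conf: str, realm: str):
    """Return (key, value) pairs for `realm` whose KDC address lacks the tcp/ prefix."""
    section = re.search(r"^\[realms\](.*?)(?=^\[|\Z)", conf, re.S | re.M)
    if not section:
        return []
    # The realm block is "REALM = { ... }" with the closing brace on its own line.
    block = re.search(rf"^\s*{re.escape(realm)}\s*=\s*\{{(.*?)^\s*\}}",
                      section.group(1), re.S | re.M)
    if not block:
        return []
    found = []
    for line in block.group(1).splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if m and m.group(1) in KDC_KEYS and not m.group(2).startswith("tcp/"):
            found.append((m.group(1), m.group(2)))
    return found


def force_tcp(conf: str, realm: str) -> str:
    """Rewrite plain host:port kdc entries of `realm` to Heimdal's tcp/host:port form."""
    for key, value in udp_capable_kdcs(conf, realm):
        conf = re.sub(rf"^(\s*{key}\s*=\s*){re.escape(value)}$",
                      rf"\1tcp/{value}", conf, count=1, flags=re.M)
    return conf
```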