
freeipa team mailing list archive

[Bug 1640732] Re: krb5-otp package not being installed when ipa-server-install

 

This bug was fixed in the package freeipa - 4.4.3-3ubuntu1

---------------
freeipa (4.4.3-3ubuntu1) zesty; urgency=medium

  * fix-is-running.diff: Add a third argument to is_running() in
    ipaplatform/debian/services.py.

 -- Timo Aaltonen <tjaalton@xxxxxxxxxx>  Fri, 17 Feb 2017 01:40:15 +0200

** Changed in: freeipa (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1640732

Title:
  krb5-otp package not being installed when ipa-server-install

Status in freeipa package in Ubuntu:
  Fix Released

Bug description:
  While using FreeIPA server with an external RADIUS server (which in turn is connected to an OTP authenticator), freeipa-server fails to load the required krb5-otp module.
  That's because the module is simply not there and every request sent by a user using FAST/OTP will fail. This is the message on /var/log/auth:

  NEEDED_PREAUTH: johndoe@REALM for krbtgt/REALM, Additional pre-
  authentication required

  The user gets (note that he is not prompted for OTP, the request simply dies):
  root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
  [2872] 1478769982.447733: Resolving unique ccache of type KEYRING
  [2872] 1478769982.449824: Getting initial credentials for johndoe@REALM
  [2872] 1478769982.453943: FAST armor ccache: KEYRING:persistent:0:0
  [2872] 1478769982.454171: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
  [2872] 1478769982.454284: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
  [2872] 1478769982.454396: Using FAST due to armor ccache negotiation result
  [2872] 1478769982.454484: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
  [2872] 1478769982.454637: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
  [2872] 1478769982.454733: Armor ccache sesion key: aes256-cts/03D3
  [2872] 1478769982.454836: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/8CB1, session key aes256-cts/03D3
  [2872] 1478769982.455045: FAST armor key: aes256-cts/21EB
  [2872] 1478769982.455147: Encoding request body and padata into FAST request
  [2872] 1478769982.455272: Sending request (947 bytes) to REALM
  [2872] 1478769982.455437: Resolving hostname freeipa.realm.com
  [2872] 1478769982.455900: Initiating TCP connection to stream 10.80.40.243:88
  [2872] 1478769982.456147: Sending TCP request to stream 10.80.40.243:88
  [2872] 1478769982.464118: Received answer (488 bytes) from stream 10.80.40.243:88
  [2872] 1478769982.464126: Terminating TCP connection to stream 10.80.40.243:88
  [2872] 1478769982.464147: Response was from master KDC
  [2872] 1478769982.464161: Received error from KDC: -1765328359/Additional pre-authentication required
  [2872] 1478769982.464166: Decoding FAST response
  [2872] 1478769982.464438: Processing preauth types: 136, 133, 137
  [2872] 1478769982.464446: Received cookie: MIT
  kinit: Generic preauthentication failure while getting initial credentials

  
  Solution:

  $ sudo apt-get install krb5-otp
  $ sudo service krb5-kdc restart 
  $ sudo service krb5-admin-server restart 

  
  After that everything works as expected:

  root@freeipa:~# KRB5_TRACE=/dev/stdout kinit -T KEYRING:persistent:0:0 johndoe
  [2924] 1478770020.592804: Resolving unique ccache of type KEYRING
  [2924] 1478770020.592994: Getting initial credentials for johndoe@REALM
  [2924] 1478770020.596893: FAST armor ccache: KEYRING:persistent:0:0
  [2924] 1478770020.597091: Retrieving admin@REALM -> krb5_ccache_conf_data/fast_avail/krbtgt\/REALM\@REALM@X-CACHECONF: from KEYRING:persistent:0:0 with result: 0/Success
  [2924] 1478770020.597744: Read config in KEYRING:persistent:0:0 for krbtgt/REALM@REALM: fast_avail: yes
  [2924] 1478770020.597822: Using FAST due to armor ccache negotiation result
  [2924] 1478770020.597884: Getting credentials admin@REALM -> krbtgt/REALM@REALM using ccache KEYRING:persistent:0:0
  [2924] 1478770020.598012: Retrieving admin@REALM -> krbtgt/REALM@REALM from KEYRING:persistent:0:0 with result: 0/Success
  [2924] 1478770020.598102: Armor ccache sesion key: aes256-cts/03D3
  [2924] 1478770020.598199: Creating authenticator for admin@REALM -> krbtgt/REALM@REALM, seqnum 0, subkey aes256-cts/E28F, session key aes256-cts/03D3
  [2924] 1478770020.598381: FAST armor key: aes256-cts/8677
  [2924] 1478770020.598471: Encoding request body and padata into FAST request
  [2924] 1478770020.598585: Sending request (947 bytes) to REALM
  [2924] 1478770020.598669: Resolving hostname freeipa.realm.com
  [2924] 1478770020.599039: Initiating TCP connection to stream 10.80.40.243:88
  [2924] 1478770020.599366: Sending TCP request to stream 10.80.40.243:88
  [2924] 1478770020.603569: Received answer (554 bytes) from stream 10.80.40.243:88
  [2924] 1478770020.603651: Terminating TCP connection to stream 10.80.40.243:88
  [2924] 1478770020.603733: Response was from master KDC
  [2924] 1478770020.603809: Received error from KDC: -1765328359/Additional pre-authentication required
  [2924] 1478770020.603862: Decoding FAST response
  [2924] 1478770020.603960: Processing preauth types: 136, 141, 133, 137
  [2924] 1478770020.604017: Received cookie: MIT
  Enter OTP Token Value:

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1640732/+subscriptions
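
The two traces in the bug description differ in one line: the preauth types the KDC offers (141, PA-OTP-CHALLENGE, appears only after krb5-otp is installed). The check below is an added example, not part of the bug report or of FreeIPA; it reads a KRB5_TRACE capture and reports whether the OTP challenge was offered. The function names and verdict strings are illustrative, and the sample lines are excerpted from the traces above.

```bash
#!/usr/bin/env bash
# Added example: classify a KRB5_TRACE capture by the preauth types the KDC offered.
# Padata numbers: 133 PA-FX-COOKIE, 136 PA-FX-FAST, 137 PA-FX-ERROR (RFC 6113),
#                 141 PA-OTP-CHALLENGE (RFC 6560).

# Print the list from the last "Processing preauth types:" line, without spaces.
offered_preauth() {
    sed -n 's/^.*Processing preauth types: *//p' | tail -n 1 | tr -d ' \r'
}

# Map a padata number to its name; unknown numbers are passed through.
padata_name() {
    case "$1" in
        133) echo PA-FX-COOKIE ;;
        136) echo PA-FX-FAST ;;
        137) echo PA-FX-ERROR ;;
        141) echo PA-OTP-CHALLENGE ;;
        *)   echo "padata-$1" ;;
    esac
}

# Read a trace on stdin, print a verdict, return 0 only if OTP was offered.
diagnose_trace() {
    local types names="" t
    types=$(offered_preauth)
    [ -n "$types" ] || { echo "no-preauth-list"; return 2; }
    for t in $(echo "$types" | tr ',' ' '); do
        names="$names $(padata_name "$t")"
    done
    case ",$types," in
        *,141,*) echo "otp-offered:$names"; return 0 ;;
        # FAST works but no OTP challenge: on this page, krb5-otp was missing.
        *,136,*) echo "fast-without-otp:$names"; return 1 ;;
        *)       echo "no-fast-no-otp:$names"; return 1 ;;
    esac
}

# Lines excerpted from the failing and the working trace in the bug description.
TRACE_BEFORE='[2872] 1478769982.454396: Using FAST due to armor ccache negotiation result
[2872] 1478769982.464438: Processing preauth types: 136, 133, 137'
TRACE_AFTER='[2924] 1478770020.597822: Using FAST due to armor ccache negotiation result
[2924] 1478770020.603960: Processing preauth types: 136, 141, 133, 137'

printf '%s\n' "$TRACE_BEFORE" | diagnose_trace || true
printf '%s\n' "$TRACE_AFTER"  | diagnose_trace || true
```

To check a live KDC, pipe the output of the `KRB5_TRACE=/dev/stdout kinit -T ...` command from the report into `diagnose_trace`.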

