Robert Kudyba via FreeIPA-users wrote:
On Wed, Mar 17, 2021 at 9:27 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Robert Kudyba via FreeIPA-users wrote:
>
>
> On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> > It depends on what the expectations are for these user-owned machines.
> >
> >
> > Only expectation is to be able to log in to a server, get access to
> > their home directory and be able to do their assignments, e.g., C++,
> > Java or Python programming.
> >
> >
> > If you don't need IPA identities and IPA users won't log into them, then
> > they only need a working krb5.conf and DNS configured on them.
> >
> >
> > So each device needs to drop in the krb5.conf file from the FreeIPA
> > server? How does this work on a Windows client?
>
> From the server? I wouldn't. It is likely going to need some hand-tuning
> depending on your configuration. For example the server is going to have
> a hardcoded KDC in it. You may or may not want that.
>
>
> So we have to customize the /etc/krb5.conf file that exists on the
> server for any student devices.
I mean, you don't want to use ipa-client-install which would do all of
this for you, and I understand the reasons, but it does mean some
additional work on your part.
I don't know your network so at most I can make general suggestions, not
provide you a full configuration.
Since it's a test server, DNS is not fully configured on the server to
resolve properly, so I now set the krb5.conf file to ignore DNS (see below).
In retrospect the default krb5.conf that ships on Fedora provides for
includes. I think this is probably your best bet: provide an IPA
configuration that resides there and it should co-exist pretty easily
with any other configuration.
I'm not completely sure about the order of loading and which
configuration "wins" when there is conflict. The man page is the place
to look.
And kcm_default_ccache has instructions on how to enable/run sssd-kcm so
that this should work out-of-the-box. That is probably better than
having students comment it out, unless you can control the order of what
"wins" when there is conflicting configuration.
Thanks, I'll also look into this.
> > So your students would log into their own controlled machine using their
> > own local account, kinit student123(a)univ.edu and ssh using their
> > credentials.
> >
> > The krb5.conf will tell the student machine how to contact the KDC.
> > That's all that is necessary (beyond working DNS).
> >
> >
> > I just tried this on another Fedora 33 workstation, dropped in the
> > /etc/krb5.conf file and all I get is:
> > kinit: No KCM server found while getting default ccache
>
> You can comment the values out in /etc/krb5.conf.d/kcm_default_ccache to
> change the default ccache type, or comment out the includes in krb5.conf
> (probably easier).
>
>
> OK now I can get any Fedora client to kinit and then ssh.
See about for perhaps a less hacky approach than I originally suggested.
What "about" are you referring to?
Typo. Above.
> > I'm puzzled as to what we'd need to tell/provide to a student, who is
> > enrolled remotely and can't come on campus, to be able to connect to our
> > server via their Windows or Mac laptop.
>
> I don't know about Windows. I used the Windows MIT Kerberos packages a
> decade or more ago and they worked fine with PuTTY (and IPA with
> discovery) but whether that applies now or not I have no idea.
>
> Mac I think should work similar to Linux: provide a krb5.conf and things
> should just work. Again, you'll likely have to tweak the configuration
> depending on what version of MIT Mac ships these days.
>
>
> kinit --version
>
> kinit (Heimdal 1.5.1apple1)
>
>
> So my first test with the server krb5.conf file copied into /etc:
>
> kinit: krb5_get_init_creds: unable to reach any KDC in realm OURDOMAIN.EDU, tried 0 KDCs
>
>
> So the first suggestion
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__apple.stackexchange....>
> I found was to preface kdc = tcp
>
> Then I made sure the firewall on the Mac was disabled. I also added the
> test IPA server & IP into /etc/hosts. I can ping it successfully.
>
> What else needs to change?
It's difficult to troubleshoot in a void. I don't know your network
configuration nor what krb5.conf you're using. It sure looks like
discovery of the KDC over DNS failed.
I configured the following in krb5.conf and now at least get prompted
for a password and kinit works!:
[libdefaults]
dns_lookup_kdc = no
dns_lookup_realm = no
klist
Ticket cache: API:krb5cc
Default principal: ouruser(a)OURDOMAIN.EDU
Valid starting       Expires              Service principal
03/18/21 15:17:43    03/19/21 15:17:39    krbtgt/OURDOMAIN.EDU(a)OURDOMAIN.EDU
I don't know why mac/Windows isn't working. It doesn't look like it is
even trying GSSAPI.
rob
However ssh -k on both a Mac and Windows PC does NOT automatically log me
in and only the NIS password works. From ssh -vv all I see is:
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
And from the ssh logs:
Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
Mar 18 15:52:48 ourserver sshd[634486]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
Mar 18 15:52:48 ourserver sshd[634486]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
Mar 18 15:52:48 ourserver sshd[634486]: Failed publickey for ouruser from x.x.x.x port 51827 ssh2: ED25519 SHA256:BH1fuycgWofiOBV9lPK4XB2vYK3frN2FKv208PnmENI
Mar 18 15:52:48 ourserver sshd[634486]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: attempt 3 failures 2 [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: keyboard-interactive devs [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: kbdint_alloc: devices 'pam' [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: Postponed keyboard-interactive for ouruser from x.x.x.x port 51827 ssh2 [preauth]
Mar 18 15:52:58 ourserver sshd[634508]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
Mar 18 15:53:00 ourserver sshd[634486]: error: PAM: Authentication failure for ouruser from x.x.x.x
Mar 18 15:53:00 ourserver sshd[634486]: Failed keyboard-interactive/pam for ouruser from x.x.x.x port 51827 ssh2
Mar 18 15:53:00 ourserver sshd[634486]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
So is there some other configuration that needs to be set to pass
on/through from kinit/ticket to ssh, on Windows and Mac? Perhaps
something in krb5.conf?
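As an added illustration (not part of the thread, and not FreeIPA, MIT or Heimdal code): a small Python parser for krb5.conf that reports how kinit would locate a KDC for the default realm. It makes the dependency behind the "tried 0 KDCs" error explicit: once dns_lookup_kdc is off, the only KDCs a client can try are the kdc = entries under [realms], so a file with neither leaves nothing to attempt. The realm name, host names and includedir path in the two constructed samples are placeholders. The parser records include/includedir directives but does not read the included files, so a KDC defined only under /etc/krb5.conf.d/ (the layout mentioned above) would not be seen by it.

```python
"""Added example: inspect a krb5.conf and explain how kinit would find a KDC.
Realm and host names below are placeholders, not the thread's."""
import re

TRUE_WORDS = {"true", "yes", "on", "1", "t", "y"}   # boolean spellings krb5.conf accepts


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values]}}.

    Handles [section] headers, key = value lines (repeated keys such as several
    kdc = lines accumulate), one level of NAME = { ... } blocks as used in
    [realms], and include/includedir directives (recorded under '_includes';
    the referenced files are NOT read)."""
    conf = {"_includes": []}
    section = block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^(includedir|include)\s+(\S+)$", line)
        if m:
            conf["_includes"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue                                  # text before the first section
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^\s=]+)\s*=\s*\{$", line)   # start of REALM = { ... }
        if m:
            block = m.group(1)
            conf[section].setdefault(block, {})
            continue
        m = re.match(r"^([^\s=]+)\s*=\s*(.+)$", line)
        if m:
            target = conf[section][block] if block else conf[section]
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def _first(mapping, key, default=None):
    vals = mapping.get(key)
    return vals[0] if vals else default


def kdc_candidates(conf, realm):
    """Explicit KDC endpoints for `realm` as (transport, host[:port]) tuples;
    transport is 'tcp'/'udp'/'http' when a Heimdal-style prefix is present."""
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict):
        return []
    out = []
    for entry in realm_block.get("kdc", []):
        m = re.match(r"^(tcp|udp|http)/(.+)$", entry)
        out.append((m.group(1), m.group(2)) if m else (None, entry))
    return out


def diagnose(conf):
    """One-line verdict on how kinit would find a KDC for the default realm."""
    lib = conf.get("libdefaults", {})
    realm = _first(lib, "default_realm")
    if realm is None:
        return "no default_realm in [libdefaults]"
    dns = _first(lib, "dns_lookup_kdc", "true").lower() in TRUE_WORDS   # library default is on
    kdcs = kdc_candidates(conf, realm)
    if kdcs:
        return f"ok: {len(kdcs)} explicit KDC(s) for {realm}; dns_lookup_kdc={'on' if dns else 'off'}"
    if dns:
        return f"no explicit KDC for {realm}; relies on DNS SRV _kerberos._tcp/_udp.{realm}"
    return f"tried 0 KDCs: dns_lookup_kdc is off and [realms] lists no kdc for {realm}"


# Constructed sample 1: DNS discovery off and no kdc listed, so nothing to try.
SAMPLE_NO_KDC = """\
includedir /etc/krb5.conf.d/

[libdefaults]
    default_realm = EXAMPLE.TEST
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    EXAMPLE.TEST = {
    }
"""

# Constructed sample 2: the shape that made kinit work in the thread, with a
# placeholder host and the Heimdal-style tcp/ prefix.
SAMPLE_WITH_KDC = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    dns_lookup_kdc = no
    dns_lookup_realm = no

[realms]
    EXAMPLE.TEST = {
        kdc = tcp/ipa.example.test:88
        admin_server = ipa.example.test
    }

[domain_realm]
    .example.test = EXAMPLE.TEST
    example.test = EXAMPLE.TEST
"""

if __name__ == "__main__":
    for name, text in (("no kdc", SAMPLE_NO_KDC), ("with kdc", SAMPLE_WITH_KDC)):
        conf = parse_krb5_conf(text)
        print(f"{name}: {diagnose(conf)}; includes={conf['_includes']}")
```

The verdict only reflects what is in the file handed to it; on a real client, run it over the main file and each file under the includedir separately, since which file's setting wins on conflict is a question for the krb5.conf man page, as noted above.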
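A second added example (again not from the thread, OpenSSH or SSSD): a Python triage helper that reads ssh -v client output and sshd log lines of the shape quoted above and reports which authentication methods the server offered, which ones the client actually requested, and what pam_sss returned. Over the constructed sample it yields the same observation made above: gssapi-with-mic is offered, but no GSSAPI userauth request ever reaches the server, and the keyboard-interactive fallback ends in PAM with pam_sss code 9. Host name, pid, address, user and key fingerprint in the samples are placeholders.

```python
"""Added example: triage ssh -v output and sshd log lines to see which
authentication methods were offered, requested and failed. Names, pid,
address and fingerprint in the samples are placeholders, not the thread's."""
import re

# Constructed client-side excerpt in the shape of `ssh -vv` output.
CLIENT_DEBUG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
"""

# Constructed server-side excerpt in the shape of sshd debug logging.
SSHD_LOG = """\
Mar 18 15:52:48 host sshd[1000]: Failed publickey for alice from 192.0.2.10 port 51827 ssh2: ED25519 SHA256:PLACEHOLDER
Mar 18 15:52:48 host sshd[1000]: debug1: userauth-request for user alice service ssh-connection method keyboard-interactive [preauth]
Mar 18 15:52:48 host sshd[1000]: Postponed keyboard-interactive for alice from 192.0.2.10 port 51827 ssh2 [preauth]
Mar 18 15:52:58 host sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Mar 18 15:52:58 host sshd[1001]: pam_sss(sshd:auth): received for user alice: 9 (Authentication service cannot retrieve authentication info)
Mar 18 15:53:00 host sshd[1000]: error: PAM: Authentication failure for alice from 192.0.2.10
Mar 18 15:53:00 host sshd[1000]: Failed keyboard-interactive/pam for alice from 192.0.2.10 port 51827 ssh2
"""

GSSAPI_METHODS = {"gssapi-with-mic", "gssapi-keyex"}
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def server_offered_methods(client_debug):
    """Set of userauth methods the server advertised, taken from ssh -v output."""
    offered = set()
    for line in client_debug.splitlines():
        m = re.search(r"Authentications that can continue: (\S+)", line)
        if m:
            offered.update(m.group(1).split(","))
    return offered


def summarize_sshd(log):
    """Per-user view of sshd log lines: methods the client requested, methods
    that failed (named as sshd logs them, e.g. keyboard-interactive/pam), and
    pam_sss result codes."""
    users = {}

    def rec(user):
        return users.setdefault(user, {"requested": [], "failed": [], "pam_sss": []})

    for line in log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        r = re.search(r"userauth-request for user (\S+) service \S+ method (\S+)", msg)
        if r:
            rec(r.group(1))["requested"].append(r.group(2))
            continue
        r = re.match(r"Failed (\S+) for (\S+) from \S+", msg)
        if r:
            rec(r.group(2))["failed"].append(r.group(1))
            continue
        r = re.search(r"pam_sss\(sshd:auth\): received for user (\S+): (\d+) \((.*)\)", msg)
        if r:
            rec(r.group(1))["pam_sss"].append((int(r.group(2)), r.group(3)))
    return users


def gssapi_verdict(offered, user_rec):
    """Did a GSSAPI attempt ever reach the server for this user?"""
    if not offered & GSSAPI_METHODS:
        return "server did not offer GSSAPI: check GSSAPIAuthentication in sshd_config"
    tried = set(user_rec["requested"]) | {m.split("/")[0] for m in user_rec["failed"]}
    if tried & GSSAPI_METHODS:
        return "client requested GSSAPI; look at the server's GSSAPI/keytab errors next"
    return ("server offered GSSAPI but no GSSAPI request reached it: confirm the client "
            "enables GSSAPIAuthentication and holds a ticket (klist) before it connects")


if __name__ == "__main__":
    offered = server_offered_methods(CLIENT_DEBUG)
    for user, user_rec in summarize_sshd(SSHD_LOG).items():
        print(user, user_rec)
        print(gssapi_verdict(offered, user_rec))
```

The split between "offered" (server side, seen in the client's -v output) and "requested" (server log) is the useful part: when the two disagree for the GSSAPI methods, the problem is on the client before any packet reaches sshd, which is where krb5.conf and the ssh client configuration live rather than sshd_config or PAM.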