On ke, 04 heinä 2018, lune voo wrote:
Hello Alexander.
Thanks for the answer.
Otp stands for one time password.
In fact in order to set a password for a user, I do first a ipa passwd
using ipa python library.
So, your code is equivalent to
kinit admin
ipa passwd test-user
kpasswd test-user
?
I.e. there is no 2FA involved and what you call 'otp' is only reflecting
the fact that any non-user-initiated password change forces that user to
change their password, so 'ipa passwd test-user' as admin means
'test-user' password has to be changed and becomes effectively a one
time password set by admin.
Is that a correct assessment?
The otp is good normally.
Can you demonstrate things not working
in a console, interactively?
And the kpasswd password should be good also except if ipa kdc dont
like
some special characters ?
There is no limits on what Kerberos KDC considers a
'password' as that
could be a bunch of random bytes.
Lune.
Le mar. 3 juil. 2018 à 17:49, Alexander Bokovoy <abokovoy(a)redhat.com> a
écrit :
> On ti, 03 heinä 2018, lune voo via FreeIPA-users wrote:
> >Hello !
> >
> >I contact you because I encounter a problem when I use kpasswd using
> python
> >popen function.
> >I use freeipa 3.0 and python 2.6.6.
> >
> >Here is what I do in python :
> >
> >input_process = otp + '\n' + password + '\n' + password
> Here you provide otp (what is this? A 2FA token value?), password and
> password.
>
> >cmd = 'kpasswd %s' % user_login
> >cmd_and_args = shlex.split(cmd)
> >p = Popen(cmd_and_args, stdout=PIPE, stdin=PIPE, stderr=STDOUT)
> >(output, error) = p.communicate(input=input_process)
> >
> >
> >Before doing that, I performed the following command in order to have more
> >logs :
> >export KRB5_TRACE=/dev/stdout
> >
> >And here is what I see in the logs :
> >###
> >[47700] 1530630765.610794: Getting initial credentials for
> test_user@MYREALM
> >[47700] 1530630765.610945: FAST armor ccache: FILE:/tmp/krb5cc_testuser
> >[47700] 1530630765.610998: Retrieving admin@MYREALM ->
> >krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF:
> from
> >FILE:/tmp/krb5cc_testuser with result: 0/Success
> >[47700] 1530630765.611003: Read config in FILE:/tmp/krb5cc_testuser for
> >krbtgt/MYREALM@MYREALM: fast_avail: yes
> >[47700] 1530630765.611006: Using FAST due to armor ccache negotiation
> result
> >[47700] 1530630765.611016: Getting credentials admin@MYREALM ->
> >krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
> >[47700] 1530630765.611044: Retrieving admin@MYREALM ->
> >krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result:
> 0/Success
> >[47700] 1530630765.611061: Armor ccache sesion key: aes256-cts/2559
> >[47700] 1530630765.611089: Creating authenticator for admin@MYREALM ->
> >krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/7F39, session key
> >aes256-cts/2559
> >[47700] 1530630765.611168: FAST armor key: aes256-cts/79AB
> >[47700] 1530630765.611179: Setting initial creds service to
> kadmin/changepw
> >[47700] 1530630765.611184: FAST armor ccache: FILE:/tmp/krb5cc_testuser
> >[47700] 1530630765.611208: Retrieving admin@MYREALM ->
> >krb5_ccache_conf_data/fast_avail/krbtgt\/MYREALM\@MYREALM@X-CACHECONF:
> from
> >FILE:/tmp/krb5cc_testuser with result: 0/Success
> >[47700] 1530630765.611212: Read config in FILE:/tmp/krb5cc_testuser for
> >krbtgt/MYREALM@MYREALM: fast_avail: yes
> >[47700] 1530630765.611213: Using FAST due to armor ccache negotiation
> result
> >[47700] 1530630765.611219: Getting credentials admin@MYREALM ->
> >krbtgt/MYREALM@MYREALM using ccache FILE:/tmp/krb5cc_testuser
> >[47700] 1530630765.611240: Retrieving admin@MYREALM ->
> >krbtgt/MYREALM@MYREALM from FILE:/tmp/krb5cc_testuser with result:
> 0/Success
> >[47700] 1530630765.611245: Armor ccache sesion key: aes256-cts/2559
> >[47700] 1530630765.611256: Creating authenticator for admin@MYREALM ->
> >krbtgt/MYREALM@MYREALM, seqnum 0, subkey aes256-cts/2BFD, session key
> >aes256-cts/2559
> >[47700] 1530630765.611288: FAST armor key: aes256-cts/62C4
> >[47700] 1530630765.611299: Encoding request body and padata into FAST
> >request
> >[47700] 1530630765.611333: Sending request (1019 bytes) to MYREALM
> >[47700] 1530630765.611418: Resolving hostname ipamasterhostname
> >[47700] 1530630765.611608: Initiating TCP connection to stream
> >ipamasterIP:88
> >[47700] 1530630765.611769: Sending TCP request to stream ipamasterIP:88
> >[47700] 1530630765.675154: Received answer from stream ipamasterIP:88
> >[47700] 1530630765.675208: Response was from master KDC
> >[47700] 1530630765.675238: Received error from KDC: -1765328359/Additional
> >pre-authentication required
> >[47700] 1530630765.675249: Decoding FAST response
> >[47700] 1530630765.675311: Processing preauth types: 136, 19, 138, 133,
> 137
> >[47700] 1530630765.675319: Received cookie: MIT
> >Password for test_user@MYREALM:
> Here you are asked for a password.
>
> >[47700] 1530630765.682884: Preauth module
> >encrypted_challenge (138) (flags=1) returned: 0/Success
> >[47700] 1530630765.682889: Produced preauth for next request: 133, 138
> >[47700] 1530630765.682891: Encoding request body and padata into FAST
> >request
> >[47700] 1530630765.682951: Sending request (1118 bytes) to MYREALM
> >[47700] 1530630765.682967: Resolving hostname ipamasterhostname
> >[47700] 1530630765.683098: Initiating TCP connection to stream
> >ipamasterIP:88
> >[47700] 1530630765.683180: Sending TCP request to stream ipamasterIP:88
> >[47700] 1530630765.756232: Received answer from stream ipamasterIP:88
> >[47700] 1530630765.756302: Response was from master KDC
> >[47700] 1530630765.756321: Received error from KDC:
> >-1765328360/Preauthentication failed
> >[47700] 1530630765.756325: Decoding FAST response
> >[47700] 1530630765.756376: Preauth tryagain input types: 136, 19, 138,
> 133,
> >137
> >kpasswd: Preauthentication failed getting initial ticket
> And your password (what kpasswd uses as a password) is incorrect (to
> what KDC considers you have as a password).
>
> >
> >)
> >###
> >
> >I don't understand yet why the commande kpasswd is failing ?
> >
> >My ticket admin is good.
> >My ticket cache is used only by me.
> >
> >May you help me to understand what is going on please ?
> Try first to get this working interactively.
>
> >Is there a way to use ipa python library to perform a kpasswd instead of
> >popen of kpasswd command ?
> >
> >Best regards.
> >
> >Lune
>
> >_______________________________________________
> >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >To unsubscribe send an email to
> freeipa-users-leave(a)lists.fedorahosted.org
> >Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> >List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives:
>
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland