On Wed, Mar 17, 2021 at 9:27 AM Rob Crittenden <rcritten@redhat.com> wrote:
Robert Kudyba via FreeIPA-users wrote:
>
>
> On Tue, Mar 16, 2021 at 3:40 PM Rob Crittenden <rcritten@redhat.com> wrote:
>
>     >     It depends on what the expectations are for these user-owned
>     machines.
>     >
>     >
>     > Only expectation is to be able to log in to a server, get access to
>     > their home directory and be able to do their assignments, e.g., C++,
>     > Java or Python programming.
>     >  
>     >
>     >     If you don't need IPA identities and IPA users won't log into
>     them, then
>     >     they only need a working krb5.conf and DNS configured on them.
>     >
>     >
>     > So each device needs to drop in the krb5.conf file from the FreeIPA
>     > server? How does this work on a Windows client?
>
>     From the server? I wouldn't. It is likely going to need some hand-tuning
>     depending on your configuration. For example the server is going to have
>     a hardcoded KDC in it. You may or may not want that.
>
>
> So we have to customize the /etc/krb5.conf file that exists on the
> server for any student devices.

I mean, you don't want to use ipa-client-install which would do all of
this for you, and I understand the reasons, but it does mean some
additional work on your part.

I don't know your network so at most I can make general suggestions, not
provide you a full configuration.

Since it's a test server, DNS is not fully configured on the server to resolve properly, so I have now set the krb5.conf file to ignore DNS (see below).

 
In retrospect the default krb5.conf that ships on Fedora provides for
includes. I think this is probably your best bet: provide an IPA
configuration that resides there and it should co-exist pretty easily
with any other configuration.

I'm not completely sure about the order of loading and which
configuration "wins" when there is conflict. The man page is the place
to look.

And kcm_default_ccache has instructions on how to enable/run sssd-kcm so
that this should work out-of-the-box. That is probably better than
having students comment it out, unless you can control the order of what
"wins" when there is conflicting configuration.

Thanks, I'll also look into this.

>     >     So your students would log into their own controlled machine
>     >     using their own local account, kinit student123@univ.edu and
>     >     ssh using their credentials.
>     >
>     >     The krb5.conf will tell the student machine how to contact the
>     KDC.
>     >     That's all that is necessary (beyond working DNS).
>     >
>     >
>     > I just tried this on another Fedora 33 workstation, dropped in the
>     > /etc/krb5.conf file and all I get is:
>     > kinit: No KCM server found while getting default ccache
>
>     You can comment the values out in /etc/krb5.conf.d/kcm_default_ccache to
>     change the default ccache type, or comment out the includes in krb5.conf
>     (probably easier).
>
>
> OK now I can get any Fedora client to kinit and then ssh.

See about for perhaps a less hacky approach than I originally suggested.

What "about" are you referring to?
 
>     > I'm puzzled as to what we'd need to tell/provide to a student, who is
>     > enrolled remotely and can't come on campus, to be able to connect
>     to our
>     > server via their Windows or Mac laptop. 
>
>     I don't know about Windows. I used the Windows MIT Kerberos packages a
>     decade or more ago and they worked fine with PuTTY (and IPA with
>     discovery) but whether that applies now or not I have no idea.
>
>     Mac I think should work similar to Linux: provide a krb5.conf and things
>     should just work. Again, you'll likely have to tweak the configuration
>     depending on what version of MIT Mac ships these days.
>
>
> kinit --version
>
> kinit (Heimdal 1.5.1apple1)
>
>  
> So my first test with the server krb5.conf file copied into /etc:
>
> kinit: krb5_get_init_creds: unable to reach any KDC in realm
> OURDOMAIN.EDU, tried 0 KDCs
>
>
> So the first suggestion <https://apple.stackexchange.com/a/273064> I
> found was to preface kdc = tcp
>
> Then I made sure the firewall on the Mac was disabled. I also added the
> test IPA server & IP into /etc/hosts. I can ping it successfully.
>
> What else needs to change?

It's difficult to troubleshoot in a void. I don't know your network
configuration nor what krb5.conf you're using. It sure looks like
discovery of the KDC over DNS failed.

I configured the following in krb5.conf and now at least get prompted for a password and kinit works!:

[libdefaults]
dns_lookup_kdc   = no
dns_lookup_realm = no

klist
Ticket cache: API:krb5cc
Default principal: ouruser@OURDOMAIN.EDU

Valid starting     Expires            Service principal
03/18/21 15:17:43  03/19/21 15:17:39  krbtgt/OURDOMAIN.EDU@OURDOMAIN.EDU

However ssh -k on both a Mac and a Windows PC does NOT automatically log me in, and only the NIS password works. From ssh -vv all I see is:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1  

And from the ssh logs:
Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
Mar 18 15:52:48 ourserver sshd[634486]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
Mar 18 15:52:48 ourserver sshd[634486]: debug1: temporarily_use_uid: 99/99 (e=0/0)
Mar 18 15:52:48 ourserver sshd[634486]: debug1: restore_uid: 0/0
Mar 18 15:52:48 ourserver sshd[634486]: Failed publickey for ouruser from x.x.x.x port 51827 ssh2: ED25519 SHA256:BH1fuycgWofiOBV9lPK4XB2vYK3frN2FKv208PnmENI
Mar 18 15:52:48 ourserver sshd[634486]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: attempt 3 failures 2 [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: keyboard-interactive devs  [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: auth2_challenge: user=ouruser devs= [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: kbdint_alloc: devices 'pam' [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: Postponed keyboard-interactive for ouruser from x.x.x.x port 51827 ssh2 [preauth]
Mar 18 15:52:58 ourserver sshd[634508]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x  user=ouruser
Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=ouruser
Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
Mar 18 15:53:00 ourserver sshd[634486]: error: PAM: Authentication failure for ouruser from x.x.x.x
Mar 18 15:53:00 ourserver sshd[634486]: Failed keyboard-interactive/pam for ouruser from x.x.x.x port 51827 ssh2
Mar 18 15:53:00 ourserver sshd[634486]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]

So is there some other configuration that needs to be set to pass on/through from kinit/ticket to ssh, on Windows and Mac? Perhaps something in krb5.conf?
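An added example, not part of the thread and not FreeIPA or OpenSSH code: a small Python script that reads the two log excerpts above (abridged, constructed copies are embedded; the key fingerprint is replaced by a placeholder) and reports, per sshd session, which authentication methods the server advertised and which the client actually requested. The regexes assume the stock OpenSSH `debug1:` and `Failed ... for ...` line formats shown in the thread.

```python
"""Classify why a Kerberos (GSSAPI) SSH login did not happen, from log lines.

Added example for this thread; not the project's code. Inputs are the sshd
debug log and the client's `ssh -vv` output, as quoted in the thread.
"""
import re
from collections import defaultdict

# syslog-style sshd line: "Mar 18 15:52:48 host sshd[pid]: [debug1: ]message"
SSHD_LINE = re.compile(
    r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?:debug\d: )?(?P<msg>.*)$"
)
# A userauth request is the client asking for a method; "Failed X for" is the server rejecting it.
USERAUTH_REQ = re.compile(r"userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)")
FAILED = re.compile(r"^Failed (?P<method>[\w/-]+) for (?P<user>\S+) from (?P<host>\S+)")
# Client-side (`ssh -vv`) line listing the methods the server still accepts.
CLIENT_CAN_CONTINUE = re.compile(r"Authentications that can continue: (?P<methods>\S+)")

# Constructed sample: abridged from the sshd log quoted in the thread.
SSHD_LOG = """\
Mar 18 15:52:48 ourserver sshd[634486]: Failed publickey for ouruser from x.x.x.x port 51827 ssh2: ED25519 SHA256:PLACEHOLDERFINGERPRINT
Mar 18 15:52:48 ourserver sshd[634486]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
Mar 18 15:52:48 ourserver sshd[634486]: Postponed keyboard-interactive for ouruser from x.x.x.x port 51827 ssh2 [preauth]
Mar 18 15:52:58 ourserver sshd[634508]: pam_sss(sshd:auth): received for user ouruser: 9 (Authentication service cannot retrieve authentication info)
Mar 18 15:53:00 ourserver sshd[634486]: Failed keyboard-interactive/pam for ouruser from x.x.x.x port 51827 ssh2
Mar 18 15:53:00 ourserver sshd[634486]: debug1: userauth-request for user ouruser service ssh-connection method keyboard-interactive [preauth]
"""

# Constructed sample: abridged from the `ssh -vv` output quoted in the thread.
CLIENT_LOG = """\
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
"""


def parse_sshd(text):
    """Group sshd auth events by process id (one pid per connection).

    Returns {pid: {"user": str, "requested": [methods the client asked for],
                   "failed": [methods the server rejected]}}; pids with no
    auth events (e.g. the PAM helper child) are omitted.
    """
    sessions = defaultdict(lambda: {"user": None, "requested": [], "failed": []})
    for line in text.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        req = USERAUTH_REQ.search(msg)
        fail = FAILED.match(msg)
        if not (req or fail):
            continue
        sess = sessions[m.group("pid")]
        if req:
            sess["user"] = req.group("user")
            sess["requested"].append(req.group("method"))
        else:
            sess["user"] = fail.group("user")
            sess["failed"].append(fail.group("method"))
    return dict(sessions)


def parse_offered(text):
    """Return the set of methods the server advertised, from `ssh -vv` output."""
    offered = set()
    for line in text.splitlines():
        m = CLIENT_CAN_CONTINUE.search(line)
        if m:
            offered.update(m.group("methods").split(","))
    return offered


def gssapi_status(offered, session):
    """Classify one session's Kerberos outcome:
    'not-offered'  server never advertised gssapi-* (sshd_config / keytab side)
    'not-tried'    server offered it but the client never requested it (client side)
    'rejected'     client requested it and the server failed it (ticket / host principal)
    'ok'           requested and not rejected
    """
    if not any(m.startswith("gssapi") for m in offered):
        return "not-offered"
    if not any(m.startswith("gssapi") for m in session["requested"] + session["failed"]):
        return "not-tried"
    if any(m.startswith("gssapi") for m in session["failed"]):
        return "rejected"
    return "ok"


if __name__ == "__main__":
    offered = parse_offered(CLIENT_LOG)
    for pid, sess in parse_sshd(SSHD_LOG).items():
        print(pid, sess["user"], "requested:", sess["requested"],
              "failed:", sess["failed"], "->", gssapi_status(offered, sess))
```

Run against the thread's excerpts this reports `not-tried` for session 634486: the server lists gssapi-keyex and gssapi-with-mic among the methods that can continue, but the client only ever sends publickey and keyboard-interactive requests, so the server-side Kerberos path (and the ticket from kinit) is never exercised. In OpenSSH that decision is made on the client by `GSSAPIAuthentication yes` (in ssh_config or via `-o`); `ssh -k` only disables credential delegation and does not enable GSSAPI. For the `rejected` case the usual server-side checks are `GSSAPIAuthentication yes` in sshd_config and a `host/<server fqdn>@REALM` key in the server's keytab, with the client resolving the server by that same name.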