Hi,
I have read several pages on getting IPA and Cloudera Manager working together to make nice with Kerberos; however, I am having an issue following the various steps. When I run through the CM setup and put the primary account in, I run into the classic "Preauth required", and yet I can kinit the account with no issues, so I am wondering if there are any hints on debugging this? What is typically the cause of that kind of error?
Thanks, K
On Thu, 2017-06-01 at 14:24 -0500, Kat via FreeIPA-users wrote:
Kat, does something fail, or are you simply concerned with the error showing up in the kdc logs ?
This error is 'expected' in modern Kerberos implementations. The original krb5 protocol did not use pre-authentication, and that made it subject to offline dictionary attacks. So to "fix" this hole, pre-authentication mechanisms were introduced.
The requirement to pre-authenticate is communicated to the client in form of a "Preauth required" error. This is to preserve protocol compatibility with previous clients and allow a client to discover what kind of pre-authentication is allowed by the KDC (the allowed pre-auth types list is returned together with the error).
HTH, Simo.
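Simo's question, whether something actually fails or the error is merely visible in the KDC log, can be answered from the log itself: a modern MIT client shows up as a NEEDED_PREAUTH line followed by an ISSUE line for the same principal, while a client that cannot pre-authenticate leaves NEEDED_PREAUTH lines that are never followed by ISSUE. The triage script below is an added example, not code from this thread, FreeIPA or Cloudera. The log lines are constructed in the MIT krb5kdc.log format; the principal names, addresses and timestamps are invented.

```python
import re
from collections import defaultdict

# Constructed sample lines in MIT krb5kdc.log format (principals, IPs and times are invented).
SAMPLE_LOG = """\
Jun 02 10:10:01 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: NEEDED_PREAUTH: kat@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 02 10:10:01 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1496416201, etypes {rep=18 tkt=18 ses=18}, kat@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jun 02 10:12:30 ipa.example.com krb5kdc[1234](info): AS_REQ (1 etypes {23}) 192.0.2.50: NEEDED_PREAUTH: cloudera-scm/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 02 10:12:31 ipa.example.com krb5kdc[1234](info): AS_REQ (1 etypes {23}) 192.0.2.50: NEEDED_PREAUTH: cloudera-scm/admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Jun 02 10:13:05 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.60: PREAUTH_FAILED: hdfs/node1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

# One AS_REQ record: offered etypes, client address, KDC verdict, client and server principals.
LINE_RE = re.compile(
    r"AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[0-9a-fA-F.:]+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
)


def parse(log_text):
    """Return the AS_REQ events in the log, in order, as dicts of the named groups."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]


def triage(log_text):
    """Classify each (client principal, source IP) pair by its AS exchange pattern.

    Returns {(client, ip): (verdict, etypes_offered)} where verdict is one of:
      ok                     NEEDED_PREAUTH then ISSUE: the normal two-round-trip exchange
      client_never_preauthed NEEDED_PREAUTH only: the client got error 25 and never answered it
      preauth_failed         the client answered but with the wrong key (password, keytab, kvno)
      issued_without_preauth ISSUE with no NEEDED_PREAUTH: preauth requirement lifted on the principal
    """
    statuses = defaultdict(list)
    etypes = {}
    for ev in parse(log_text):
        key = (ev["client"], ev["ip"])
        statuses[key].append(ev["status"])
        etypes[key] = ev["etypes"]
    verdicts = {}
    for key, seen in statuses.items():
        if "PREAUTH_FAILED" in seen:
            verdict = "preauth_failed"
        elif "ISSUE" in seen and "NEEDED_PREAUTH" in seen:
            verdict = "ok"
        elif "ISSUE" in seen:
            verdict = "issued_without_preauth"
        elif "NEEDED_PREAUTH" in seen:
            verdict = "client_never_preauthed"
        else:
            verdict = "unknown"
        verdicts[key] = (verdict, etypes[key])
    return verdicts


if __name__ == "__main__":
    for (client, ip), (verdict, etypes) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{verdict:24} {client} from {ip} (offered etypes {etypes})")
```

Run it against /var/log/krb5kdc.log on the IPA master while reproducing the CM setup. Only `client_never_preauthed` matches the symptom in this thread; `preauth_failed` means the client did pre-authenticate but with the wrong key, which is a password, keytab or kvno problem rather than a pre-authentication one. The offered etypes are reported alongside because a client that offers only one legacy type is worth noticing before blaming pre-authentication.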
Hi Simo,
I understand the mechanics of the error, however, when you are trying to configure Cloudera Manager with IPA, the configuration/setup process fails with the error (and it shows in logs) and therefore, CM does not finish the configuration.
I was also just reading: https://community.cloudera.com/t5/Cloudera-Manager-Installation/Add-Support-...
Which has Dmitri discussing things with Cloudera. The problem seems to be that although CM has a script for custom principal retrievals, maybe what I am seeing here is that it is the ipa-client install that causes the problems? Or am I missing the boat completely?
-K
On 6/2/17 7:59 AM, Simo Sorce wrote:
On Fri, 2017-06-02 at 10:10 -0500, Kat wrote:
Hi Simo,
I understand the mechanics of the error, however, when you are trying to configure Cloudera Manager with IPA, the configuration/setup process fails with the error (and it shows in logs) and therefore, CM does not finish the configuration.
I am not familiar with Cloudera; if it depends on the kadmin interface, then it will not work, as in FreeIPA that interface is read-only.
If the only issue is using a keytab where they use some old kerberos component that does not handle preauthenticated encryption, then you can go into freeipa and lift the requirement to perform preauthentication for that specific principal.
ipa service-mod my/principal@REALM --requires-pre-auth=false
HTH, Simo.
I was also just reading: https://community.cloudera.com/t5/Cloudera-Manager-Installation/Add-Support-for-FreeIPA-to-CM/td-p/34582
Which has Dmitri discussing things with Cloudera. The problem seems to be that although CM has a script for custom principal retrievals, maybe what I am seeing here is that it is the ipa-client install that causes the problems? Or am I missing the boat completely?
-K
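The exchange Simo describes in his first reply (AS-REQ without pre-authentication, error 25 carrying the accepted PA types, retry with PA-ENC-TIMESTAMP) and what his `--requires-pre-auth=false` suggestion changes for a principal, as an added Python model. This is not FreeIPA or MIT code: the key derivation and the seal/unseal routines are deliberately simplified stand-ins for the real Kerberos string-to-key and encryption types, and the realm, principals, passwords and word list are invented. The error codes and PA-DATA type numbers are the ones from RFC 4120.

```python
import hashlib
import hmac
import os
import time

# Constants from RFC 4120.
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
KRB_AP_ERR_SKEW = 37
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO2 = 19


def string_to_key(password, salt):
    # Simplified stand-in for the Kerberos string-to-key function (not the real aes256-cts one).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)


def _stream(key, nonce, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    # Toy authenticated encryption: nonce || HMAC tag || XOR-stream ciphertext (stand-in for an etype).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + tag + ct


def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")  # the KDC logs this as PREAUTH_FAILED
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


class KDC:
    def __init__(self, realm):
        self.realm = realm
        self.db = {}

    def add_principal(self, name, password, requires_preauth=True):
        # requires_preauth=False models `ipa service-mod ... --requires-pre-auth=false`.
        salt = self.realm + name
        self.db[name] = {"key": string_to_key(password, salt), "salt": salt,
                         "requires_preauth": requires_preauth}

    def as_req(self, cname, padata=None):
        ent = self.db[cname]
        if ent["requires_preauth"]:
            if padata is None:
                # "Preauth required": error 25 plus e-data naming the accepted PA types and the salt.
                # This is the normal first round trip for a modern client, not a failure by itself.
                return {"error": KDC_ERR_PREAUTH_REQUIRED,
                        "e-data": [(PA_ETYPE_INFO2, {"salt": ent["salt"]}), (PA_ENC_TIMESTAMP, None)]}
            _patype, blob = padata
            try:
                ts = int.from_bytes(unseal(ent["key"], blob), "big")
            except ValueError:
                return {"error": KDC_ERR_PREAUTH_FAILED}
            if abs(ts - int(time.time())) > 300:
                return {"error": KRB_AP_ERR_SKEW}
        # AS-REP: the enc-part is sealed under the client's long-term key. Without the gate above
        # the KDC hands it to anyone who asks, which is what makes offline guessing possible.
        return {"enc-part": seal(ent["key"], b"session-key:" + os.urandom(32))}


def kinit(kdc, cname, password):
    """Modern client: try without preauth, then answer error 25 with PA-ENC-TIMESTAMP."""
    salt = kdc.realm + cname  # default salt; ETYPE-INFO2 from the KDC overrides it
    rep = kdc.as_req(cname)
    if rep.get("error") == KDC_ERR_PREAUTH_REQUIRED:
        salt = dict(rep["e-data"])[PA_ETYPE_INFO2]["salt"]
        ts = int(time.time()).to_bytes(8, "big")
        rep = kdc.as_req(cname, padata=(PA_ENC_TIMESTAMP, seal(string_to_key(password, salt), ts)))
    if "error" in rep:
        return {"ok": False, "error": rep["error"]}
    return {"ok": True, "session": unseal(string_to_key(password, salt), rep["enc-part"])}


def asrep_roast(kdc, cname, wordlist):
    """The cost of lifting the requirement: an unauthenticated AS-REP can be guessed offline."""
    rep = kdc.as_req(cname)  # no password, no padata: a client that cannot pre-authenticate
    if "error" in rep:
        return None  # preauth still required; the attacker gets nothing to guess against
    salt = kdc.realm + cname
    for guess in wordlist:
        try:
            unseal(string_to_key(guess, salt), rep["enc-part"])
            return guess
        except ValueError:
            pass
    return None
```

A component that only ever calls `kdc.as_req(cname)` with no padata is the situation in this thread: it gets error 25 every time and stops. Setting `requires_preauth=False` on that one principal makes the first request succeed, but `asrep_roast` shows why it should be a narrow exception on a service principal with a random keytab key rather than on a password-based account: the AS-REP can then be fetched and brute-forced by anyone who can reach the KDC, without ever knowing the key.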
On Fri, 02 Jun 2017, Simo Sorce via FreeIPA-users wrote:
I did already refer to this blog post the other week: https://mapredit.blogspot.fi/2016/10/freeipa-and-hadoop-distributions-hdp-cd...
freeipa-users@lists.fedorahosted.org