Bug 1510734

Summary: Unable to kinit with IPA user(if 2FA is enabled in IPA)
Product: Red Hat Enterprise Linux 9 Reporter: Akshay Sakure <asakure>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: NEW --- QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: high    
Version: unspecifiedCC: abokovoy, frenaud, ipa-maint, pasik, pvoborni, rcritten, striker, tscherf, vmishra, vvanhaft
Target Milestone: betaKeywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Akshay Sakure 2017-11-08 06:29:01 UTC 
Description of problem:
If 2FA(password + otp) is enabled for IPA user it cannot perform kinit.
kinit fails with:
---
$ kinit testuser
kinit: Preauthentication failed while getting initial credentials
---

Version-Release number of selected component (if applicable):
Latest version of IPA and sssd

How reproducible:
Always

Steps to Reproduce:
1. As admin, create a new user with password.
2. Enable OTP authentication for this user.
3. Create an either TOTP or HOTP token for this user.
4. Run kinit as this user.

Actual results:
---
$ kinit testuser
kinit: Generic preauthentication failure while getting initial credentials
---

Expected results:
kinit should work for 2FA(password + otp) enabled IPA user

Additional info:
This is clone of upstream ticket https://pagure.io/freeipa/issue/4411
Comment 2 Akshay Sakure 2017-11-08 06:30:24 UTC 
Workaround is available as per: http://www.freeipa.org/page/V4/OTP#kinit_Method
Comment 3 Petr Vobornik 2017-11-09 15:03:51 UTC 
kinit, to use 2 factor authentication, requires a so called FAST channel. This channel can be obtained by kiniting as different principal. E.g. admin as showed in "workaround" in comment 2. 

Alternative is to use SSSD which has access to host keytab and can thus establish the FAST channel automatically for the user - e.g. during authentication to the host.

But for users who have access to only their Kerberos credential and no keytab and need to use kinit directly there is one alternative: anonymous PKINIT.

IdM on RHEL 7.4 introduced support for anonymous PKINIT.

Design page: https://www.freeipa.org/page/V4/Kerberos_PKINIT
How to use: https://www.freeipa.org/page/V4/Kerberos_PKINIT#How_to_Use

To paste it here:
   kinit -n
   klist
   ARMOR_CCACHE=$(klist|grep cache:|cut -d' ' -f3-)
   kinit -T $ARMOR_CCACHE principal@REALM 

(so it can be scripted)

This will only work if IPA server has pkinit enabled. That can be checked with command:
   ipa-pkinit-manage status
Comment 4 Petr Vobornik 2017-11-13 16:36:50 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/4411