Red Hat Bugzilla – Bug 1251586
KDC sends multiple requests to ipa-otpd for the same authentication
Last modified: 2015-11-19 00:14:19 EST
The patch at the following link fixes the issue and has been submitted upstream. https://github.com/krb5/krb5/pull/308
Pls add steps to verify
1. Clean install of IPA.
2. Log in as admin: kinit admin
3. Add a radius server record (ipa radiusproxy-add --server=localhost.localdomain --retries=0 foo).
4. DO NOT set up an actual radius server. We want the requests to time out.
5. Add a user: ipa user-add foo.
6. Set the user's password: ipa passwd foo
7. Configure user for radius: ipa user-mod foo --radius=foo --user-auth-type=radius
8. In another window, run: journalctl --follow
9. Authenticate as user foo. In the journalctl window, you should see only one request processed by ipa-otpd rather than four.
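Step 9 asks the verifier to count ipa-otpd requests in the journal by eye. The following is an added example, not part of the bug report, that does the same check programmatically: it parses ipa-otpd journal lines, groups "request received" events per principal into one authentication attempt (a 60-second window, an assumption), and flags the pre-fix behaviour where the KDC's UDP-style retries produce several requests for a single login. The "fixed" sample is shortened from the verification comment on this page; the "broken" sample is constructed.

```python
import re
from datetime import datetime

# Shortened ipa-otpd lines from the verification comment on this bug (one request).
JOURNAL_FIXED = """\
Sep 04 15:11:36 host ipa-otpd[7259]: foo@TESTRELM.TEST: request received
Sep 04 15:11:36 host ipa-otpd[7259]: foo@TESTRELM.TEST: forward start: foo / localhost.localdomain
Sep 04 15:11:51 host ipa-otpd[7259]: foo@TESTRELM.TEST: forward end: Connection timed out
Sep 04 15:11:51 host ipa-otpd[7259]: foo@TESTRELM.TEST: response sent: Access-Reject
"""

# Constructed sample of the pre-fix behaviour: the KDC retries the same
# authentication, so ipa-otpd sees four requests for one login attempt.
JOURNAL_BROKEN = """\
Sep 04 15:11:36 host ipa-otpd[7259]: foo@TESTRELM.TEST: request received
Sep 04 15:11:37 host ipa-otpd[7259]: foo@TESTRELM.TEST: request received
Sep 04 15:11:38 host ipa-otpd[7259]: foo@TESTRELM.TEST: request received
Sep 04 15:11:39 host ipa-otpd[7259]: foo@TESTRELM.TEST: request received
"""

# Journal line layout: "<Mon DD HH:MM:SS> <host> ipa-otpd[<pid>]: <principal>: <event>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ ipa-otpd\[\d+\]: "
    r"(?P<princ>\S+): (?P<event>.*)$"
)


def parse_otpd_events(journal):
    """Yield (timestamp, principal, event) for every ipa-otpd line; skip the rest."""
    for line in journal.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["princ"], m["event"]


def requests_per_authentication(journal, window_seconds=60):
    """Count 'request received' events per principal, treating events within
    window_seconds of the first one as the same authentication attempt.
    Returns {principal: [requests_in_attempt_1, requests_in_attempt_2, ...]}."""
    attempts = {}
    for ts, princ, event in parse_otpd_events(journal):
        if event != "request received":
            continue
        groups = attempts.setdefault(princ, [])
        if groups and (ts - groups[-1][0]).total_seconds() <= window_seconds:
            groups[-1][1] += 1          # same attempt: the KDC sent it again
        else:
            groups.append([ts, 1])      # a new attempt starts here
    return {p: [n for _, n in g] for p, g in attempts.items()}


def kdc_retry_detected(journal, window_seconds=60):
    """True if any single authentication produced more than one ipa-otpd request."""
    counts = requests_per_authentication(journal, window_seconds)
    return any(n > 1 for per_attempt in counts.values() for n in per_attempt)
```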
Taking bug myself and switching to "assigned" ...
(In reply to Nathaniel McCallum from comment #0)
> The patch at the following link fixes the issue and has been submitted
> upstream.
>
> https://github.com/krb5/krb5/pull/308

Sigh... ... npmccallum: Do you know any other places in krb5 territory which do a similar kind of retry for UDP which should not be used for reliable transports like TCP?
(In reply to Nathaniel McCallum from comment #0)
> The patch at the following link fixes the issue and has been submitted
> upstream.
>
> https://github.com/krb5/krb5/pull/308

Patch OK, r=rmainz@redhat.com for https://github.com/krb5/krb5/commit/25e0656fdf9862faf9aa91288023776e9a47caad
No. This arose precisely because of the radius code as part of the OTP project.
Patch checked-in (krb5-1.13.2-5.el7) ... ... marking bug as MODIFIED.
Verified based on Comment 3:

[root@ibm-x3650m4-01-vm-03 ~]# rpm -q krb5-server ipa-server
krb5-server-1.12.2-15.el7_1.x86_64
ipa-server-4.1.0-18.el7_1.4.x86_64

[root@ibm-x3650m4-01-vm-03 ~]# ipa radiusproxy-add --server=localhost.localdomain --retries=0 foo
Secret:
Enter Secret again to verify:
-------------------------------
Added RADIUS proxy server "foo"
-------------------------------
  RADIUS proxy server name: foo
  Server: localhost.localdomain
  Secret: MQ==
  Retries: 0

[root@ibm-x3650m4-01-vm-03 ~]# ipa user-add foo
First name: foo
Last name: foo
----------------
Added user "foo"
----------------
  User login: foo
  First name: foo
  Last name: foo
  Full name: foo foo
  Display name: foo foo
  Initials: ff
  Home directory: /home/foo
  GECOS: foo foo
  Login shell: /bin/sh
  Kerberos principal: foo@TESTRELM.TEST
  Email address: foo@testrelm.test
  UID: 1143400001
  GID: 1143400001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@ibm-x3650m4-01-vm-03 ~]# ipa passwd foo
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "foo@TESTRELM.TEST"
----------------------------------------

[root@ibm-x3650m4-01-vm-03 ~]# ipa user-mod foo --radius=foo --user-auth-type=radius
-------------------
Modified user "foo"
-------------------
  User login: foo
  First name: foo
  Last name: foo
  Home directory: /home/foo
  Login shell: /bin/sh
  Email address: foo@testrelm.test
  UID: 1143400001
  GID: 1143400001
  Account disabled: False
  User authentication types: radius
  RADIUS proxy configuration: foo
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@ibm-x3650m4-01-vm-03 ~]# journalctl --follow
. . .
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_unix(su:auth): authentication failure; logname=root uid=1143400005 euid=0 tty=...ser=foo
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: request received
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: user query start
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: user query end: uid=foo,cn=users,cn=accounts,dc=testrelm,dc=test
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: radius query start: cn=foo,cn=radiusproxy,dc=testrelm,dc=test
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: radius query end: localhost.localdomain
Sep 04 15:11:36 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: forward start: foo / localhost.localdomain
Sep 04 15:11:37 ibm-x3650m4-01-vm-03.testrelm.test NetworkManager[442]: <error> [1441393897.402594] [devices/nm-device.c:2303] activation_source...eduled
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test [sssd[krb5_child[7272]]][7272]: Preauthentication failed
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test [sssd[krb5_child[7272]]][7272]: Preauthentication failed
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_sss(su:auth): authentication failure; logname=root uid=1143400005 euid=0 tty=p...ser=foo
Sep 04 15:11:41 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: pam_sss(su:auth): received for user foo: 17 (Failure setting user credentials)
Sep 04 15:11:43 ibm-x3650m4-01-vm-03.testrelm.test su[7271]: FAILED SU (to foo) root on pts/0
Sep 04 15:11:51 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: forward end: Connection timed out
Sep 04 15:11:51 ibm-x3650m4-01-vm-03.testrelm.test ipa-otpd[7259]: foo@TESTRELM.TEST: response sent: Access-Reject
Sep 04 15:12:03 ibm-x3650m4-01-vm-03.testrelm.test NetworkManager[442]: <error> [1441393923.451953] [devices/nm-device.c:2303] activation_source...eduled
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2154.html