Mariusz,
I do not want to hijack your thread, so I am starting another.
I would be very interested to know your FreeIPA/RADIUS configuration.

______________________________________________________________________________________________

Daniel E. White
[email protected]
NASCOM Linux Engineer
NASA Goddard Space Flight Center
Science Applications International Corporation (SAIC)
Office: (301) 286-6919
Mobile: (240) 513-5290

From: FreeIPA-Users <[email protected]>
Reply-To: FreeIPA-Users <[email protected]>
Date: Friday, February 19, 2021 at 08:51
To: FreeIPA-Users <[email protected]>
Cc: Mariusz Stysiak <[email protected]>
Subject: [EXTERNAL] [Freeipa-users] MFA for AD users

Hello List,

I'd really appreciate some insight here.
I've set up a FreeIPA POC (CentOS 7, FreeIPA 4.7, two FreeIPA servers as
multimaster along with some clients). Added OTPs for several users and made it
work with RADIUS for VPN access authentication purposes. Next, I've added an AD
trust and I am able to log in as an AD user. All groovy. Now I'd like to enforce
MFA for AD users by adding OTP tokens for them. Is it possible at all? Since an AD
user authenticates against AD, shouldn't it be AD who provides MFA?

FreeIPA behaves strangely when it comes to AD users (mapped via external group
and POSIX group): AD user 'ipatest' is visible with the 'id' command (and has its
own UID, GID and so on) but cannot be found via the 'ipa user-find' command, even
with the specific UID provided:

admin@ipa-poc-1 ~ $ id [email protected]
uid=748801177([email protected]) gid=748801177([email protected]) groups=748801177([email protected]),748800513(domain [email protected]),748801180([email protected]),793600008(ad_users)

admin@ipa-poc-1 ~ $ ipa user-find ipatest
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
admin@ipa-poc-1 ~ $ ipa user-find [email protected]
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
admin@ipa-poc-1 ~ $ ipa user-find ipatest@TRUSTEDOMAIN-LAB
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

admin@ipa-poc-1 ~ $ ipa user-find uid=748801177
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

I reckon it is due to the one-way trust with the AD domain, but I'm not sure here. Since
the 'ipa otptoken-add' command requires an 'owner' parameter (type string, and it doesn't
work with a UID) I cannot add an OTP token for this user.

Another approach I've tried (since the ipa otptoken-add command by default uses the
current user as owner) was to log on as the AD user and create an OTP token 'for
myself', but it didn't work either:

[email protected]@ipa-poc-1 ~ $ kinit [email protected]
    Password for [email protected]:

[email protected]@ipa-poc-1 ~ $ ipa otptoken-add --type='TOTP'
    ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa-poc-1.lab/ipa/json, https://ipa-poc-2.lab/ipa/json

So, to make it short:

Is it possible to add an OTP token to an external AD user?
How do I do it?
rgrds

M.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
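An added example, not part of either message in this thread: a small Python script that reads the 'id' output quoted above and shows, from two independent signals, why 'ipa user-find' returns nothing for the AD user. IPA's own users and groups are entries in its LDAP tree and draw their IDs from the local range (793600008 for 'ad_users' here); identities from an AD trust are resolved by SSSD, printed fully qualified, and get their UID/GID algorithmically from the trust's ID range (id = range base + RID), so there is no IPA entry for 'ipa user-find' to match or for 'ipa otptoken-add --owner' to point at. The range base 748800000 and size 200000 are assumptions standing in for what 'ipa idrange-find' reports on a real server (the base is inferred from 748800513 and the well-known Domain Users RID 513), and the domain suffix 'trustedomain.lab' is assumed because the archive redacted the names. The script also flags an entry whose name and ID disagree, which is what an ID override or a misconfigured range looks like.

```python
import re

# Constructed from the `id` output quoted in the post. The archive redacted the
# e-mail-like names, so the "@trustedomain.lab" suffix is an assumption; the
# numeric IDs are the ones the post shows.
AD_DOMAIN = "trustedomain.lab"
ID_LINE = (
    "uid=748801177(ipatest@trustedomain.lab) "
    "gid=748801177(ipatest@trustedomain.lab) "
    "groups=748801177(ipatest@trustedomain.lab),"
    "748800513(domain users@trustedomain.lab),"
    "748801180(ipausers@trustedomain.lab),"
    "793600008(ad_users)"
)

# Assumed trust ID range, standing in for what `ipa idrange-find` reports for
# the AD trust. The base is inferred from 748800513 minus the well-known
# "Domain Users" RID 513; the size is a plain assumption.
TRUST_RANGE = {"base_id": 748800000, "range_size": 200000, "base_rid": 0}

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(line):
    """Return (posix_id, name) pairs in the order `id` printed them."""
    return [(int(num), name) for num, name in _ENTRY.findall(line)]


def classify(posix_id, name, trust_range=TRUST_RANGE, ad_domain=AD_DOMAIN):
    """Decide where an identity comes from using two independent signals.

    - the POSIX ID falls inside the trust's ID range, so it was derived
      from the AD SID (id = base_id + rid - base_rid) and has no entry in
      IPA's own LDAP tree;
    - SSSD prints trusted users fully qualified, so the name carries the
      AD domain suffix.
    When the two disagree the entry is reported as inconsistent (an ID
    override or a wrong range) rather than guessed either way.
    """
    base = trust_range["base_id"]
    in_range = base <= posix_id < base + trust_range["range_size"]
    qualified = name.lower().endswith("@" + ad_domain.lower())
    if in_range and qualified:
        return {"name": name, "id": posix_id, "source": "ad-trust",
                "rid": posix_id - base + trust_range["base_rid"]}
    if not in_range and not qualified:
        return {"name": name, "id": posix_id, "source": "ipa", "rid": None}
    return {"name": name, "id": posix_id, "source": "inconsistent", "rid": None}


def report(line):
    """Map each distinct name in an `id` line to its classification."""
    result = {}
    for posix_id, name in parse_id_output(line):
        result.setdefault(name, classify(posix_id, name))
    return result


def primary_user(line):
    """Classification of the uid= entry, i.e. the user `id` was asked about."""
    match = re.search(r"uid=(\d+)\(([^)]*)\)", line)
    if not match:
        raise ValueError("no uid= field in id output")
    return classify(int(match.group(1)), match.group(2))


def otp_token_eligible(line):
    """An OTP token can only be attached to an IPA user entry; a user
    resolved through the AD trust has no such entry and cannot own one."""
    return primary_user(line)["source"] == "ipa"


if __name__ == "__main__":
    for entry in report(ID_LINE).values():
        rid = f"rid={entry['rid']}" if entry["rid"] is not None else ""
        print(f"{entry['id']:>10} {entry['source']:<12} {rid:<9} {entry['name']}")
    print("otp token possible for uid= user:", otp_token_eligible(ID_LINE))
```

Run against the quoted line, every identity except 'ad_users' lands in the trust range with a RID that matches what AD would show (1177 for the user, 513 for Domain Users), and the uid= user is reported as not eligible for a token; feed it the 'id' output of a native IPA user and the same function answers True. On a real server the values to put in TRUST_RANGE come from 'ipa idrange-find' and the membership of the view from 'ipa idoverrideuser-find "Default Trust View"'.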
