On ke, 18 tammi 2023, John Smith via FreeIPA-users wrote:
Morning All,

I'm trying to do almost the same as was demoed here:
https://www.youtube.com/watch?v=NorXJN3tw3Q&themeRefresh=1 [Break ice
or don't login twice: FreeIPA and OAuth 2.0]. In particular I'm trying
to let Linux users (ssh) authorize with OAuth 2.0 against Azure AD. I already
registered a new app in Azure AD (so I have a new Client ID), then I added
a new idp as described here:
https://freeipa.readthedocs.io/en/latest/designs/external-idp/idp-api.html#microsoft-idps
and
https://freeipa.readthedocs.io/en/latest/workshop/12-external-idp-support.html#add-idp-reference-to-ipa.
I created a new user and attached him to the AD idp.


Sadly I have some issues making the whole thing work.

I run this on a clean Fedora 37 OS:

---
[root@ipa2 log]# cat /etc/fedora-release
Fedora release 37 (Thirty Seven)
---

I installed freeipa-server version 4.10.1:

---
[root@ipa2 log]# ipa --version
VERSION: 4.10.1, API_VERSION: 2.251
---

and all components seem to be working:

---
[root@ipa2 log]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
---

However when I'm trying to do:

---
[root@ipa2 ~]# kinit -T ./fast.ccache testuser2
Authenticate with PIN RJ4TEQ3KW at https://microsoft.com/devicelogin and press 
ENTER.:
kinit: Preauthentication failed while getting initial credentials
---

of course the link provided in the command line is valid and I can proceed
with the authorization with no issues and get SUCCESS at the end,
however for FreeIPA the response is always the same:

[kinit: Preauthentication failed while getting initial credentials.]

I already noticed that the error occurs almost immediately after
running [ kinit -T ./fast.ccache testuser2 ], so FreeIPA is not even
waiting for me to log on at the https://microsoft.com/devicelogin website:

I see in journalctl such a flow:

---
[root@ipa2 log]# journalctl --follow /usr/libexec/ipa/ipa-otpd
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): 
idp query end: ad
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): 
oauth2 start: Get device code
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): Received: 
[{"device_code":"EAQABAAEAAAD--DLA3VO7QrddgJg7Wevr7iawpzAIiCTXDx5OKQCTvg3u_0IfN7car7U1-ErltsJ_HqupRB-wsm-ls_tCZYc3Z98zG-jVx_xXmZ7oIg5LkxswyAJocRVtTygHdN9sDrHb9lhfGYSZPizy0hEMKGHfhgPaiDtnW3muH-izoWktC_PXqqgJC08d2apcLI8RK6YgAA","expires_in":900,"interval":5}
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: oauth2 {"verification_uri": 
"https://microsoft.com/devicelogin", "user_code": "EWVEHBCR6"}
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: ]
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): 
sent: 0 data: 371
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): 
..sent: 371 data: 371
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY DOMAIN HERE): 
response sent: Access-Challenge
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]:   oauth2.c:088: Child 
finished with status [0].
Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: Socket closed, shutting 
down...
---

[Jan 18 14:45:49 ipa2.tribecloud.io ipa-otpd[2596]: testuser1@(MY
DOMAIN HERE): response sent: Access-Challenge] - I have the impression
that the request ends almost in the same second it starts.

In the messages log:

---
Jan 18 15:13:42 ipa2 systemd[1]: /usr/lib/systemd/system/[email protected]:10: 
Standard output type syslog is obsolete, automatically updating to journal. 
Please update your unit file, and consider removing the setting altogether.
Jan 18 15:13:42 ipa2 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 
subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@19-1182-0 comm="systemd" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 18 15:13:42 ipa2 systemd[1]: Started [email protected] - ipa-otpd 
service (PID 1182/UID 0).
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: LDAP: ldapi://%2Frun%2Fslapd-(MY DOMAIN 
HERE).socket
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): request 
received
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): user query 
start
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): user query 
end: uid=testuser1,cn=users,cn=accounts,dc=tribecloud,dc=io
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): idp query 
start: cn=ad,cn=idp,dc=tribecloud,dc=io
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): idp query end: 
ad
Jan 18 15:13:42 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): oauth2 start: 
Get device code
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): Received: 
[{"device_code":"FAQABAAEAAAD--DLA3VO7QrddgJg7Wevr9pXKAjhGk35vFXJUS2CnmQ0ASimeHG_O_I9Ws_CW4GVxOBdb_80yKD2giSQ4SE9PzYEEuCYhzsq70plMMb8XQzgVbYUhe-Mfa85Zb96X8eUAD1PLRh6zO_2i5EMA_hsFXyhC-QDO_uOA64QsoHOFHP5C-FQTbaAYegdUiRlMWj4gAA","expires_in":900,"interval":5}
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: oauth2 {"verification_uri": 
"https://microsoft.com/devicelogin", "user_code": "FW5GFFLMH"}
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: ]
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): sent: 0 data: 
371
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): ..sent: 371 
data: 371
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: testuser1@(MY DOMAIN HERE): response sent: 
Access-Challenge
Jan 18 15:13:43 ipa2 ipa-otpd[2840]:  oauth2.c:088: Child finished with status 
[0].
Jan 18 15:13:43 ipa2 ipa-otpd[2840]: Socket closed, shutting down...
Jan 18 15:13:43 ipa2 systemd[1]: [email protected]: Deactivated 
successfully.
Jan 18 15:13:43 ipa2 audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 
subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@19-1182-0 comm="systemd" 
exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
---

User configuration:

---
[root@ipa2 log]# ipa user-show testuser2
 User login: testuser2
 First name: Test
 Last name: User2
 Home directory: /home/testuser2
 Login shell: /bin/bash
 Principal name: testuser2@(MY DOMAIN HERE)
 Principal alias: testuser2@(MY DOMAIN HERE)
 Email address: testuser2@(MY DOMAIN HERE)
 UID: 608800004
 GID: 608800004
 User authentication types: idp
 External IdP configuration: ad
 External IdP user identifier: john@(MY DOMAIN HERE)
 Account disabled: False
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False
---

idp config:

---
[root@ipa2 log]# ipa idp-show ad
 Identity Provider server name: ad
 Authorization URI: https://login.microsoftonline.com/(My tenant ID 
HERE)/oauth2/v2.0/authorize
 Device authorization URI: https://login.microsoftonline.com/(My tenant ID 
HERE)/oauth2/v2.0/devicecode
 Token URI: https://login.microsoftonline.com/(My tenant ID 
HERE)/oauth2/v2.0/token
 User info URI: https://graph.microsoft.com/oidc/userinfo
 JWKS URI: https://login.microsoftonline.com/common/discovery/v2.0/keys
 Client identifier: (MY client ID Here)
 Scope: openid email
 External IdP user identifier attribute: email
---

I couldn't figure out what is going on; do you have any ideas or advice on
how I can solve that and let me use OAuth with Azure AD?


It should work but we have one bug in released SSSD versions: it does
not support confidential clients yet. If your OAuth2 client definition in
Azure AD has a secret defined, it will not work. You need to define a
public OAuth2 client.

This is fixed in SSSD already: https://github.com/SSSD/sssd/pull/6311
but I am not sure whether this was released to Fedora 37 (judging by
2.8.2 tag in sssd git repo, it should...).

Sumit, any ideas?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
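To make the two legs of the exchange visible in the ipa-otpd logs above concrete (get a device code, then poll the token endpoint until the user has finished at the verification URI), and to show the public-versus-confidential client distinction from Alexander's reply, here is an added example that is not from this thread and not FreeIPA, SSSD or Azure AD code. It is an in-memory mock identity provider written to the shape of RFC 8628 (device authorization grant); the class and function names (`MockIdP`, `device_login`), the client ids `public-app` and `confidential-app`, the verification URI and every code or token value are constructed for the example. The mock rejects a token request from a confidential client that does not present its secret, which is the situation the reply describes for a client that never sends one.

```python
"""Simulated OAuth 2.0 device authorization grant (RFC 8628) with a mock IdP.

Added example; not FreeIPA, SSSD or Azure AD code. Client registrations,
codes, tokens and the verification URI are all constructed here.
"""
import secrets
import time

AUTH_PENDING = "authorization_pending"


class MockIdP:
    """Toy identity provider exposing a device endpoint and a token endpoint."""

    def __init__(self, clients):
        # clients: client_id -> client_secret; None marks a public client
        self.clients = clients
        # device_code -> {"user_code", "client_id", "approved", "expires"}
        self.devices = {}

    def device_authorization(self, client_id, scope):
        """Leg 1: hand out device_code/user_code (what the 'Received:' log shows)."""
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self.devices[device_code] = {
            "user_code": user_code, "client_id": client_id,
            "approved": False, "expires": time.time() + 900,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",  # constructed
                "expires_in": 900, "interval": 5}

    def user_approves(self, user_code):
        """Stands in for the user finishing the browser step at the verification URI."""
        for entry in self.devices.values():
            if entry["user_code"] == user_code:
                entry["approved"] = True
                return True
        return False

    def token(self, client_id, device_code, client_secret=None):
        """Leg 2: the client polls here with the device_code."""
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        expected_secret = self.clients[client_id]
        if expected_secret is not None and client_secret != expected_secret:
            # A confidential client must authenticate at the token endpoint;
            # a client that never sends its secret is refused here.
            return {"error": "invalid_client"}
        entry = self.devices.get(device_code)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if time.time() > entry["expires"]:
            return {"error": "expired_token"}
        if not entry["approved"]:
            return {"error": AUTH_PENDING}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def device_login(idp, client_id, approve, max_polls=10):
    """Run the grant as a client that never sends a secret (public-client behaviour).

    `approve` is called with the user_code after the first pending poll and
    plays the user's part at the verification URI. Returns "ok" on success,
    otherwise the error string the IdP answered with, or "timeout".
    """
    dev = idp.device_authorization(client_id, "openid email")
    if "error" in dev:
        return dev["error"]
    for _ in range(max_polls):
        resp = idp.token(client_id, dev["device_code"])
        if "access_token" in resp:
            return "ok"
        if resp["error"] != AUTH_PENDING:
            return resp["error"]
        approve(dev["user_code"])   # user completes the browser step, then we poll again
    return "timeout"


if __name__ == "__main__":
    idp = MockIdP({"public-app": None, "confidential-app": "constructed-secret"})
    print("public client:      ", device_login(idp, "public-app", idp.user_approves))
    print("confidential client:", device_login(idp, "confidential-app", idp.user_approves))
```

Running the block prints `ok` for the public client and `invalid_client` for the confidential one: the device endpoint happily returns a device code in both cases (matching the successful "Get device code" leg in the logs), and the difference only appears on the token poll, which is the leg that follows the user's browser step.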