Hi all. I would like your help to fix the following issue.

What we need: we configured a freeradius server to use it as the authentication method for freeipa users. When we use the option password (I mean the password configured in the ipa server itself), everything works. If we change the authentication method to RADIUS, we have the following problems.

The user password on the ipa client is not cached. So if users go home with a laptop and have no access to the ipa server, they can't log in to their ubuntu.

Behavior on ipa server:

User with local password

# kinit local-user
Password for [email protected]:

It works.

krb5kdc.log

ec 11 17:57:23 our.domain.com krb5kdc[1571](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.41.100.15: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Dec 11 17:57:23 our.domain.com krb5kdc[1571](info): closing down fd 11

The rows below appear after entering the password:

Dec 11 17:58:17 our.domain.com krb5kdc[1571](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.41.100.15: ISSUE: authtime 1733932697, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha384-192(20)}, [email protected] for krbtgt/[email protected]
Dec 11 17:58:17 our.domain.com krb5kdc[1571](info): closing down fd 11

RADIUS user

# kinit radius-user
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

So the ticket is not created.

krb5kdc.log

Dec 11 18:04:26 our.domain.com krb5kdc[1571](info): AS_REQ (4 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.41.100.15: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Dec 11 18:04:26 our.domain.com krb5kdc[1571](info): closing down fd 11

Additional strange behaviour: if I try to log in to the ipa server via ssh with the local user, it asks me for the password. If I try to log in to the ipa server with the radius user, it asks me for the first factor and the second factor. It accepts the password for the first factor and an empty 2nd factor, and lets me log in.

Thank you in advance.
I can provide any additional info.
