Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1510734 - Unable to kinit with IPA user(if 2FA is enabled in IPA)
Summary: Unable to kinit with IPA user(if 2FA is enabled in IPA)
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.0
Hardware: x86_64
OS: Linux
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
Depends On:
TreeView+ depends on / blocked
Reported: 2017-11-08 06:29 UTC by Akshay Sakure
Modified: 2019-03-25 17:12 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

Description Akshay Sakure 2017-11-08 06:29:01 UTC
Description of problem:
If 2FA(password + otp) is enabled for IPA user it cannot perform kinit.
kinit fails with:
$ kinit testuser
kinit: Preauthentication failed while getting initial credentials

Version-Release number of selected component (if applicable):
Latest version of IPA and sssd

How reproducible:

Steps to Reproduce:
1. As admin, create a new user with password.
2. Enable OTP authentication for this user.
3. Create an either TOTP or HOTP token for this user.
4. Run kinit as this user.

Actual results:
$ kinit testuser
kinit: Generic preauthentication failure while getting initial credentials

Expected results:
kinit should work for 2FA(password + otp) enabled IPA user

Additional info:
This is clone of upstream ticket

Comment 2 Akshay Sakure 2017-11-08 06:30:24 UTC
Workaround is available as per:

Comment 3 Petr Vobornik 2017-11-09 15:03:51 UTC
kinit, to use 2 factor authentication, requires a so called FAST channel. This channel can be obtained by kiniting as different principal. E.g. admin as showed in "workaround" in comment 2. 

Alternative is to use SSSD which has access to host keytab and can thus establish the FAST channel automatically for the user - e.g. during authentication to the host.

But for users who have access to only their Kerberos credential and no keytab and need to use kinit directly there is one alternative: anonymous PKINIT.

IdM on RHEL 7.4 introduced support for anonymous PKINIT.

Design page:
How to use:

To paste it here:
   kinit -n
   ARMOR_CCACHE=$(klist|grep cache:|cut -d' ' -f3-)
   kinit -T $ARMOR_CCACHE principal@REALM 

(so it can be scripted)

This will only work if IPA server has pkinit enabled. That can be checked with command:
   ipa-pkinit-manage status

Comment 4 Petr Vobornik 2017-11-13 16:36:50 UTC
Upstream ticket:

Note You need to log in before you can comment on or make changes to this bug.