If OTP is enabled the user cannot perform kinit.
Steps to reproduce:
1. As admin, create a new user with a password.
2. Enable OTP authentication for this user.
3. Create either a TOTP or an HOTP token for this user.
4. Run kinit as this user.
Actual result:
$ kinit testuser
kinit: Generic preauthentication failure while getting initial credentials
When the OTP authentication is disabled for this user, kinit will work normally (i.e. prompting for password).
Expected result: The kinit should work with OTP.
Currently, this is either "by design" or "known issue." FAST is required, so you need to use the kinit -T option. We are currently exploring enabling FAST automatically where possible. For more details, see: http://mailman.mit.edu/pipermail/krbdev/2014-May/011958.html
Nathaniel, please update the design document to mention this limitation and then close this ticket.
FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.
Not a priority for 4.0 - postponing.
FreeIPA 4.1.1 was released.
4.1.2 was released.
4.1.3 was released.
4.1.4 was released, moving to new milestone
Moving tickets as per freeipa-devel message.
FreeIPA 4.2.1 was released, moving to 4.2.x.
It seems like this makes it impossible to enrol a new system with ipa-client-install , if the user(s) who can enrol new systems are 2FA-only?
I wanted to make it so my FreeIPA admin user is 2FA-only, but if I try to enrol a new client with freeipa-client-install , it seems it calls 'kinit admin@mydomain -c /tmp/sometmpfile' and hits exactly this error...so I'm kinda stuck, right, unless I temporarily disable 2FA for my admin user? That sucks.
edit: well, you can use a one-time password for enrolment I guess.
This is the current limitation of kinit. Sorry.
Requires SPAKE or #5678 therefore moving out of 4.3.x
Metadata Update from @edewata: - Issue assigned to npmccallum - Issue set to the milestone: FreeIPA 4.5 backlog
@adamwill How did you solve this?
@rdegraaff We have a separate issue to track enrollment with 2FA enabled. Since we now support PKINIT in 4.5+, this can be done by utilizing anonymous PKINIT. See https://pagure.io/freeipa/issue/6665
Metadata Update from @abbra: - Issue close_status updated to: None
@rdegraaff sorry, I honestly don't remember whether or how I did. I probably temporarily disabled 2FA.
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1510734 (was: 0)
Issue linked to bug 1510734
For anyone ending up in this thread, please follow these steps to make kinit work with OTP: https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit
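The two workarounds mentioned in this thread (the FAST armor requirement and `kinit -T` from the early comment, and anonymous PKINIT from the later ones) combined into one script. This is an added example, not code from the ticket or from the FreeIPA project. It assumes MIT Kerberos `kinit`/`kdestroy` on PATH; for keytab mode, an already enrolled IPA client whose `/etc/krb5.keytab` is readable (i.e. run as root); for anon mode, an IPA 4.5+ KDC with anonymous PKINIT enabled. The function name `fast_kinit` and the default armor cache path are the example's own choices.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA ticket or project: obtain a TGT for
# an OTP/2FA-only user by wrapping kinit in FAST, which the ticket says is
# required (a plain "kinit user" fails with "Generic preauthentication failure").
# Assumed environment: MIT Kerberos kinit/kdestroy on PATH; keytab mode needs an
# enrolled IPA client with a readable /etc/krb5.keytab (root); anon mode needs an
# IPA 4.5+ KDC with anonymous PKINIT enabled and pkinit_anchors in krb5.conf.
set -u

# fast_kinit USER [KEYTAB|anon] [ARMOR_CCACHE]
#   Step 1: get an armor TGT into a throw-away ccache, either from the host
#           keytab (kinit -k -t) or via anonymous PKINIT (kinit -n).
#   Step 2: kinit -T ARMOR_CCACHE USER, so the OTP pre-auth exchange runs
#           inside the FAST tunnel instead of failing as in the ticket.
# Exit codes: 0 success, 1 a kinit step failed, 2 bad arguments/preconditions.
fast_kinit() {
    user=$1
    keytab=${2:-/etc/krb5.keytab}
    armor=${3:-/tmp/krb5cc_armor_$$}   # example default; kinit creates it mode 0600

    if [ -z "$user" ]; then
        echo "fast_kinit: usage: fast_kinit USER [KEYTAB|anon] [ARMOR_CCACHE]" >&2
        return 2
    fi
    # Check the keytab before touching the KDC so the error is actionable.
    if [ "$keytab" != anon ] && [ ! -r "$keytab" ]; then
        echo "fast_kinit: keytab $keytab is not readable; run as root on an enrolled client or pass 'anon'" >&2
        return 2
    fi

    # Step 1: armor ticket. With -k and no principal, kinit uses the host principal
    # found in the keytab; with -n it requests an anonymous PKINIT ticket.
    if [ "$keytab" = anon ]; then
        kinit -n -c "$armor" || {
            echo "fast_kinit: anonymous PKINIT failed (is it enabled on the KDC?)" >&2
            return 1
        }
    else
        kinit -k -t "$keytab" -c "$armor" || {
            echo "fast_kinit: could not obtain host TGT from $keytab" >&2
            return 1
        }
    fi

    # Step 2: the user's own kinit, armored with the ccache from step 1. kinit
    # prompts for the OTP token value; for IPA that is the password followed by
    # the current token code.
    rc=0
    kinit -T "$armor" "$user" || rc=1

    # The armor ccache is only needed for the exchange; remove it either way.
    kdestroy -c "$armor" 2>/dev/null || rm -f -- "$armor"
    return "$rc"
}

# Usage (not executed here):
#   sudo sh -c '. ./fast_kinit.sh; fast_kinit admin'       # armor from /etc/krb5.keytab
#   . ./fast_kinit.sh; fast_kinit admin anon               # armor via anonymous PKINIT (IPA 4.5+)
```

The anon mode is what makes the enrollment case from this thread workable: before `ipa-client-install` has run there is no host keytab yet, so anonymous PKINIT is the only armor source available on that machine.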