#6665 ipa-client-install does not support enrollment by users with RADIUS or OTP token
Opened 7 years ago by abbra. Modified 3 years ago

From IRC:

[sudoSamurai] hi all, I'm not sure if someone can help me or if I should file a bug or feature request. I set up an external radius server for two factor token authentication. Everything is working except for ipa-client-install. When it asks for the user to register the host, it won't accept the credentials unless I turn off the radius feature

It seems that a procedure calling for kinit_password in ipaclient.install.client should always use anonymous PKINIT to create a FAST channel and then call kinit_password with the ccache of that to armor the actual password exchange.

In FreeIPA 4.5 we have anonymous PKINIT enabled by default. In case anonymous PKINIT is not available, the current behavior can continue (i.e. call kinit_password without an armor ccache).

It looks to me that the kinit_keytab call can also be enhanced with this approach.
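
The sequence proposed above, as an added example that is not FreeIPA's code or part of the original report: the function name, its parameters and the injectable `run` are hypothetical, and it shells out to MIT `kinit` (`-n` for anonymous PKINIT, `-T` for the armor ccache). It falls back to an unarmored request when anonymous PKINIT fails.

```python
import os
import subprocess


def kinit_password_armored(principal, password, ccache, armor_ccache,
                           pkinit_anchors=(), run=subprocess.run):
    """Obtain a TGT for `principal`, armoring the exchange with FAST if possible.

    Returns True if the request was sent through a FAST channel and False if
    anonymous PKINIT was unavailable and the unarmored fallback was used.
    `run` is injectable so the command sequence can be checked without a KDC.
    """
    env = dict(os.environ, LC_ALL="C")

    # Step 1: anonymous PKINIT (kinit -n) into a separate armor ccache.
    armor_cmd = ["kinit", "-n", "-c", armor_ccache]
    for anchor in pkinit_anchors:
        # CA certificate used to validate the KDC's PKINIT certificate.
        armor_cmd += ["-X", "X509_anchors=FILE:" + anchor]
    armored = run(armor_cmd, env=env, capture_output=True).returncode == 0

    # Step 2: the real exchange; -T points kinit at the armor ccache.
    cmd = ["kinit", principal, "-c", ccache]
    if armored:
        cmd += ["-T", armor_ccache]
    # Assumption: kinit reads the password (or password+OTP) from stdin
    # when it is not attached to a terminal.
    result = run(cmd, input=(password + "\n").encode(), env=env,
                 capture_output=True)
    if result.returncode != 0:
        raise RuntimeError("kinit failed for %s: %s" % (
            principal, result.stderr.decode(errors="replace").strip()))
    return armored
```

A caller that requires OTP or RADIUS enrollment can treat a `False` return as an error, since those pre-authentication methods need the FAST channel.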


Metadata Update from @abbra:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.7 (was: 0.0 NEEDS_TRIAGE)

7 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Good morning,

I'm wondering if this issue, and https://pagure.io/freeipa/issue/4411 have been resolved in a more recent release (seeing as we're up to 4.8.x according to the information that I see)? Currently, I'm running EL7, so without upgrading from an outside repo, this may never get backported, but I'd just like to know if this has been resolved?

Thanks in advance,
Michael

There is no implementation to support anonymous PKINIT in ipa-client-install yet. So this issue still stands, regardless of the version used.

Metadata Update from @abbra:
- Issue set to the milestone: None (was: FreeIPA 4.7.1)

3 years ago
