When activating RADIUS authentication on a user, he seems to be unable to log in using PKINIT and a certificate anymore.
The PKINIT authentication with the certificate fails, but the PKINIT command through RADIUS works.
The user may authenticate with the certificate or the RADIUS password.
ipa-server-4.8.7-16.0.1.module+el8.3.0+20007+a5dde1bf.x86_64
ipa-client-4.8.7-16.0.1.module+el8.3.0+20007+a5dde1bf.x86_64
389-ds-base-1.4.3.8-7.module+el8.3.0+20006+53cafd96.x86_64
pki-ca-10.9.4-3.0.1.module+el8.3.0+el8+9692+a35cea4e.noarch
krb5-server-1.18.2-5.el8.x86_64
Apr 26 16:12:40 example.com krb5kdc9082: Initializing IPA certauth plugin.
Apr 26 16:12:40 example.com krb5kdc9082: sss_certmap initialized.
Apr 26 16:12:40 example.com krb5kdc9082: Doing certauth authorize for [user@EXAMPLE.COM]
Apr 26 16:12:40 example.com krb5kdc9082: Got cert filter [(ipacertmapdata=X509:O=EXAMPLE.COM,CN=Certificate\20Authority<S>O=EXAMPLE.COM,CN=user)]
Apr 26 16:12:40 example.com krb5kdc9082: PKINIT: freshness token received from user@EXAMPLE.COM
Apr 26 16:12:40 example.com krb5kdc9082: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), UNSUPPORTED:des3-hmac-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 1.1.1.45: PKINIT pre-authentication not allowed for this user.: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, KDC policy rejects request
I did a bit of searching to understand how the authentication is processed by the FreeIPA Kerberos module. A line of code triggered some questions. This patch: https://github.com/freeipa/freeipa/commit/204200d73bb135cb7b9b31b8f1ba5268d73094a5 introduced a change in the ipadb_validate_radius function. This function checks if the user has a RADIUS configuration. But in case the RADIUS config exists, the user's authentication methods seem to be overridden with only the RADIUS authentication: *ua = IPADB_USER_AUTH_RADIUS;
Please see https://github.com/freeipa/freeipa/pull/5734/files for the details of how it works now.
Thanks for this link @abbra! If I understand well, when the RADIUS authentication is configured, the other authentication mechanisms are not allowed for the user?
How may I allow a user to authenticate with a certificate generated by the FreeIPA CA or with a password+OTP verified by a RADIUS server?
Thank you very much for your help
Currently you cannot, as outlined in that design document. If you want to experiment, you may want to change line 306 from the commit you mentioned to
*ua |= IPADB_USER_AUTH_RADIUS;
This would make sure the other auth methods aren't cleared.
Thank you very much for your answers!
Metadata Update from @josselin: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Re-opening. I think this is something we can address.
We'll need to update the design in PR https://github.com/freeipa/freeipa/pull/5734 to include this as multiple mechanisms should work for either LDAP or Kerberos auth.
Metadata Update from @rcritten: - Issue status updated to: Open (was: Closed)
Hi, I experimented with removing the lines:
else *ua = IPADB_USER_AUTH_RADIUS;
as the IPADB_USER_AUTH_RADIUS bit is already set if we are reaching these lines. With this patch, I could authenticate either with the RADIUS OTP or with the IPA certificate. I don't have the knowledge right now to understand the general impact this removal could have.
master:
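A small C model of the bitmask behaviour discussed in this thread, added here as an illustration and not FreeIPA's own code: apart from IPADB_USER_AUTH_RADIUS, the flag names, their bit values and the simplified validate function are assumptions. It shows why the assignment in ipadb_validate_radius clears the PKINIT bit (so the KDC policy rejects PKINIT) and why `|=`, or deleting the line, keeps both methods.

```c
#include <stdbool.h>
#include <stdio.h>
/* Modelled after FreeIPA's ipa_kdb user-auth bitmask. Only
 * IPADB_USER_AUTH_RADIUS is quoted in the thread; the other names
 * and the bit values are assumptions for this illustration. */
enum ipadb_user_auth {
    IPADB_USER_AUTH_PASSWORD = 1 << 0,
    IPADB_USER_AUTH_RADIUS   = 1 << 1,
    IPADB_USER_AUTH_OTP      = 1 << 2,
    IPADB_USER_AUTH_PKINIT   = 1 << 3,
};

/* Simplified stand-in for ipadb_validate_radius(): the real one reads the
 * user's RADIUS configuration from LDAP, here the caller says whether it
 * exists. 'fixed' selects the |= variant suggested in the thread. */
static void validate_radius(bool has_radius_config, bool fixed,
                            enum ipadb_user_auth *ua)
{
    if (!(*ua & IPADB_USER_AUTH_RADIUS))
        return;                          /* RADIUS not enabled for user */
    if (!has_radius_config)
        *ua &= ~IPADB_USER_AUTH_RADIUS;  /* no config: drop RADIUS only */
    else if (fixed)
        *ua |= IPADB_USER_AUTH_RADIUS;   /* already set: no-op, same as deleting it */
    else
        *ua = IPADB_USER_AUTH_RADIUS;    /* original: wipes PKINIT etc. */
}

/* The policy check behind "PKINIT pre-authentication not allowed for
 * this user": PKINIT passes only if its bit survived validation. */
bool kdc_allows_pkinit(enum ipadb_user_auth ua)
{
    return (ua & IPADB_USER_AUTH_PKINIT) != 0;
}

/* Auth mask left for a user enabled for both RADIUS and PKINIT. */
enum ipadb_user_auth effective_auth(bool has_radius_config, bool fixed)
{
    enum ipadb_user_auth ua = IPADB_USER_AUTH_RADIUS | IPADB_USER_AUTH_PKINIT;
    validate_radius(has_radius_config, fixed, &ua);
    return ua;
}

int main(void)
{
    bool bug = kdc_allows_pkinit(effective_auth(true, false));
    bool fix = kdc_allows_pkinit(effective_auth(true, true));
    printf("original: PKINIT %s\n", bug ? "allowed" : "rejected");
    printf("with |= : PKINIT %s\n", fix ? "allowed" : "rejected");
    return 0;
}
```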