[Pkg-freeipa-devel] Bug#1116383: freeipa-client: One Time Pass (OTP) is not usable

Stephane Poss stephane.poss at airnavigation.aero
Fri Sep 26 14:55:21 BST 2025


Package: freeipa-client
Version: 4.12.4-1
Severity: normal

Dear Maintainer,

I have set up an IPA account using 2FA. SSH login works properly with an ssh key, but not with a password: krb5kdc returns 'NEEDED_PREAUTH'. 'sudo su' generates an error in krb5_child: Resource temporarily unavailable

user at server:~$ KRB5_TRACE=/dev/stderr  kinit user at XXXX.XX
[1333] 1758891640.523997: Matching user at XXXX.XX in collection with result: -1765328243/Can't find client principal user at XXXX.XX in cache collection
[1333] 1758891640.523998: Getting initial credentials for sposs at AIRNAVIGATION.AERO
[1333] 1758891640.524000: Sending unauthenticated request
[1333] 1758891640.524001: Sending request (197 bytes) to AIRNAVIGATION.AERO
[1333] 1758891640.524002: Initiating TCP connection to stream XXX.XXX.XXX.XXX:88
[1333] 1758891640.524003: Sending TCP request to stream XXX.XXX.XXX.XXX:88
[1333] 1758891640.524004: Received answer (258 bytes) from stream XXX.XXX.XXX.XXX:88
[1333] 1758891640.524005: Terminating TCP connection to stream XXX.XXX.XXX.XXX:88
[1333] 1758891640.524006: Response was from primary KDC
[1333] 1758891640.524007: Received error from KDC: -1765328359/Additional pre-authentication required
[1333] 1758891640.524010: Preauthenticating using KDC method data
[1333] 1758891640.524011: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1333] 1758891640.524012: Received cookie: MIT
[1333] 1758891640.524013: PKINIT client has no configured identity; giving up
[1333] 1758891640.524014: Preauth module pkinit (147) (info) returned: 0/Success
[1333] 1758891640.524015: PKINIT client received freshness token from KDC
[1333] 1758891640.524016: Preauth module pkinit (150) (info) returned: 0/Success
[1333] 1758891640.524017: PKINIT client has no configured identity; giving up
[1333] 1758891640.524018: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Another account without 2FA presents something like
[...]
[1338] 1758891659.272110: Preauthenticating using KDC method data
[1338] 1758891659.272111: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1338] 1758891659.272112: Selected etype info: etype aes256-cts, salt "d6LxUr,b[aoD.7]B", params ""
[1338] 1758891659.272113: Received cookie: MIT1\x00\x00\x00\x01\x1d\xcah\x[...]
[1338] 1758891659.272114: PKINIT client has no configured identity; giving up
[1338] 1758891659.272115: Preauth module pkinit (147) (info) returned: 0/Success
[1338] 1758891659.272116: PKINIT client received freshness token from KDC
[1338] 1758891659.272117: Preauth module pkinit (150) (info) returned: 0/Success
[1338] 1758891659.272118: PKINIT client has no configured identity; giving up
[1338] 1758891659.272119: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1338] 1758891659.272120: SPAKE challenge received with group 1, pubkey CB842AA93711EBF282A6537622542450D24085A1240...
Password for otheruser at XXXX.XX: 
[1338] 1758891668.641440: SPAKE key generated with pubkey 772617E157E10334303199B97BF8DD5418...
[1338] 1758891668.641441: SPAKE algorithm result: C6ACFD8C40D1B443A529BB7F8A5B6FB09D33393F41E4FACBED...
[1338] 1758891668.641442: SPAKE final transcript hash: 07B784AB0423F00F0C62409302D10434861A16BBB88703...
[...]
and kinit succeeds properly.

While trying to resolve the issue, I installed krb5-pkinit, but that did not solve the issue.

According to https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/REV7YNUW2RIIRBDNVYBU4PNTSY6ZM2MO/, the order of the entries in /etc/pam.d/common-auth matters for this to work properly. Raised in https://bugs.debian.org/1001644.

All this works perfectly fine in Debian 12.

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.48+deb13-cloud-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeipa-client depends on:
ii  bind9-dnsutils               1:9.20.11-4
ii  bind9-utils                  1:9.20.11-4
ii  certmonger                   0.79.20-2
ii  curl                         8.14.1-2
ii  freeipa-common               4.12.4-1
ii  krb5-user                    1.21.3-5
ii  libc6                        2.41-12
ii  libcom-err2                  1.47.2-3+b3
ii  libcurl4t64                  8.14.1-2
ii  libini-config5t64            0.6.2-3
ii  libjansson4                  2.14-2+b3
ii  libk5crypto3                 1.21.3-5
ii  libkrb5-3                    1.21.3-5
ii  libldap2                     2.6.10+dfsg-1
ii  libnss-sss                   2.10.1-2+b1
ii  libnss3-tools                2:3.110-1
ii  libpam-sss                   2.10.1-2+b1
ii  libpopt0                     1.19+dfsg-2
ii  libsasl2-modules-gssapi-mit  2.1.28+dfsg1-9
ii  libssl3t64                   3.5.1-1
ii  libsss-sudo                  2.10.1-2+b1
ii  oddjob-mkhomedir             0.34.7-2.1
ii  python3                      3.13.5-1
ii  python3-dnspython            2.7.0-1
ii  python3-gssapi               1.9.0-1+b2
ii  python3-ipaclient            4.12.4-1
ii  python3-ldap                 3.4.4-1+b5
ii  python3-sss                  2.10.1-2+b1
ii  sssd                         2.10.1-2+b1

Versions of packages freeipa-client recommends:
ii  chrony        4.6.1-3
pn  sssd-passkey  <none>

Versions of packages freeipa-client suggests:
pn  libnss-myhostname  <none>
pn  libpam-krb5        <none>

-- no debconf information
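The two KRB5_TRACE runs quoted in the report differ in what the KDC offered: the 2FA account's "Processing preauth types" line lists no mechanism a typed secret can satisfy, while the other account's lists PA-ETYPE-INFO2, PA-SPAKE and PA-ENC-TIMESTAMP. The following script is an added example, not part of the bug report or of the freeipa/krb5 packages: it parses trace lines of this shape, groups them by kinit pid, collects the offered preauth type numbers and any failing "(real)" preauth module, and prints a verdict per run. The sample input is constructed from the lines above. The preauth numbers come from the traces themselves, except PA-OTP-CHALLENGE (141), which is the RFC 6560 value; the remark about FAST in the verdict reflects MIT krb5's documented requirement that OTP preauth run inside a FAST tunnel and is not a conclusion the report itself draws.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: a subset of the KRB5_TRACE lines quoted in the report
# (pid 1333 is the 2FA account, pid 1338 the account without 2FA).
SAMPLE_TRACE = """\
[1333] 1758891640.524007: Received error from KDC: -1765328359/Additional pre-authentication required
[1333] 1758891640.524011: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1333] 1758891640.524018: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1338] 1758891659.272111: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1338] 1758891659.272119: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1338] 1758891668.641442: SPAKE final transcript hash: 07B784AB0423F00F0C62409302D10434861A16BBB88703...
"""

# Preauth types a client can complete with something the user types.
# 2, 19 and 151 appear in the traces above; 141 (PA-OTP-CHALLENGE, RFC 6560)
# is the type an OTP-enabled account needs, and the KDC only offers it
# inside a FAST-armored exchange.
INTERACTIVE_TYPES = {
    2: "PA-ENC-TIMESTAMP",
    19: "PA-ETYPE-INFO2",
    141: "PA-OTP-CHALLENGE",
    151: "PA-SPAKE",
}
PA_FX_FAST = 136  # as printed in the traces

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] [\d.]+: (?P<msg>.*)$")
OFFER_RE = re.compile(r"^Processing preauth types: (?P<types>.*)$")
TYPE_RE = re.compile(r"\((?P<num>\d+)\)")
RESULT_RE = re.compile(
    r"^Preauth module (?P<module>\S+) \((?P<num>\d+)\) \((?P<kind>\w+)\) "
    r"returned: (?P<code>\d+)/(?P<text>.*)$"
)


def parse_trace(trace: str) -> Dict[str, dict]:
    """Group trace lines by kinit pid; record the preauth types the KDC
    offered and every non-zero result from a '(real)' preauth module."""
    runs: Dict[str, dict] = defaultdict(lambda: {"offered": set(), "failures": []})
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a trace line (e.g. the password prompt)
        run, msg = runs[m["pid"]], m["msg"]
        offer = OFFER_RE.match(msg)
        if offer:
            run["offered"].update(int(t) for t in TYPE_RE.findall(offer["types"]))
            continue
        result = RESULT_RE.match(msg)
        if result and result["kind"] == "real" and result["code"] != "0":
            run["failures"].append(
                (result["module"], int(result["num"]), int(result["code"]), result["text"])
            )
    return dict(runs)


def interactive_preauth_offered(offered: Set[int]) -> List[str]:
    """Names of the offered preauth types that a password or OTP can satisfy."""
    return sorted(INTERACTIVE_TYPES[t] for t in offered if t in INTERACTIVE_TYPES)


def diagnose(run: dict) -> str:
    """One-line verdict: can this client complete preauth with a typed secret?"""
    usable = interactive_preauth_offered(run["offered"])
    if usable:
        return "ok: password/OTP preauth available via " + ", ".join(usable)
    if PA_FX_FAST in run["offered"]:
        return (
            "no password/OTP preauth offered; KDC advertises FAST (136), so an "
            "OTP challenge (141) would only appear inside a FAST tunnel"
        )
    return "no password/OTP preauth offered"


if __name__ == "__main__":
    for pid, run in parse_trace(SAMPLE_TRACE).items():
        print(pid, diagnose(run))
        for module, num, code, text in run["failures"]:
            print(f"  failed module {module} ({num}): {code}/{text}")
```

Run against a full trace (`KRB5_TRACE=/dev/stderr kinit ... 2> trace.txt`), the script separates the offered-but-failed PKINIT attempt (exit 22, no configured identity) from the actual gap: for pid 1333 there is simply no password- or OTP-capable type in the KDC's list, which is why kinit has nothing left to try after PKINIT gives up.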
