<div dir="ltr">Hello all.<div><br></div><div>I am trying to use OTP auth in FreeIPA but have some problems.</div><div><br></div><div>I have user <u>test:</u></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>[root@ipa-centos]# ipa user-show test</div></div><div><div> User login: test</div></div><div><div> First name: test</div></div><div><div> Last name: test</div></div><div><div> Home directory: /home/test</div></div><div><div> Login shell: /bin/sh</div></div><div><div> Principal name: <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a></div></div><div><div> Principal alias: <a href="mailto:test@MYDOMAIN.COM">test@MYDOMAIN.COM</a></div></div><div><div> Email address: <a href="mailto:test@mydomain.com">test@mydomain.com</a></div></div><div><div> UID: 152200001</div></div><div><div> GID: 152200001</div></div><div><div> Account disabled: False</div></div><div><div> Password: True</div></div><div><div> Member of groups: trust admins, ipausers, admins</div></div><div><div> Kerberos keys available: True</div></div><div><div> </div></div></blockquote>And his token:<div><br><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>[root@ipa-centos]# ipa otptoken-show 7fa47f65-dc72-486e-8dd4-6393c7e389bd</div></div><div><div> Unique ID: 7fa47f65-dc72-486e-8dd4-6393c7e389bd</div></div><div><div> Type: TOTP</div></div><div><div> Owner: test</div></div><div><div> Manager: test</div></div></blockquote><div><div><br></div><div>Server with FreeIPA:</div><div><br></div></div></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><div><div>[root@ipa-centos]# ipa host-show <a href="http://ipa-centos.mydomain.com">ipa-centos.mydomain.com</a></div><div> Host name: <a href="http://ipa-centos.mydomain.com">ipa-centos.mydomain.com</a></div><div> Principal name: host/<a href="mailto:ipa-centos.mydomain.com@MYDOMAIN.COM">ipa-centos.mydomain.com@MYDOMAIN.COM</a></div><div> Principal alias: host/<a 
href="mailto:ipa-centos.mydomain.com@MYDOMAIN.COM">ipa-centos.mydomain.com@MYDOMAIN.COM</a></div><div> SSH public key fingerprint: %some fingerprints%</div><div> Authentication Indicators: otp</div><div> Password: False</div><div> Member of host-groups: ipaservers</div><div> Keytab: True</div><div> Managed by: <a href="http://ipa-centos.mydomain.com">ipa-centos.mydomain.com</a></div></div></div></div></blockquote><div><br></div>And the FreeIPA HTTP service, by default:<div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div>[root@ipa-centos]# ipa service-show http/<a href="http://ipa-centos.mydomain.com">ipa-centos.mydomain.com</a></div></div><div><div> Principal name: HTTP/<a href="mailto:ipa-centos.mydomain.com@MYDOMAIN.COM">ipa-centos.mydomain.com@MYDOMAIN.COM</a></div></div><div><div> Principal alias: HTTP/<a href="mailto:ipa-centos.mydomain.com@MYDOMAIN.COM">ipa-centos.mydomain.com@MYDOMAIN.COM</a></div></div><div><div> Certificate: %cert%</div></div><div><div> Subject: CN=<a href="http://ipa-centos.mydomain.com">ipa-centos.mydomain.com</a>,O=<a href="http://MYDOMAIN.COM">MYDOMAIN.COM</a></div></div><div><div> Serial Number: 9</div></div><div><div> Serial Number (hex): 0x9</div></div><div><div> Issuer: CN=Certificate Authority,O=<a href="http://MYDOMAIN.COM">MYDOMAIN.COM</a></div></div><div><div> Not Before: Tue May 16 11:32:36 2017 UTC</div></div><div><div> Not After: Fri May 17 11:32:36 2019 UTC</div></div><div><div> Fingerprint (MD5): e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1</div></div><div><div> Fingerprint (SHA1): de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04</div></div><div><div> Authentication Indicators: otp</div></div><div><div> Keytab: True</div></div><div><div> Managed by: <a href="http://ipa-centos.mydomain.com">ipa-centos.mydomain.com</a></div></div></blockquote><div><div><br></div><div>As you can see, all properties for OTP auth in the FreeIPA web interface are applied, but I can log into the web 
interface only using a password; if I try logging in with password+OTP token I get an error.</div><div><br></div><div>What's wrong?</div><div><br></div><div><div class="gmail_signature"><div dir="ltr">
<p class="gmail-p1"><span class="gmail-s1">[root@ipa-centos]# ipa --version<br></span>VERSION: 4.4.0, API_VERSION: 2.213</p><p class="gmail-p1">[root@ipa-centos]# cat /etc/os-release </p><p class="gmail-p1">NAME="CentOS Linux"<br>VERSION="7 (Core)"<br>ID="centos"<br>ID_LIKE="rhel fedora"<br>VERSION_ID="7"<br>PRETTY_NAME="CentOS Linux 7 (Core)"<br>ANSI_COLOR="0;31"<br>CPE_NAME="cpe:/o:centos:centos:7"<br>HOME_URL="<a href="https://www.centos.org/">https://www.centos.org/</a>"<br>BUG_REPORT_URL="<a href="https://bugs.centos.org/">https://bugs.centos.org/</a>"<br>CENTOS_MANTISBT_PROJECT="CentOS-7"<br>CENTOS_MANTISBT_PROJECT_VERSION="7"<br>REDHAT_SUPPORT_PRODUCT="centos"<br>REDHAT_SUPPORT_PRODUCT_VERSION="7"</p><p class="gmail-p1"><span class="gmail-s1"><br></span></p></div></div>
</div></div></div>