[Freeipa-users] 4.1.4 and OTP

Dmitri Pal dpal at redhat.com
Sat Apr 18 00:59:57 UTC 2015


On 04/17/2015 08:07 PM, Janelle wrote:
>
> On Apr 17, 2015, at 16:36, Dmitri Pal <dpal at redhat.com 
> <mailto:dpal at redhat.com>> wrote:
>
>> On 04/17/2015 04:52 PM, Janelle wrote:
>>> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>>>> On 04/17/2015 01:20 PM, Janelle wrote:
>>>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Is anyone else having issues with OTP since upgrading? For the 
>>>>>>> life of me I can't get it to accept "Sync" for the tokens. No 
>>>>>>> matter what is put in, it just keeps saying the username, 
>>>>>>> password or tokens entered are incorrect.
>>>>>>>
>>>>>>> To make it simple - I am trying this on a brand new CentOS 7.1 
>>>>>>> system with a clean/fresh install of FreeIPA 4.1.4 and yet it 
>>>>>>> just refuses to work.
>>>>>>>
>>>>>>> I create a user -- configure them. They work just fine with a 
>>>>>>> password. Then add a token. Sync with FreeOTP and that all 
>>>>>>> works. Then going back to the web UI and do Sync OTP and it 
>>>>>>> simply refuses to accept any values. And yet the same user can 
>>>>>>> login to the regular web UI with their password.
>>>>>>>
>>>>>>> I have tried setting the user to both Password and OTP for auth 
>>>>>>> methods. And also just OTP and nothing works.
>>>>>>
>>>>>> Please look in the logs to see what is going on.
>>>>>> You would need to look at the KDC, http and DS logs on the server 
>>>>>> to sort out what is going on.
>>>>>>
>>>>>> Do you change the password for the user first after creating him?
>>>>>>
>>>>>> Can you reproduce the problem with demo instance?
>>>>>> http://www.freeipa.org/page/Demo
>>>>>> If you can then we can take a look at the logs right away.
>>>>>> Hints? Am I missing a step?
>>>>>>
>>>>>> ~J
>>>>>>
>>>>> It appears to be the UI. If I go through the steps and let it 
>>>>> "fail", I can still login using OTP to servers. I made the 
>>>>> assumption that the error itself was not an error.. :-)
>>>>>
>>>>> ~J
>>>>>
>>>> I am not sure I get what you are saying. Do you still see the 
>>>> problem, or did you misinterpret the UI and now the problem is gone? 
>>>> If you did, is there any recommendation on how to improve the UI so it 
>>>> does not confuse people?
>>>>
>>> The problem exists -- this is what it shows:
>>> HOWEVER, it is still WORKING. Meaning, even if you get this error, 
>>> if you attempt to login with your FreeOTP token, it WORKS.
>>>
>>> ~J
>>>
>>> <mime-attachment.png>
>>>
>>>
>>
>> Does it give you this error when you use password or password and token?
>> Can you please describe the flow of steps in more details?
>> I start browser, go here, click here, enter this, etc.
>>
>> Are you using SSSD to login to servers? Is SSSD configured with the IPA 
>> provider, or did you configure it for LDAP manually? There is a 
>> difference between LDAP and Kerberos authentication.
>>
>> Maybe the following article will help you understand the 
>> expectations:
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp
>>
>>
>>
>> I suspect it is some combination of flags and protocols that is confusing.
>
> Simple. And my test made it simple.
> Stand up new vm running fc21/freeipa.
> Configure user.
> Add password.
> Add token.
>
> Login to the vm with the user created using password. Kerberos ticket 
> assigned, all is well.
>
> Login to web interface with admin. Change user to OTP only.
> Go to web UI and click sync OTP.
> Enter username, password and 2 OTP sequences. Click sync. Error appears.
>
> Now, ssh to same vm using OTP username. Enter password + OTP value.
> Login successful.

I can reproduce this issue with the demo instance.
I will file a bug later today.
I think it is a bug with sync.
Which token do you use, time based or event based?

>
> Logout.
> Repeat, but try JUST the password, and it fails.
>
> ???
> ~J


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
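As an added illustration of what the "sync OTP" step is checking (example code written for this thread, not FreeIPA's or FreeOTP's implementation): the server takes two consecutive codes and searches a window of counters (event-based HOTP) or time steps (time-based TOTP) for a matching pair. The RFC 4226 test secret, the window sizes and the step offset representation are assumptions; FreeIPA's real sync also verifies the user's password first, which is not modelled here.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret (assumption for the demo); a real token secret is random.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def _find_pair(secret: bytes, first: str, second: str, lo: int, hi: int):
    """Return the counter c in [lo, hi) with hotp(c) == first and hotp(c+1) == second, else None.
    Requiring two consecutive codes makes an accidental match ~1e-12 likely instead of ~1e-6."""
    for c in range(lo, hi):
        if hmac.compare_digest(hotp(secret, c), first) and \
           hmac.compare_digest(hotp(secret, c + 1), second):
            return c
    return None


def resync_hotp(secret: bytes, stored_counter: int, first: str, second: str, window: int = 100):
    """Event-based token: search forward only (never behind the stored counter, so
    replayed codes cannot roll the server back). Returns the next counter to store, or None."""
    c = _find_pair(secret, first, second, stored_counter, stored_counter + window)
    return None if c is None else c + 2


def resync_totp(secret: bytes, first: str, second: str, now: float,
                window: int = 10, period: int = 30):
    """Time-based token: search steps around the server clock and return the step offset
    (the client's clock skew, in steps) to store with the token, or None."""
    step = int(now // period)
    c = _find_pair(secret, first, second, max(0, step - window), step + window)
    return None if c is None else c - step


if __name__ == "__main__":
    # Event-based: the token has advanced to counter 5 while the server still holds 0.
    print(resync_hotp(RFC_SECRET, 0, hotp(RFC_SECRET, 5), hotp(RFC_SECRET, 6)))        # 7
    # Time-based: the client clock is two 30-second steps behind the server.
    print(resync_totp(RFC_SECRET, hotp(RFC_SECRET, 98), hotp(RFC_SECRET, 99), 3000.0))  # -2
```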
