[Freeipa-users] 4.1.4 and OTP

Janelle janellenicole80 at gmail.com
Sat Apr 18 03:21:19 UTC 2015


On 4/17/15 5:59 PM, Dmitri Pal wrote:
> On 04/17/2015 08:07 PM, Janelle wrote:
>>
>>
>>
>>
>> On Apr 17, 2015, at 16:36, Dmitri Pal <dpal at redhat.com 
>> <mailto:dpal at redhat.com>> wrote:
>>
>>> On 04/17/2015 04:52 PM, Janelle wrote:
>>>> On 4/17/15 1:19 PM, Dmitri Pal wrote:
>>>>> On 04/17/2015 01:20 PM, Janelle wrote:
>>>>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Is anyone else having issues with OTP since upgrading? For the 
>>>>>>>> life of me I can't get it to accept "Sync" for the tokens. No 
>>>>>>>> matter what is put in, it just keeps saying the username, 
>>>>>>>> password or tokens entered are incorrect.
>>>>>>>>
>>>>>>>> To make it simple - I am trying this on a brand new CentOS 7.1 
>>>>>>>> system with a clean/fresh install of FreeIPA 4.1.4 and yet it 
>>>>>>>> just refuses to work.
>>>>>>>>
>>>>>>>> I create a user -- configure them. They work just fine with a 
>>>>>>>> password. Then add a token. Sync with FreeOTP and that all 
>>>>>>>> works. Then going back to the web UI and do Sync OTP and it 
>>>>>>>> simply refuses to accept any values. And yet the same user can 
>>>>>>>> login to the regular web UI with their password.
>>>>>>>>
>>>>>>>> I have tried setting the user to both Password and OTP for auth 
>>>>>>>> methods. And also just OTP and nothing works.
>>>>>>>
>>>>>>> Please look in the logs to see what is going on.
>>>>>>> You would need to look at the KDC, http and DS logs on the 
>>>>>>> server to sort out what is going on.
>>>>>>>
>>>>>>> Do you change the password for the user first after creating him?
>>>>>>>
>>>>>>> Can you reproduce the problem with demo instance?
>>>>>>> http://www.freeipa.org/page/Demo
>>>>>>> If you can then we can take a look at the logs right away.
>>>>>>> Hints? Am I missing a step?
>>>>>>>
>>>>>>> ~J
>>>>>>>
>>>>>> It appears to be the UI. If I go through the steps and let it 
>>>>>> "fail", I can still login using OTP to servers. I made the 
>>>>>> assumption that the error itself was not an error.. :-)
>>>>>>
>>>>>> ~J
>>>>>>
>>>>> I am not sure I get what you are saying. Do you still see the 
>>>>> problem or you misinterpreted the UI and now the problem is gone? 
>>>>> If you did is there any recommendation how to improve the UI not 
>>>>> to confuse people?
>>>>>
>>>> The problem exists -- this is what it shows:
>>>> HOWEVER, it is still WORKING. Meaning, even if you get this error, 
>>>> if you attempt to login with your FreeOTP token, it WORKS.
>>>>
>>>> ~J
>>>>
>>>> <mime-attachment.png>
>>>>
>>>>
>>>
>>> Does it give you this error when you use password or password and token?
>>> Can you please describe the flow of steps in more details?
>>> I start browser, go here, click here, enter this, etc.
>>>
>>> Are you using SSSD to login to servers? Is SSSD configured with the IPA 
>>> provider, or did you configure it for LDAP manually? There is a 
>>> difference between LDAP and Kerberos authentication.
>>>
>>> Maybe the following article will help you to understand the 
>>> expectations:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp
>>>
>>>
>>>
>>> I suspect it is some combination of flags and protocols that is 
>>> confusing
>>
>> Simple. And my test made it simple.
>> Stand up new vm running fc21/freeipa.
>> Configure user.
>> Add password.
>> Add token.
>>
>> Login to the vm with the user created using password. Kerberos ticket 
>> assigned, all is well.
>>
>> Login to web interface with admin. Change user to OTP only.
>> Go to web UI and click sync OTP.
>> Enter username, password and 2 OTP sequences. Click sync. Error appears.
>>
>> Now, ssh to same vm using OTP username. Enter password + OTP value.
>> Login successful.
>
> I can reproduce this issue with demo instance.
> I will file a bug later today.
> I think it is a bug with sync.
> Which token do you use time based or event based?
TOTP...

Hmm, makes me wonder - will HOTP fail the same? Off to try it.

~J

PS - is there a way to sync a token from command line? I can't think of 
a way, but maybe...
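What the "Sync OTP" step in this thread asks the server to do, as an added example that is not code from this thread or from FreeIPA itself: given two consecutive codes from the token, the server searches a window of counters around its own (time-derived for TOTP, stored for HOTP) for a counter where both codes match, and stores the resulting offset for later logins. The seed, the timestamp, the 6-digit HMAC-SHA1 parameters, the 50-step window and the function names are constructed assumptions for illustration; FreeIPA's real window sizes and storage are not shown here.

```python
import hashlib
import hmac
import struct
import time

# Constructed example seed; a real token seed is a random, per-token secret.
EXAMPLE_SECRET = b"constructed-example-seed-not-a-real-token"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_counter(now=None, step=30):
    """RFC 6238 TOTP is HOTP with the counter derived from wall-clock time."""
    return int((time.time() if now is None else now) // step)


def find_sync_offset(secret, first_code, next_code, base_counter, window, allow_backward=True):
    """Token sync: scan counters around base_counter for a c where first_code matches c
    AND next_code matches c+1. Requiring two consecutive codes keeps a single lucky
    guess from re-synchronising a token. For HOTP pass the stored counter and set
    allow_backward=False, since a counter behind the server's would be a replay.
    Returns the offset (token counter minus server counter) or None if not found."""
    start = -window if allow_backward else 0
    for k in range(start, window + 1):
        c = base_counter + k
        if hmac.compare_digest(hotp(secret, c), first_code) and \
           hmac.compare_digest(hotp(secret, c + 1), next_code):
            return k
    return None


def verify_after_sync(secret, code, base_counter, offset, skew=1):
    """Normal login after sync: apply the stored offset and tolerate +/-skew steps of drift."""
    return any(hmac.compare_digest(hotp(secret, base_counter + offset + d), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    server_now = totp_counter(1_429_327_279)   # constructed timestamp (April 2015)
    drifted = server_now + 4                    # the phone's clock runs two minutes ahead
    codes = hotp(EXAMPLE_SECRET, drifted), hotp(EXAMPLE_SECRET, drifted + 1)
    print(find_sync_offset(EXAMPLE_SECRET, *codes, server_now, 50))  # 4
```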