[Freeipa-users] 4.1.4 and OTP

Janelle janellenicole80 at gmail.com
Tue Apr 28 15:26:23 UTC 2015


On 4/28/15 6:44 AM, Nathaniel McCallum wrote:
> On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
>> On 4/17/15 5:59 PM, Dmitri Pal wrote:
>>> On 04/17/2015 08:07 PM, Janelle wrote:
>>>>
>>>>
>>>>
>>>> On Apr 17, 2015, at 16:36, Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>>> On 04/17/2015 04:52 PM, Janelle wrote:
>>>>>>   On 4/17/15 1:19 PM, Dmitri Pal wrote:
>>>>>>> On 04/17/2015 01:20 PM, Janelle wrote:
>>>>>>>> On 4/17/15 9:53 AM, Dmitri Pal wrote:
>>>>>>>>> On 04/17/2015 11:16 AM, Janelle wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> Is anyone else having issues with OTP since
>>>>>>>>>> upgrading? For the life of me I can't get it to
>>>>>>>>>> accept "Sync" for the tokens. No matter what is put
>>>>>>>>>> in, it just keeps saying the username, password or
>>>>>>>>>> tokens entered are incorrect.
>>>>>>>>>>
>>>>>>>>>> To make it simple - I am trying this on a brand new
>>>>>>>>>> CentOS 7.1 system with a clean/fresh install of
>>>>>>>>>> FreeIPA 4.1.4 and yet it just refuses to work.
>>>>>>>>>>
>>>>>>>>>> I create a user -- configure them. They work just
>>>>>>>>>> fine with a password. Then add a token. Sync with
>>>>>>>>>> FreeOTP and that all works. Then going back to the
>>>>>>>>>> web UI and do Sync OTP and it simply refuses to
>>>>>>>>>> accept any values. And yet the same user can login
>>>>>>>>>> to the regular web UI with their password.
>>>>>>>>>>
>>>>>>>>>> I have tried setting the user to both Password and
>>>>>>>>>> OTP for auth methods. And also just OTP and nothing
>>>>>>>>>> works.
>>>>>>>>> Please look in the logs to see what is going on.
>>>>>>>>> You would need to look at the KDC, http and DS logs on
>>>>>>>>> the server to sort out what is going on.
>>>>>>>>>
>>>>>>>>> Do you change the password for the user first after
>>>>>>>>> creating him?
>>>>>>>>>
>>>>>>>>> Can you reproduce the problem with demo instance?
>>>>>>>>> http://www.freeipa.org/page/Demo
>>>>>>>>> If you can then we can take a look at the logs right
>>>>>>>>> away.
>>>>>>>>> Hints? Am I missing a step?
>>>>>>>>>
>>>>>>>>> ~J
>>>>>>>>>
>>>>>>>> It appears to be the UI. If I go through the steps and
>>>>>>>> let it "fail", I can still login using OTP to servers. I
>>>>>>>> made the assumption that the error itself was not an
>>>>>>>> error.. :-)
>>>>>>>>
>>>>>>>> ~J
>>>>>>>>
>>>>>>> I am not sure I get what you are saying. Do you still see
>>>>>>> the problem or you misinterpreted the UI and now the
>>>>>>> problem is gone? If you did is there any recommendation
>>>>>>> how to improve the UI not to confuse people?
>>>>>>>
>>>>>> The problem exists -- this is what it shows:
>>>>>> HOWEVER, it is still WORKING. Meaning, even if you get this
>>>>>> error, if you attempt to login with your FreeOTP token, it
>>>>>> WORKS.
>>>>>>
>>>>>> ~J
>>>>>>
>>>>>> <mime-attachment.png>
>>>>>>
>>>>>>
>>>>> Does it give you this error when you use password or password
>>>>> and token?
>>>>> Can you please describe the flow of steps in more details?
>>>>> I start browser, go here, click here, enter this, etc.
>>>>>
>>>>> Are you using SSSD to login to servers? Is SSSD configured
>>>>> with IPA provider or you configured it for LDAP manually.
>>>>> There is a difference between LDAP and Kerberos authentication.
>>>>>
>>>>> May be the following article will help you to understand the
>>>>> expectations:
>>>>> https://access.redhat.com/documentation/en
>>>>> -US/Red_Hat_Enterprise_Linux/7/html/System
>>>>> -Level_Authentication_Guide/authconfig-addl-auth.html#enable
>>>>> -otp
>>>>>
>>>>>
>>>>>
>>>> Simple. And my test made it simple.
>>>> Stand up new vm running fc21/freeipa.
>>>> Configure user.
>>>> Add password.
>>>> Add token.
>>>>
>>>> Login to the vm with the user created using password. Kerberos
>>>> ticket assigned, all is well.
>>>>
>>>> Login to web interface with admin. Change user to OTP only.
>>>> Go to web UI and click sync OTP.
>>>> Enter username, password and 2 OTP sequences. Click sync. Error
>>>> appears.
>>>>
>>>> Now, ssh to same vm using OTP username. Enter password + OTP
>>>> value.
>>>> Login successful.
>>> I can reproduce this issue with demo instance.
>>> I will file a bug later today.
>>> I think it is a bug with sync.
>>> Which token do you use time based or event based?
>> TOTP...
>>
>> Hmm, makes me wonder - with HOTP fail the same? Off to try it.
> This should just affect TOTP. I have posted a patch that should fix
> this problem. Are you able to test it?
>
> https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html
>
>
I shall give it a try and let you know.

~J
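The thread turns on two points: the UI's "Sync OTP" dialog, which takes a password plus two consecutive token values, and Dmitri's question of whether the token is time based (TOTP) or event based (HOTP). The following is an added illustration written for this page; it is not FreeIPA's code and makes no claim about where the reported bug is. It implements HOTP (RFC 4226) and TOTP (RFC 6238) and then shows what a two-code sync actually has to search for in each case: for HOTP the server looks for the counter position the device has advanced to, for TOTP it looks for the clock offset between device and server. The names `hotp`, `totp`, `sync_hotp`, `sync_totp`, the window sizes and the hypothetical search order are all choices of this example, and the shared secret is the RFC test-vector key, not a real token.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"),
# used here only so the values can be checked against the RFCs.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, now // step, digits, algo)


def sync_hotp(secret: bytes, first: str, second: str, server_counter: int,
              window: int = 100, digits: int = 6):
    """Event-based resync (assumed algorithm for this example).

    The device may have generated codes the server never saw, so its counter is
    ahead. Search forward from the server's counter for the position c where the
    two consecutive codes the user typed match c and c+1. Returns the counter the
    server should store next (c+2) or None if nothing matched inside the window.
    """
    for c in range(server_counter, server_counter + window):
        if hotp(secret, c, digits) == first and hotp(secret, c + 1, digits) == second:
            return c + 2
    return None


def sync_totp(secret: bytes, first: str, second: str, server_now: int,
              step: int = 30, window_steps: int = 50, digits: int = 6):
    """Time-based resync (assumed algorithm for this example).

    For TOTP the counter is derived from the clock, so there is no counter to
    advance; what the server needs is how far the device's clock is from its own.
    Search offsets k in steps around the server's current step for the k where the
    two codes match steps base+k and base+k+1. Returns the drift in seconds
    (negative if the device clock is behind) or None if no offset matched.
    """
    base = server_now // step
    # Search nearest offsets first so the smallest drift that explains the codes wins.
    for k in sorted(range(-window_steps, window_steps + 1), key=abs):
        if hotp(secret, base + k, digits) == first and hotp(secret, base + k + 1, digits) == second:
            return k * step
    return None


if __name__ == "__main__":
    # Constructed scenario: the device clock is 150 s behind the server.
    device_now, server_now = 1111111109, 1111111109 + 150
    code1, code2 = totp(RFC_SECRET, device_now), totp(RFC_SECRET, device_now + 30)
    print("HOTP(0) =", hotp(RFC_SECRET, 0))           # 755224 per RFC 4226
    print("TOTP drift (s) =", sync_totp(RFC_SECRET, code1, code2, server_now))
    print("HOTP next counter =", sync_hotp(RFC_SECRET, hotp(RFC_SECRET, 2), hotp(RFC_SECRET, 3), 0))
```

The practical point for reading the thread: a password check, an ssh login with password+OTP and a UI sync are three different code paths. Login only has to match one code against a small window around the server's current step, so it can succeed while a sync routine, which must match two consecutive codes at the same offset, fails for its own reasons. When a sync rejects valid codes, logging which step or counter was tried on the KDC side is what tells the two failures apart.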