[Freeipa-users] Ubuntu client 2FA not working

Jochen Hein jochen at jochen.org
Thu Feb 16 17:04:05 UTC 2017


Tommy Nikjoo <tommy.nikjoo at armourcomms.com> writes:

> I'm having some issues with 2FA PAM configs on Ubuntu clients.
> Currently, I'm guessing that the PAM module doesn't know how to talk to
> the 2FA protocol.  Is anyone able to give an insight into how to get
> this working correctly?

You may need to fix /etc/pam.d/common-auth, so that only pam_sss gets
called for IPA users:

# here are the per-package modules (the "Primary" block)
auth    [default=1 success=ok]          pam_localuser.so
auth    [success=3 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_succeed_if.so uid >= 1000 quiet_success
auth    [success=1 default=ignore]      pam_sss.so forward_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so


I'm running a 14.04 client with an older IPA client - there I have to
enter password+OTP in one string and it works perfectly.

On my 16.10 laptop I use IPA 4.3.2 against a CentOS 7.3 server. That
client had problems with OTP users which were not obvious to me.
The system asked for first and second factor but would give me system
error 7. I think the following entry in /etc/krb5.conf helped:

[libdefaults]
...
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
...

Otherwise please enable the debug trace and review the logs. They are
really verbose and you need to check both client and server for errors.
There is hope - I run Ubuntu clients with OTP users (OTP is via
privacyidea/radius, but that shouldn't matter).

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.
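A walkthrough of the control flow in that common-auth stack, added here as an example and not part of Jochen's mail: a small Python model of libpam's dispatch rules (simplified) that shows which modules actually run for a local user and for an IPA user, and why the jump counts matter. Module outcomes are constructed dictionaries, not a real PAM run.

```python
# Added example, not from the original mail: a small interpreter for the
# Linux-PAM control syntax used in the common-auth stack above, applying a
# simplified form of libpam's dispatch rules (ok/done/ignore/bad/die/jumps).
# Module outcomes come from constructed dictionaries, not from a real PAM run.
import re

COMMON_AUTH = """
auth    [default=1 success=ok]          pam_localuser.so
auth    [success=3 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_succeed_if.so uid >= 1000 quiet_success
auth    [success=1 default=ignore]      pam_sss.so forward_pass
auth    requisite                       pam_deny.so
"""
# Keyword controls written as their bracket equivalents (see pam.d(5)).
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"},
            "optional": {"success": "ok", "default": "ignore"}}
def parse_stack(text):
    """Return [(control dict, module), ...], one entry per 'auth' line."""
    stack = []
    for line in text.strip().splitlines():
        ctrl, module = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        control = (dict(kv.split("=") for kv in ctrl[1:-1].split())
                   if ctrl.startswith("[") else KEYWORDS[ctrl])
        stack.append((control, module))
    return stack

def run_stack(stack, outcomes):
    """outcomes = {module: 'success'|'fail'}; returns (result, modules called)."""
    impression, status, called, i = None, None, [], 0
    while i < len(stack):
        control, module = stack[i]
        result = outcomes.get(module, "fail")       # unlisted module fails
        called.append(module)
        action = control.get(result, control.get("default", "bad"))
        i += 1
        if action in ("ok", "done") or action.isdigit():
            # status only updates while undefined or still successful (libpam 'ok')
            if impression is None or (impression, status) == ("pos", "success"):
                impression, status = ("pos" if result == "success" else impression), result
            if action == "done" and impression == "pos":
                break                               # sufficient: stop early
            if action.isdigit():
                i += int(action)                    # jump over the next N entries
        elif action == "bad" and impression != "neg":
            impression, status = "neg", result      # required failure: keep going
        elif action == "die":
            impression, status, i = "neg", result, len(stack)   # requisite: stop
    return (status if impression is not None else "fail"), called
```

For an IPA user the model calls pam_localuser, pam_succeed_if and pam_sss only; for a local user with a good password pam_unix's success=3 jumps straight past pam_sss and pam_deny.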




More information about the Freeipa-users mailing list