[Freeipa-users] Why OTP not working

Andrey Dudin dudin.andrey at gmail.com
Tue May 16 19:51:52 UTC 2017


Hello all.

I am trying to use OTP auth in FreeIPA but have some problems.

I have user *test:*

[root at ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: test at MYDOMAIN.COM
  Principal alias: test at MYDOMAIN.COM
  Email address: test at mydomain.com
  UID: 152200001
  GID: 152200001
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True


And his token:

[root at ipa-centos]# ipa otptoken-show 7fa47f65-dc72-486e-8dd4-6393c7e389bd
  Unique ID: 7fa47f65-dc72-486e-8dd4-6393c7e389bd
  Type: TOTP
  Owner: test
  Manager: test


Server with FreeIpa:

[root at ipa-centos]# ipa host-show ipa-centos.mydomain.com
  Host name: ipa-centos.mydomain.com
  Principal name: host/ipa-centos.mydomain.com at MYDOMAIN.COM
  Principal alias: host/ipa-centos.mydomain.com at MYDOMAIN.COM
  SSH public key fingerprint: %some fingerprints%
  Authentication Indicators: otp
  Password: False
  Member of host-groups: ipaservers
  Keytab: True
  Managed by: ipa-centos.mydomain.com


And the default FreeIPA HTTP service:

[root at ipa-centos]# ipa service-show http/ipa-centos.mydomain.com
  Principal name: HTTP/ipa-centos.mydomain.com at MYDOMAIN.COM
  Principal alias: HTTP/ipa-centos.mydomain.com at MYDOMAIN.COM
  Certificate: %cert%
  Subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
  Serial Number: 9
  Serial Number (hex): 0x9
  Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  Not Before: Tue May 16 11:32:36 2017 UTC
  Not After: Fri May 17 11:32:36 2019 UTC
  Fingerprint (MD5): e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
  Fingerprint (SHA1): de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
  Authentication Indicators: otp
  Keytab: True
  Managed by: ipa-centos.mydomain.com


As you can see, all properties for OTP auth in the FreeIPA web interface are
applied, but I can log in to the web interface only using the password; if I try
logging in with password+otptoken I get an error.

What's wrong?

[root at ipa-centos]# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

[root at ipa-centos]# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"