<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 04/17/2015 08:07 PM, Janelle wrote:<br>
</div>
<blockquote
cite="mid:8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com"
type="cite">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div><br>
<br>
<br>
</div>
<div><br>
On Apr 17, 2015, at 16:36, Dmitri Pal <<a
moz-do-not-send="true" href="mailto:dpal@redhat.com">dpal@redhat.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<meta content="text/html; charset=UTF-8"
http-equiv="Content-Type">
<div class="moz-cite-prefix">On 04/17/2015 04:52 PM, Janelle
wrote:<br>
</div>
<blockquote cite="mid:55317279.3010107@gmail.com" type="cite">
<meta content="text/html; charset=UTF-8"
http-equiv="Content-Type">
On 4/17/15 1:19 PM, Dmitri Pal wrote:<br>
<blockquote cite="mid:55316ABF.1000606@redhat.com" type="cite">On
04/17/2015 01:20 PM, Janelle wrote: <br>
<blockquote type="cite">On 4/17/15 9:53 AM, Dmitri Pal
wrote: <br>
<blockquote type="cite">On 04/17/2015 11:16 AM, Janelle
wrote: <br>
<blockquote type="cite">Hi, <br>
<br>
Is anyone else having issues with OTP since upgrading?
For the life of me I can't get it to accept "Sync" for
the tokens. No matter what is put in, it just keeps
saying the username, password or tokens entered are
incorrect. <br>
<br>
To make it simple - I am tryign this on a brand new
CentOS 7.1 system with a clean/fresh install of
FreeIPA 4.1.4 and yet it just refuses to work. <br>
<br>
I create a user -- configure them. They work just fine
with a password. Then add a token. Sync with FreeOTP
and that all works. Then going back to the web UI and
do Sync OTP and it simply refuses to accept any
values. And yet the same user can login to the regular
web UI with their password. <br>
<br>
I have tried setting the user to both Password and OTP
for auth methods. And also just OTP and nothing works.
<br>
</blockquote>
<br>
Please look in the logs to see what is going on. <br>
You would need to look at the KDC, http and DS logs on
the server to sort out what is going on. <br>
<br>
Do you change the password for the user first after
creating him? <br>
<br>
Can you reproduce the problem with demo instance? <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.freeipa.org/page/Demo">http://www.freeipa.org/page/Demo</a>
<br>
If you can then we can take a look at the logs right
away. <br>
Hints? Am I missing a step? <br>
<br>
~J <br>
<br>
</blockquote>
It appears to be the UI. If I go through the steps and let
it "fail", I can still login using OTP to servers. I made
the assumption that the error itself was not an error..
:-) <br>
<br>
~J <br>
<br>
</blockquote>
I am not sure I get what you are saying. Do you still see
the problem or you misinterpreted the UI and now the problem
is gone? If you did is there any recommendation how to
improve the UI not to confuse people? <br>
<br>
</blockquote>
The problem exists -- this is what it shows:<br>
HOWEVER, it is still WORKING. Meaning, even if you get this
error, if you attempt to login with your FreeOTP token, it
WORKS.<br>
<br>
~J<br>
<br>
<mime-attachment.png><br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
Does it give you this error when you use password or password
and token?<br>
Can you please describe the flow of steps in more details?<br>
I start browser, go here, click here, enter this, etc.<br>
<br>
Are you using SSSD to login to servers? Is SSSD configured with
IPA provider or you configured it for LDAP manually. There is a
difference between LDAP and Kerberos authentication.<br>
<br>
May be the following article will help you to understand the
expectations:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp</a><br>
<br>
<br>
<br>
I suspect it is some combination of flags and protocols that is
confusing</blockquote>
<br>
<div>Simple. And my test made it simple.</div>
<div>Stand up new vm running fc21/freeipa.</div>
<div>Configure user.</div>
<div>Add password.</div>
<div>Add token.</div>
<div><br>
</div>
<div>Login to the vm with the user created using password.
Kerberos ticket assigned, all is well.<br>
</div>
</blockquote>
<blockquote
cite="mid:8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com"
type="cite">
<div><br>
</div>
<div>Login to web interface with admin. Change user to OTP only.</div>
<div>Go to web UI and click sync OTP. </div>
<div>Enter username, password and 2 OTP sequences. Click sync.
Error appears.</div>
<div><br>
</div>
<div>Now, ssh to same vm using OTP username. Enter password + OTP
value.</div>
<div>Login successful.</div>
</blockquote>
<br>
I can reproduce this issue with demo instance.<br>
I will file a bug later today.<br>
I think it is a bug with sync.<br>
Which token do you use time based or event based?<br>
<br>
<blockquote
cite="mid:8898FB62-D73E-4D51-BE4B-2C0F6A903970@gmail.com"
type="cite">
<div><br>
</div>
<div>Logout.</div>
<div>Repeat, but try JUST the password, and it fails.</div>
<div><br>
</div>
<div>???</div>
<div>~J</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>