<div dir="ltr">Of course, <div><br></div><div>could you point me to the logs you would be interested in?</div><div><br></div><div>Regards</div><div>Alessandro</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 29 February 2016 at 05:44, Simo Sorce <span dir="ltr"><<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, 2016-02-29 at 00:11 +0000, Alessandro De Maria wrote:<br> > Solved.<br> > This turned out to be the ipa-otp process stuck on one of the 2 servers.<br> > The VPN requests where being sent to the other server which was working fine<br> ><br> > a simple restart of ipa fixed it.<br> <br> </span>Do you have any logs that show any error from the ipa-otpd process<br> It would be nice to fix any issue it may have.<br> <br> Simo.<br> <div><div class="h5"><br> > Regards<br> ><br> > On 28 February 2016 at 23:17, Alessandro De Maria <<br> > <a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a>> wrote:<br> ><br> > > Hello,<br> > ><br> > > since I upgraded to 4.2.0 on Centos, OTPs do not seem to work anymore.<br> > > Name : ipa-server<br> > > Version : 4.2.0<br> > > Release : 15.el7_2.6<br> > ><br> > > The error I see in the<br> > > Feb 28 23:01:40 id1 krb5kdc[2894](info): AS_REQ (6 etypes {18 17 16 23 25<br> > > 26}) <a href="http://10.0.1.10" rel="noreferrer" target="_blank">10.0.1.10</a>: NEEDED_PREAUTH: <a href="mailto:alessandro@XX.COM">alessandro@XX.COM</a> for krbtgt/<a href="mailto:XX.COM@XX.COM">XX.COM@XX.COM</a>,<br> > > Additional pre-authentication required<br> > > Feb 28 23:01:41 <a href="http://id1.XX.com" rel="noreferrer" target="_blank">id1.XX.com</a> krb5kdc[2896](info): AS_REQ (6 etypes {18 17<br> > > 16 23 25 26}) <a href="http://10.0.1.10" rel="noreferrer" target="_blank">10.0.1.10</a>: PREAUTH_FAILED: <a href="mailto:alessandro@XX.COM">alessandro@XX.COM</a> for krbtgt/<br> > > <a href="mailto:XX.COM@XX.COM">XX.COM@XX.COM</a>, Incorrect password in encrypted challenge<br> > ><br> > > I tried syncing the OTP and also creating a new one.<br> > > Strangely enough I can connect OK with the VPN supplying password + OTP,<br> > > but OTP is not working on both freeipa gui and when issuing sudo.<br> > ><br> > > Could someone help me understand what is going on?<br> > ><br> > > Regards<br> > > Alessandro<br> > ><br> > ><br> > > --<br> > > Alessandro De Maria<br> > > <a href="mailto:alessandro.demaria@gmail.com">alessandro.demaria@gmail.com</a><br> > ><br> ><br> ><br> ><br> > --<br> </div></div>> Manage your subscription for the Freeipa-users mailing list:<br> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> > Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br> <span class="HOEnZb"><font color="#888888"><br> <br> --<br> Simo Sorce * Red Hat, Inc * New York<br> <br> </font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Alessandro De Maria<br><a href="mailto:alessandro.demaria@gmail.com" target="_blank">alessandro.demaria@gmail.com</a></div> </div>