<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font face="Carlito">Hi all,</font></p>
<p><font face="Carlito"><br>
</font></p>
<p><font face="Carlito">Yes, I checked that one also. The IPA-server is
running ntp and is in sync. The FreeOTP app is running on my
phone which is synced by network, all looks fine....</font></p>
<p><font face="Carlito"><br>
Forgot to mention: this IPA-server is running on Fedora ARM on a
Bananapi. Non-OTP logins go well.</font></p>
<p><font face="Carlito"><br>
</font></p>
<p><font face="Carlito">Winny<br>
</font></p>
<br>
<div class="moz-cite-prefix">Op 07-06-16 om 16:56 schreef Prashant
Bapat:<br>
</div>
<blockquote
cite="mid:CAN9aUrgJ4SRvcvKPiCM1V77P_WoFN72qOoPvhjzm6rKSXzHxHA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:'trebuchet
ms',sans-serif">If this is TOTP (time based) you want to
double check the time is properly set in both the server (NTP)
and the device that is generating the OTP tokens. I have had
issues with this with my users a couple of times. </div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 7 June 2016 at 19:43, Alexander
Bokovoy <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On Tue, 07 Jun 2016, Winfried de Heiden wrote:<br>
</span>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all,<span class=""><br>
I tried the FreeIPA webUI, ssh and "su - otpuser", all
the same result.<br>
</span></blockquote>
Ok.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpuser@BLABLA.BLA for krbtgt/BLABLA.BLA@BLABLA.BLA, Additional pre-authentication required<br>
Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing down fd 12<br>
Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth (otp) verify failure: Connection timed out<br>
<br>
I just cannot figure out what's going wrong. What is trying to connect to
causing this timeout? (yep, I disabled firewalld for this...)<br>
</blockquote>
</span>
What is the output of systemctl status ipa-otpd.socket?<br>
<br>
If it is disabled, do<br>
<br>
systemctl enable ipa-otpd.socket<br>
systemctl start ipa-otpd.socket
<div class="HOEnZb">
<div class="h5"><br>
<br>
-- <br>
/ Alexander Bokovoy<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
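<p>Added example, not part of the original messages: a small triage of the krb5kdc lines quoted in the thread, pairing the OTP verify failure with the preceding NEEDED_PREAUTH and reporting the delay and reason. The function and field names are hypothetical, and reading a timeout as "the KDC got no answer from its OTP backend" is this example's interpretation, in line with the reply's pointer to ipa-otpd.socket.</p>
<pre>
```python
import re
from datetime import datetime

# The krb5kdc lines quoted in the thread, rejoined one per line (mail
# wrapping undone; hostname and realm are the poster's placeholders).
SAMPLE = """\
Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpuser@BLABLA.BLA for krbtgt/BLABLA.BLA@BLABLA.BLA, Additional pre-authentication required
Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing down fd 12
Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth (otp) verify failure: Connection timed out
"""

LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[(\d+)\]\(info\): (.*)$")
NEEDED = re.compile(r"NEEDED_PREAUTH: (\S+) for ")
OTP_FAIL = re.compile(r"^preauth \(otp\) verify failure: (.+)$")

def triage(log_text, year=2016):
    """Pair each OTP verify failure with the latest NEEDED_PREAUTH before it.

    The failure line names no principal, so the pairing is a heuristic and
    is ambiguous when several users log in at once. Syslog stamps carry no
    year, so one is supplied (assumption: 2016, the date of the thread).
    """
    findings, last = [], None  # last = (timestamp, principal)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # not a krb5kdc info line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        need = NEEDED.search(msg)
        if need:
            last = (ts, need.group(1))
            continue
        fail = OTP_FAIL.match(msg)
        if fail is None:
            continue
        reason = fail.group(1)
        findings.append({
            "principal": last[1] if last else None,
            "delay_s": (ts - last[0]).total_seconds() if last else None,
            "pid": int(m.group(2)),
            "reason": reason,
            # A timeout means no verdict came back, so the code itself was
            # never judged; check the OTP backend before suspecting the token.
            "backend_unreachable": "timed out" in reason.lower(),
        })
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
</pre>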
<br>
</body>
</html>