<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Carlito">Hi all,</font><br>
<font face="Carlito"><br>
</font><br>
<font face="Carlito">Yep, I noticed that before; this service should
be running, and I enabled it:<br>
<br>
</font><font face="Carlito">[root@ipa log]# systemctl status
ipa-otpd.socket<br>
* ipa-otpd.socket - ipa-otpd socket<br>
Loaded: loaded (/usr/lib/systemd/system/ipa-otpd.socket;
enabled; vendor preset: disabled)<br>
Active: active (listening) since Tue 2016-06-07 13:55:58 CEST;
2h 18min ago<br>
Listen: /var/run/krb5kdc/DEFAULT.socket (Stream)<br>
Accepted: 39; Connected: 0<br>
Process: 6002 ExecStopPre=/usr/bin/unlink
/var/run/krb5kdc/DEFAULT.socket (code=exited, status=0/SUCCESS)<br>
<br>
Jun 07 13:55:58 ipa.blabla.bla systemd[1]: Listening on ipa-otpd
socket.<br>
Jun 07 13:55:58 ipa.blabla.bla systemd[1]: Starting ipa-otpd
socket.<br>
</font><br>
<font face="Carlito">Some more debugging information:</font><br>
<font face="Carlito"><br>
</font><br>
<font face="Carlito">export KRB5_TRACE=/dev/stderr</font><br>
<font face="Carlito">kinit -T
KEYRING:persistent:10001:krb_ccache_5juXsff otpuser</font><br>
<font face="Carlito"><br>
</font><br>
<font face="Carlito">will give:</font><br>
<font face="Carlito">Enter OTP Token Value: <br>
[6698] 1465308806.678620: Preauth module otp (141) (real)
returned: 0/Success<br>
[6698] 1465308806.678713: Produced preauth for next request: 133,
142<br>
[6698] 1465308806.678771: Encoding request body and padata into
FAST request<br>
[6698] 1465308806.679291: Sending request (1095 bytes) to
BLABLA.BLA<br>
[6698] 1465308806.680399: Initiating TCP connection to stream
192.168.1.251:88<br>
[6698] 1465308806.681090: Sending TCP request to stream
192.168.1.251:88<br>
[6698] 1465308811.740101: Received answer (548 bytes) from stream
192.168.1.251:88<br>
[6698] 1465308811.740223: Terminating TCP connection to stream
192.168.1.251:88<br>
[6698] 1465308811.740774: Response was from master KDC<br>
[6698] 1465308811.740997: Received error from KDC:
-1765328360/Preauthentication failed<br>
[6698] 1465308811.741057: Decoding FAST response<br>
[6698] 1465308811.741567: Preauth tryagain input types: 136, 141,
133, 137<br>
kinit: Preauthentication failed while getting initial credentials<br>
</font><br>
<font face="Carlito">Winny<br>
</font><br>
<br>
<br>
<div class="moz-cite-prefix">On 07-06-16 at 16:13, Alexander
Bokovoy wrote:<br>
</div>
<blockquote cite="mid:20160607141344.a55hvf64n6k3rbht@redhat.com"
type="cite">On Tue, 07 Jun 2016, Winfried de Heiden wrote:
<br>
<blockquote type="cite">Hi all,
<br>
I tried the FreeIPA webUI, ssh and "su - otpuser", all the same
result.
<br>
</blockquote>
Ok.
<br>
<br>
<blockquote type="cite"> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpuser@BLABLA.BLA for krbtgt/BLABLA.BLA@BLABLA.BLA, Additional pre-authentication required
<br>
Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing down fd 12
<br>
Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth (otp) verify failure: Connection timed out
<br>
<br>
I just cannot figure out what's going wrong. What is trying to connect to causing this timeout? (yep, I disabled firewalld for this...)
<br>
</blockquote>
What is the output of systemctl status ipa-otpd.socket?
<br>
<br>
If it is disabled, do
<br>
<br>
systemctl enable ipa-otpd.socket
<br>
systemctl start ipa-otpd.socket
<br>
<br>
</blockquote>
<br>
</body>
</html>