<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Do HOTP tokens work fine?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 7 June 2016 at 20:37, Winfried de Heiden <span dir="ltr"><<a href="mailto:wdh@dds.nl" target="_blank">wdh@dds.nl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p><font face="Carlito">Hi all,</font></p>
<p><font face="Carlito"><br>
</font></p>
<p><font face="Carlito">Yes, I checked that one also. The IPA server is
running ntp and is in sync. The FreeOTP app is running on my
phone, which is synced by network; all looks fine....</font></p>
<p><font face="Carlito"><br>
Forgot to mention: this IPA server is running on Fedora ARM on a
Bananapi. Non-OTP logins go well.</font></p>
<p><font face="Carlito"><br>
</font></p>
<p><font face="Carlito">Winny<br>
</font></p>
<p><font face="Carlito"><br>
</font></p>
<p><font face="Carlito"></font><br>
</p>
<br>
<div>On 07-06-16 at 16:56, Prashant
Bapat wrote:<br>
</div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default">If this is TOTP (time based), you want to
double check the time is properly set in both the server (NTP)
and the device that is generating the OTP tokens. I have had
issues with this with my users a couple of times.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 7 June 2016 at 19:43, Alexander
Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Tue, 07 Jun 2016, Winfried de Heiden wrote:<br>
</span>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all,<span><br>
I tried the FreeIPA webUI, ssh and "su - otpuser", all
the same result.<br>
</span></blockquote>
Ok.<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Jun 07 14:44:37 ipa.blabla.bla
krb5kdc[5887](info): AS_REQ<br>
(6 etypes {18 17 16<br>
23 25 26}) <a href="http://192.168.1.251" rel="noreferrer" target="_blank">192.168.1.251</a>: NEEDED_PREAUTH:<br>
<a href="mailto:otpuser@BLABLA.BLA" target="_blank">otpuser@BLABLA.BLA</a> for krbtgt/<br>
<a href="mailto:BLABLA.BLA@BLABLA.BLA" target="_blank">BLABLA.BLA@BLABLA.BLA</a>, Additional
pre-authentication<br>
required<br>
Jun 07 14:44:37 ipa.blabla.bla
krb5kdc[5887](info): closing<br>
down fd 12<br>
Jun 07 14:44:42 ipa.blabla.bla
krb5kdc[5888](info): preauth<br>
(otp) verify<br>
failure: Connection timed out<br>
<br>
I just cannot figure out what's going wrong.
What is trying<br>
to connect to<br>
causing this timeout? (yep, I disabled
firewalld for<br>
this...)<br>
</blockquote>
</span>
What is the output of systemctl status ipa-otpd.socket<br>
?<br>
<br>
If it is disabled, do<br>
<br>
systemctl enable ipa-otpd.socket<br>
systemctl start ipa-otpd.socket
<div>
<div><br>
<br>
-- <br>
/ Alexander Bokovoy<br>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing
list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info
on the project<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>
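<p>The TOTP clock check and the HOTP question raised in this thread, as an added example that is not part of the original messages or of FreeIPA's code: TOTP (RFC 6238) is HOTP (RFC 4226) with the counter derived from the clock, so a device whose clock falls outside the verifier's acceptance window produces a code that is rejected. The secret is the RFC 4226 test key; the 30-second step, the one-step window and all function names are assumptions for illustration, not FreeIPA's configured values.</p>

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 test key (constructed input, not a real token secret)
STEP = 30                         # assumed TOTP time step in seconds (RFC 6238 default)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, int(unix_time) // STEP, digits)


def verify_totp(secret, code, server_time, window=1):
    """Return the step offset at which `code` matches, or None if rejected.

    `window` is the number of steps of clock drift tolerated either side
    of the server's current step (an assumed policy for this example).
    """
    current = int(server_time) // STEP
    for delta in range(-window, window + 1):
        if current + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, current + delta), code):
            return delta
    return None


def skew_report(server_time, device_offsets, window=1):
    """Map each device clock offset (seconds) to the verifier's result."""
    return {
        off: verify_totp(SECRET, totp(SECRET, server_time + off), server_time, window)
        for off in device_offsets
    }


if __name__ == "__main__":
    for off, result in skew_report(59, [0, -30, 120]).items():
        verdict = "rejected" if result is None else f"accepted at step {result:+d}"
        print(f"device clock {off:+4d}s -> {verdict}")
```

An HOTP token takes no input from the clock, so it is unaffected by skew; its failure mode is the counter on the device drifting ahead of the counter stored on the server.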