<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Carlito">Hi all,</font><br>
<font face="Carlito"><br>
</font><br>
<font face="Carlito">Well, the libverto is there some time allready
(yep, it's running on a Bananapi!), doesn't feel like a recent
update, so a <br>
</font><br>
<br>
<blockquote><font face="Carlito">Name : libverto</font><br>
<font face="Carlito">Version : 0.2.6</font><br>
<font face="Carlito">Release : 5.fc23</font><br>
<font face="Carlito">Architecture: armv7hl</font><br>
<font face="Carlito">Install Date: Thu Jan 1 01:08:24 1970</font><br>
<font face="Carlito">Group : Unspecified</font><br>
<font face="Carlito">Size : 21896</font><br>
<font face="Carlito">License : MIT</font><br>
<font face="Carlito">Signature : RSA/SHA256, Sun Jun 21 06:24:46
2015, Key ID 32474cf834ec9cba</font><br>
<font face="Carlito">Source RPM : libverto-0.2.6-5.fc23.src.rpm</font><br>
<font face="Carlito">Build Date : Wed Jun 17 20:37:05 2015</font><br>
<font face="Carlito">Build Host :
arm04-builder19.arm.fedoraproject.org</font><br>
</blockquote>
<br>
<font face="Carlito">No, no previous build available...<br>
</font><br>
<blockquote><font face="Carlito">[root@ipa boot]# dnf downgrade
libverto</font><br>
<font face="Carlito">Last metadata expiration check: 0:10:21 ago
on Wed Jun 8 08:19:53 2016.</font><br>
<font face="Carlito">Package libverto of lowest version already
installed, cannot downgrade it.</font><br>
<font face="Carlito">Error: Nothing to do.</font><br>
</blockquote>
<br>
<br>
<i>My first guess is that you are hitting this bug:
</i><i><a class="moz-txt-link-freetext"
href="https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089">https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089</a></i><i>9904e</i><br>
<font face="Carlito"></font><br>
What to do about it...? <br>
<br>
<br>
Winny<br>
<br>
<div class="moz-cite-prefix">Op 07-06-16 om 19:15 schreef Nathaniel
McCallum:<br>
</div>
<blockquote cite="mid:1465319719.2595.7.camel@redhat.com"
type="cite">
<pre wrap="">On Tue, 2016-06-07 at 19:42 +0300, Alexander Bokovoy wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Adding Nathaniel to look into it.
On Tue, 07 Jun 2016, Winfried de Heiden wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Adn some more dubgging for you guys...:
un 7 17:00:52 ipa systemd: Started ipa-otpd service (PID 5887/UID
0).
Jun 7 17:00:52 ipa audit: SERVICE_START pid=1 uid=0
auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@
51-5887-
0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=?
res=success'
Jun 7 17:00:52 ipa systemd: Starting ipa-otpd service (PID
5887/UID 0)...
Jun 7 17:00:52 ipa ipa-otpd: LDAP: ldapi://%2fvar%2frun%2fslapd-
BLABLA-
BLA.socket
Jun 7 17:00:52 ipa ipa-otpd: <a class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: request received
Jun 7 17:00:52 ipa ipa-otpd: <a class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: user query start
Jun 7 17:00:52 ipa ipa-otpd: <a class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: user query end:
uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla
Jun 7 17:00:52 ipa ipa-otpd: <a class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: bind start:
uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla
Jun 7 17:00:52 ipa ipa-otpd: <a class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: bind end: success
Jun 7 17:00:52 ipa ipa-otpd: <a class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: response sent:
Access-Accept
Jun 7 17:00:52 ipa ipa-otpd: stdio.c:073: Connection reset by
peer: Error
receiving packet
Jun 7 17:00:52 ipa systemd: <a class="moz-txt-link-abbreviated" href="mailto:ipa-otpd@51-5887-0.service">ipa-otpd@51-5887-0.service</a>: Main
process exited,
code=exited, status=1/FAILURE
Jun 7 17:00:52 ipa systemd: <a class="moz-txt-link-abbreviated" href="mailto:ipa-otpd@51-5887-0.service">ipa-otpd@51-5887-0.service</a>: Unit
entered failed
state.
Forgot to mention, I'm running FreeIPA on Fedora ARM on a Bananapi
:) All
other, non-OTP, login are OK.
Winny
</pre>
</blockquote>
</blockquote>
<pre wrap="">
That error is misleading. All that is happening is that ipa-otpd is
closing down after krb5kdc closes the socket.
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Op 07-06-16 om 16:13 schreef Alexander Bokovoy:
On Tue, 07 Jun 2016, Winfried de Heiden wrote:
Hi all,
I tried the FreeIPA webUI, ssh and "su - otpuser", all the
same result.
Ok.
Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887]
(info): AS_REQ
(6 etypes {18 17 16
23 25 26}) 192.168.1.251: NEEDED_PREAUTH:
<a class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a> for krbtgt/
<a class="moz-txt-link-abbreviated" href="mailto:BLABLA.BLA@BLABLA.BLA">BLABLA.BLA@BLABLA.BLA</a>, Additional pre-
authentication
required
Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887]
(info): closing
down fd 12
Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888]
(info): preauth
(otp) verify
failure: Connection timed out
I just cannot figure out what's going wrong. What
is trying
to connect to
causing this timeout? (yep, I disabled firewalld
for
this...)
What is the output of systemctl status ipa-otpd.socket
?
if it is disabled, do
systemctl enable ipa-otpd.socket
systemctl start ipa-otpd.socket
</pre>
</blockquote>
</blockquote>
<pre wrap="">
My first guess is that you are hitting this bug:
<a class="moz-txt-link-freetext" href="https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089">https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089</a>
9904e
My second guess is that you should try a different libverto backend and
see if the problem goes away. If so, please let me know which backend
had problems.
</pre>
</blockquote>
<br>
</body>
</html>