<html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> The libverto used on RHEL 7.2 (itś working there) is v0.2.5-4 build date January 26 2014, so that's an older one. Is this more recent one causing the problems....? How to test? Winny <div class="moz-cite-prefix">Op 08-06-16 om 08:34 schreef Winfried de Heiden: </div> <blockquote cite="mid:d795f38a-aa40-e45e-07f8-35d4d0263937@dds.nl" type="cite"> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> Hi all, Well, the libverto is there some time allready (yep, it's running on a Bananapi!), doesn't feel like a recent update, so a <blockquote>Name : libverto Version : 0.2.6 Release : 5.fc23 Architecture: armv7hl Install Date: Thu Jan 1 01:08:24 1970 Group : Unspecified Size : 21896 License : MIT Signature : RSA/SHA256, Sun Jun 21 06:24:46 2015, Key ID 32474cf834ec9cba Source RPM : libverto-0.2.6-5.fc23.src.rpm Build Date : Wed Jun 17 20:37:05 2015 Build Host : arm04-builder19.arm.fedoraproject.org </blockquote> No, no previous build available... <blockquote>[root@ipa boot]# dnf downgrade libverto Last metadata expiration check: 0:10:21 ago on Wed Jun 8 08:19:53 2016. Package libverto of lowest version already installed, cannot downgrade it. Error: Nothing to do. </blockquote> My first guess is that you are hitting this bug: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089"><a class="moz-txt-link-freetext" href="https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089">https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089</a></a>9904e What to do about it...? Winny <div class="moz-cite-prefix">Op 07-06-16 om 19:15 schreef Nathaniel McCallum: </div> <blockquote cite="mid:1465319719.2595.7.camel@redhat.com" type="cite"> <pre wrap="">On Tue, 2016-06-07 at 19:42 +0300, Alexander Bokovoy wrote: </pre> <blockquote type="cite"> <pre wrap="">Adding Nathaniel to look into it. On Tue, 07 Jun 2016, Winfried de Heiden wrote: </pre> <blockquote type="cite"> <pre wrap="">Adn some more dubgging for you guys...: un 7 17:00:52 ipa systemd: Started ipa-otpd service (PID 5887/UID 0). Jun 7 17:00:52 ipa audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@ 51-5887- 0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jun 7 17:00:52 ipa systemd: Starting ipa-otpd service (PID 5887/UID 0)... Jun 7 17:00:52 ipa ipa-otpd: LDAP: ldapi://%2fvar%2frun%2fslapd- BLABLA- BLA.socket Jun 7 17:00:52 ipa ipa-otpd: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: request received Jun 7 17:00:52 ipa ipa-otpd: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: user query start Jun 7 17:00:52 ipa ipa-otpd: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: user query end: uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla Jun 7 17:00:52 ipa ipa-otpd: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: bind start: uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla Jun 7 17:00:52 ipa ipa-otpd: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: bind end: success Jun 7 17:00:52 ipa ipa-otpd: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a>: response sent: Access-Accept Jun 7 17:00:52 ipa ipa-otpd: stdio.c:073: Connection reset by peer: Error receiving packet Jun 7 17:00:52 ipa systemd: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ipa-otpd@51-5887-0.service">ipa-otpd@51-5887-0.service</a>: Main process exited, code=exited, status=1/FAILURE Jun 7 17:00:52 ipa systemd: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ipa-otpd@51-5887-0.service">ipa-otpd@51-5887-0.service</a>: Unit entered failed state. Forgot to mention, I'm running FreeIPA on Fedora ARM on a Bananapi :) All other, non-OTP, login are OK. Winny </pre> </blockquote> </blockquote> <pre wrap="">That error is misleading. All that is happening is that ipa-otpd is closing down after krb5kdc closes the socket. </pre> <blockquote type="cite"> <blockquote type="cite"> <pre wrap="">Op 07-06-16 om 16:13 schreef Alexander Bokovoy: On Tue, 07 Jun 2016, Winfried de Heiden wrote: Hi all, I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result. Ok. Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887] (info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:otpuser@BLABLA.BLA">otpuser@BLABLA.BLA</a> for krbtgt/ <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:BLABLA.BLA@BLABLA.BLA">BLABLA.BLA@BLABLA.BLA</a>, Additional pre- authentication required Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887] (info): closing down fd 12 Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888] (info): preauth (otp) verify failure: Connection timed out I just cannot figure out what's going wrong. What is trying to connect to causing this timeout? (yep, I disabled firewalld for this...) What is the output of systemctl status ipa-otpd.socket ? if it is disabled, do systemctl enable ipa-otpd.socket systemctl start ipa-otpd.socket </pre> </blockquote> </blockquote> <pre wrap="">My first guess is that you are hitting this bug: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089">https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089</a> 9904e My second guess is that you should try a different libverto backend and see if the problem goes away. If so, please let me know which backend had problems. </pre> </blockquote> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>