On Mon, 2016-02-29 at 16:49 +0000, Alessandro De Maria wrote: > Of course, > > could you point me to the logs you would be interested in?
Probably the kdc logs, I am not sure we directly log from ipa-otpd, but you could take a look at the journal/syslog too ? Simo. > Regards > Alessandro > > On 29 February 2016 at 05:44, Simo Sorce <s...@redhat.com> wrote: > > > On Mon, 2016-02-29 at 00:11 +0000, Alessandro De Maria wrote: > > > Solved. > > > This turned out to be the ipa-otp process stuck on one of the 2 servers. > > > The VPN requests where being sent to the other server which was working > > fine > > > > > > a simple restart of ipa fixed it. > > > > Do you have any logs that show any error from the ipa-otpd process > > It would be nice to fix any issue it may have. > > > > Simo. > > > > > Regards > > > > > > On 28 February 2016 at 23:17, Alessandro De Maria < > > > alessandro.dema...@gmail.com> wrote: > > > > > > > Hello, > > > > > > > > since I upgraded to 4.2.0 on Centos, OTPs do not seem to work anymore. > > > > Name : ipa-server > > > > Version : 4.2.0 > > > > Release : 15.el7_2.6 > > > > > > > > The error I see in the > > > > Feb 28 23:01:40 id1 krb5kdc[2894](info): AS_REQ (6 etypes {18 17 16 23 > > 25 > > > > 26}) 10.0.1.10: NEEDED_PREAUTH: alessan...@xx.com for krbtgt/ > > xx....@xx.com, > > > > Additional pre-authentication required > > > > Feb 28 23:01:41 id1.XX.com krb5kdc[2896](info): AS_REQ (6 etypes {18 > > 17 > > > > 16 23 25 26}) 10.0.1.10: PREAUTH_FAILED: alessan...@xx.com for krbtgt/ > > > > xx....@xx.com, Incorrect password in encrypted challenge > > > > > > > > I tried syncing the OTP and also creating a new one. > > > > Strangely enough I can connect OK with the VPN supplying password + > > OTP, > > > > but OTP is not working on both freeipa gui and when issuing sudo. > > > > > > > > Could someone help me understand what is going on? > > > > > > > > Regards > > > > Alessandro > > > > > > > > > > > > -- > > > > Alessandro De Maria > > > > alessandro.dema...@gmail.com > > > > > > > > > > > > > > > > -- > > > Manage your subscription for the Freeipa-users mailing list: > > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > Go to http://freeipa.org for more info on the project > > > > > > -- > > Simo Sorce * Red Hat, Inc * New York > > > > > > -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project