Hello all. I am trying to use OTP auth in FreeIPA but have some problems.
I have user *test:*

    [root@ipa-centos]# ipa user-show test
      User login: test
      First name: test
      Last name: test
      Home directory: /home/test
      Login shell: /bin/sh
      Principal name: t...@mydomain.com
      Principal alias: t...@mydomain.com
      Email address: t...@mydomain.com
      UID: 152200001
      GID: 152200001
      Account disabled: False
      Password: True
      Member of groups: trust admins, ipausers, admins
      Kerberos keys available: True

And his token:

    [root@ipa-centos]# ipa otptoken-show 7fa47f65-dc72-486e-8dd4-6393c7e389bd
      Unique ID: 7fa47f65-dc72-486e-8dd4-6393c7e389bd
      Type: TOTP
      Owner: test
      Manager: test

Server with FreeIPA:

    [root@ipa-centos]# ipa host-show ipa-centos.mydomain.com
      Host name: ipa-centos.mydomain.com
      Principal name: host/ipa-centos.mydomain....@mydomain.com
      Principal alias: host/ipa-centos.mydomain....@mydomain.com
      SSH public key fingerprint: %some fingerprints%
      Authentication Indicators: otp
      Password: False
      Member of host-groups: ipaservers
      Keytab: True
      Managed by: ipa-centos.mydomain.com

And the default HTTP service for FreeIPA:

    [root@ipa-centos]# ipa service-show http/ipa-centos.mydomain.com
      Principal name: HTTP/ipa-centos.mydomain....@mydomain.com
      Principal alias: HTTP/ipa-centos.mydomain....@mydomain.com
      Certificate: %cert%
      Subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
      Serial Number: 9
      Serial Number (hex): 0x9
      Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
      Not Before: Tue May 16 11:32:36 2017 UTC
      Not After: Fri May 17 11:32:36 2019 UTC
      Fingerprint (MD5): e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
      Fingerprint (SHA1): de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
      Authentication Indicators: otp
      Keytab: True
      Managed by: ipa-centos.mydomain.com

As you can see, all properties for OTP auth in the FreeIPA web interface are applied, but I can log in to the web interface only using the password; if I try logging in with password+otptoken I get an error. What's wrong?

    [root@ipa-centos]# ipa --version
    VERSION: 4.4.0, API_VERSION: 2.213
    [root@ipa-centos]# cat /etc/os-release
    NAME="CentOS Linux"
    VERSION="7 (Core)"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
    PRETTY_NAME="CentOS Linux 7 (Core)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:centos:centos:7"
    HOME_URL="https://www.centos.org/"
    BUG_REPORT_URL="https://bugs.centos.org/"
    CENTOS_MANTISBT_PROJECT="CentOS-7"
    CENTOS_MANTISBT_PROJECT_VERSION="7"
    REDHAT_SUPPORT_PRODUCT="centos"
    REDHAT_SUPPORT_PRODUCT_VERSION="7"

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project