Alexander Bokovoy wrote:
> What does not yet work is end-to-end kinit without armoured ccache.
> This also is the case for PAM-based logins through SSSD.

This one is fixed now. There was a bug in SSSD's processing of a response from a krb5_child process in case FAST is activated -- the SSS_OTP message was the last one returned and SSSD erroneously thought it was a malformed packet.

I now have 2FA logons working with PAM-based apps (including SSH) using the following configuration in sssd.conf:

----------------------------------
[domain/`domain`]
....
krb5_use_fast = try
krb5_fast_principal = host/`hostname`
....
----------------------------------

Patch for https://fedorahosted.org/sssd/ticket/2186 is on the SSSD development list.

--
/ Alexander Bokovoy
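Added example, not part of the original message or of SSSD's own code: a Python check that reads an sssd.conf and reports, per domain, how the two FAST options from the configuration above are set. The sample file, the domain names and the `audit_fast` helper are constructed for illustration; the accepted `krb5_use_fast` values are those documented in sssd-krb5(5).

```python
import configparser

# Constructed sample sssd.conf; domain names and principals are made up.
SAMPLE_CONF = """
[sssd]
domains = ipa.example.test, legacy.example.test, strict.example.test

[domain/ipa.example.test]
id_provider = ipa
krb5_use_fast = try
krb5_fast_principal = host/client1.ipa.example.test

[domain/legacy.example.test]
id_provider = ipa

[domain/strict.example.test]
id_provider = ipa
krb5_use_fast = demand
"""

VALID_FAST = {"never", "try", "demand"}  # values documented in sssd-krb5(5)


def audit_fast(conf_text):
    """Return {domain: [findings]} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [pam], ... carry no krb5_* options
        opts = cp[section]
        # An unset krb5_use_fast means FAST is not used, same as "never".
        mode = opts.get("krb5_use_fast", "never").strip().lower()
        principal = opts.get("krb5_fast_principal", "").strip()
        findings = []
        if mode not in VALID_FAST:
            findings.append(f"invalid krb5_use_fast value: {mode!r}")
        elif mode == "never":
            findings.append("FAST disabled: no armour for OTP (2FA) logons")
        elif mode == "try":
            findings.append("FAST is best-effort: auth continues without it "
                            "if the KDC does not support FAST")
        if mode in ("try", "demand") and not principal:
            findings.append("krb5_fast_principal not set (the posted "
                            "configuration sets it explicitly)")
        report[section[len("domain/"):]] = findings
    return report
```

To check a real host, pass the contents of its sssd.conf to `audit_fast` in place of `SAMPLE_CONF`.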