Hello the List,


A couple of new things on this problem: when a user has an expired password
and a valid OTP token, the password reset process is broken on all machines
at the ssh prompt, even the ones that do not require 2FA.


Feedback so far from Sumit indicates this is incorrect behaviour.


As an attempt to get around this, I've tried adding a permission to the
helpdesk role that would allow them to manage OTP tokens. I'll submit
another thread on that.

From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Thursday, 23 November 2017 6:31 AM
To: Sumit Bose <sb...@redhat.com>
Cc: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>; 'Sumit
Bose' <sb...@redhat.com>
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP


Hi Sumit,


I sent those to you directly as I wasn't comfortable posting them to the


From: Sumit Bose <sb...@redhat.com <mailto:sb...@redhat.com> >
Sent: Wednesday, November 22, 2017 10:19:34 PM
To: Aaron Hicks
Cc: 'FreeIPA users list'; 'Sumit Bose'
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP


On Wed, Nov 22, 2017 at 09:21:52PM +1300, Aaron Hicks wrote:
> Hi Sumit,
> Here is /etc/pam.d/password-auth. I missed that it was an include, and that
> you wanted it too; again it's as installed by CentOS 7.4 and

ok, the PAM configuration looks good. Can you send me the PAM-related
messages from /var/log/secure or the journal which cover the failed
attempt? And additionally the SSSD logs with debug_level=9 from the same
time. Most important would be sssd_pam.log, sssd_domain.name.log and
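To pull out just the PAM-related lines for the failed attempt that Sumit asks for above, a small shell helper is added here as an example; it is not part of the thread and not SSSD or FreeIPA tooling. The log lines in `SAMPLE_SECURE` are constructed to resemble rsyslog's default `/var/log/secure` format and the hostname, user and addresses in them are invented; the real file is read the same way by passing its path as the first argument.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure (not real log output from the thread).
# Line format follows rsyslog's default: "Mon DD HH:MM:SS host program[pid]: message".
SAMPLE_SECURE='Nov 22 09:20:01 ipaclient sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 50122 ssh2
Nov 22 09:21:40 ipaclient sshd[2310]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=alice
Nov 22 09:21:41 ipaclient sshd[2310]: pam_sss(sshd:account): User info message: Password expired.  Change your password now.
Nov 22 09:21:41 ipaclient sshd[2310]: pam_sss(sshd:chauthtok): Authentication failure; user=alice
Nov 22 09:21:41 ipaclient sshd[2310]: pam_sss(sshd:chauthtok): Password change failed for user alice: 4 (System error)
Nov 22 09:21:42 ipaclient sshd[2310]: error: PAM: Authentication token manipulation error for alice from 10.0.0.9
Nov 22 09:30:12 ipaclient sudo:   admin : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/systemctl restart sssd'

# pam_events FILE PREFIX
#   Print the lines of FILE whose timestamp starts with PREFIX (for example
#   "Nov 22 09:21" for one minute, "Nov 22 09:2" for ten minutes) and that
#   were written by a PAM module ("pam_xxx(service:type): ...") or by sshd's
#   own PAM error reporting ("error: PAM: ...").  Everything else in that
#   window (sudo, successful key logins, cron) is dropped.
pam_events() {
    grep -E "^$2" "$1" | grep -E 'pam_[a-z_]+\(|error: PAM:'
}

# count_pam_failures FILE PREFIX
#   Number of PAM lines in the window that report a failure or error; useful
#   as a quick check that the window actually contains the failed attempt
#   before attaching the extract to a bug report.
count_pam_failures() {
    pam_events "$1" "$2" | grep -Eic 'fail|error'
}
```

Usage against the constructed sample: `printf '%s\n' "$SAMPLE_SECURE" > /tmp/secure.sample; pam_events /tmp/secure.sample 'Nov 22 09:21'` prints the five PAM lines of the expired-password attempt (the auth success, the expiry notice, the two chauthtok failures and sshd's token manipulation error) and `count_pam_failures` reports 3 of them as failures. On a real client run the same against `/var/log/secure` (or `journalctl -o short -u sshd` redirected to a file) with the timestamp of the failed ssh login.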


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
