I am testing a simple setup with FreeIPA 4.0.1 server and a centos6.5 stock "ipa-client" package and I can get the regular password to work, but not otp login (otp login works in web ui).
As I understood this, kinit is not expected to work (requires FAST) but PAM (which uses sssd, which supposed to supports/configure FAST by default) Indeed the kinit fails with "Generic preauthentication failure while getting initial credentials" but PAM/SSSD does not seem to work either. This is a brand new test domain with allow-all HBAC intact, so I do not think that is the issue I did not dive into this yet, but before I waste too much time I wanted to ask if centos 6.5 default ipa client expected to work with 2FA or not. Thanks -M
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project