On Fri, 2015-04-17 at 20:21 -0700, Janelle wrote:
> On 4/17/15 5:59 PM, Dmitri Pal wrote:
> > On 04/17/2015 08:07 PM, Janelle wrote:
> > > On Apr 17, 2015, at 16:36, Dmitri Pal <d...@redhat.com> wrote:
> > > > On 04/17/2015 04:52 PM, Janelle wrote:
> > > > > On 4/17/15 1:19 PM, Dmitri Pal wrote:
> > > > > > On 04/17/2015 01:20 PM, Janelle wrote:
> > > > > > > On 4/17/15 9:53 AM, Dmitri Pal wrote:
> > > > > > > > On 04/17/2015 11:16 AM, Janelle wrote:
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > Is anyone else having issues with OTP since upgrading? For the life of me I
> > > > > > > > > can't get it to accept "Sync" for the tokens. No matter what is put in, it
> > > > > > > > > just keeps saying the username, password or tokens entered are incorrect.
> > > > > > > > >
> > > > > > > > > To make it simple - I am trying this on a brand new CentOS 7.1 system with a
> > > > > > > > > clean/fresh install of FreeIPA 4.1.4 and yet it just refuses to work.
> > > > > > > > >
> > > > > > > > > I create a user -- configure them. They work just fine with a password. Then
> > > > > > > > > add a token. Sync with FreeOTP and that all works. Then going back to the
> > > > > > > > > web UI and do Sync OTP and it simply refuses to accept any values. And yet
> > > > > > > > > the same user can login to the regular web UI with their password.
> > > > > > > > >
> > > > > > > > > I have tried setting the user to both Password and OTP for auth methods. And
> > > > > > > > > also just OTP and nothing works.
> > > > > > > > Please look in the logs to see what is going on.
> > > > > > > > You would need to look at the KDC, http and DS logs on the server to sort
> > > > > > > > out what is going on.
> > > > > > > >
> > > > > > > > Do you change the password for the user first after creating him?
> > > > > > > >
> > > > > > > > Can you reproduce the problem with demo instance?
> > > > > > > > http://www.freeipa.org/page/Demo
> > > > > > > > If you can then we can take a look at the logs right away.
> > > > > > > > > Hints? Am I missing a step?
> > > > > > > > >
> > > > > > > > > ~J
> > > > > > > It appears to be the UI. If I go through the steps and let it "fail", I can
> > > > > > > still login using OTP to servers. I made the assumption that the error itself
> > > > > > > was not an error.. :-)
> > > > > > >
> > > > > > > ~J
> > > > > > I am not sure I get what you are saying. Do you still see the problem, or did
> > > > > > you misinterpret the UI and now the problem is gone? If you did, is there any
> > > > > > recommendation on how to improve the UI so as not to confuse people?
> > > > > The problem exists -- this is what it shows:
> > > > > HOWEVER, it is still WORKING. Meaning, even if you get this error, if you
> > > > > attempt to login with your FreeOTP token, it WORKS.
> > > > >
> > > > > ~J
> > > > >
> > > > > <mime-attachment.png>
> > > > Does it give you this error when you use password or password and token?
> > > > Can you please describe the flow of steps in more detail?
> > > > I start browser, go here, click here, enter this, etc.
> > > >
> > > > Are you using SSSD to login to servers? Is SSSD configured with IPA provider
> > > > or did you configure it for LDAP manually?
> > > > There is a difference between LDAP and Kerberos authentication.
> > > >
> > > > Maybe the following article will help you to understand the expectations:
> > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/authconfig-addl-auth.html#enable-otp
> > > Simple. And my test made it simple.
> > > Stand up new vm running fc21/freeipa.
> > > Configure user.
> > > Add password.
> > > Add token.
> > >
> > > Login to the vm with the user created using password. Kerberos ticket
> > > assigned, all is well.
> > >
> > > Login to web interface with admin. Change user to OTP only.
> > > Go to web UI and click sync OTP.
> > > Enter username, password and 2 OTP sequences. Click sync. Error appears.
> > >
> > > Now, ssh to same vm using OTP username. Enter password + OTP value.
> > > Login successful.
> > I can reproduce this issue with demo instance.
> > I will file a bug later today.
> > I think it is a bug with sync.
> > Which token do you use, time based or event based?
> TOTP...
>
> Hmm, makes me wonder - does HOTP fail the same? Off to try it.

This should just affect TOTP. I have posted a patch that should fix this
problem. Are you able to test it?
https://www.redhat.com/archives/freeipa-devel/2015-April/msg00282.html

> ~J
>
> PS - is there a way to sync a token from command line? I can't think of a
> way, but maybe...

ipa otptoken-sync

Nathaniel

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
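The sync step discussed in this thread (the user submits a password plus two consecutive OTP values, and the server works out how far the token has drifted) is the resynchronization procedure described in RFC 4226 section 7.4 for HOTP and RFC 6238 section 6 for TOTP. The example below is added here to illustrate that procedure; it is not FreeIPA's code, not the patch Nathaniel refers to, and not `ipa otptoken-sync`. It generalizes the thread's TOTP case to both token types: a time-based token is synced by finding the step offset at which the two codes land on adjacent 30-second steps, an event-based token by scanning the counter forward until the two codes land on adjacent counters. The secret is the RFC test-vector secret so the results can be checked against the published vectors, and the window sizes and sample scenarios are assumptions chosen for the demonstration.

```python
import hmac
import hashlib
import struct

# The published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# It is used here only so the output can be checked against the RFC test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def _pair_matches(secret, counter, code1, code2, digits, algo) -> bool:
    """True if code1/code2 are the codes for counter and counter+1 (constant-time compares)."""
    return (hmac.compare_digest(hotp(secret, counter, digits, algo), code1)
            and hmac.compare_digest(hotp(secret, counter + 1, digits, algo), code2))


def sync_totp(secret: bytes, code1: str, code2: str, server_time: int,
              window: int = 50, step: int = 30, digits: int = 6, algo=hashlib.sha1):
    """Find a time-based token's clock offset (in steps) from two consecutive codes.

    Scans [-window, +window] steps around the server's current step and returns the
    offset at which code1 and code2 land on adjacent steps, or None if no such offset
    exists (wrong codes, non-adjacent codes, or drift beyond the window)."""
    base = server_time // step
    for off in range(-window, window + 1):
        if _pair_matches(secret, base + off, code1, code2, digits, algo):
            return off
    return None


def sync_hotp(secret: bytes, code1: str, code2: str, server_counter: int,
              window: int = 100, digits: int = 6, algo=hashlib.sha1):
    """Find the counter an event-based token has advanced to, from two consecutive codes.

    Scans forward only (a counter never moves backwards) and returns the counter at
    which code1 was produced; the server should then store counter + 2 as the next
    expected value. Returns None if the pair is not found inside the window."""
    for counter in range(server_counter, server_counter + window + 1):
        if _pair_matches(secret, counter, code1, code2, digits, algo):
            return counter
    return None


if __name__ == "__main__":
    # Constructed scenario: the server clock is 5 steps (150 s) ahead of the token, and
    # the user submits the RFC 6238 codes for T=1111111109 and T=1111111111, which fall
    # on adjacent 30-second steps.
    server_now = 1111111109 + 5 * 30
    print("TOTP offset:", sync_totp(RFC_SECRET, "07081804", "14050471", server_now, window=10, digits=8))
    # Constructed scenario: the server last saw counter 0, the token is now at counter 3.
    print("HOTP counter:", sync_hotp(RFC_SECRET, "969429", "338314", server_counter=0))
    # Non-adjacent codes cannot be synced: the search reports failure instead of guessing.
    print("Bad pair:", sync_totp(RFC_SECRET, "07081804", "94287082", server_now, window=10, digits=8))
```

Two design points matter for a validator. First, the search is bounded: an unbounded window would let any pair of codes eventually match somewhere, so the window is the knob that trades tolerated drift against brute-force exposure. Second, sync requires two adjacent codes rather than one, which is what makes a match inside the window meaningful; a single matching code is far more likely to be a coincidence. Note also the asymmetry between the two token types: TOTP drift can be negative or positive, whereas a HOTP counter only ever moves forward.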