On Mon, Oct 26, 2015 at 10:24:06AM -0700, Janelle wrote:
> Hello all...
> Seeing something very strange. With OTP enabled for all users - here is the
> configuration:
> Some hosts fully "enrolled" with IPA, and some are simply configured with
> authconfig to use LDAP backend for authentication.
> RANDOMLY   <---- Keyword here -- all systems use SSSD regardless of the
> authentication method. A user will be able to login with password+token, but
> the random part - sometimes JUST the password. Is this possible due to some
> odd caching issues with SSSD perhaps or ??? How might I research this? is
> there anything to look for in configs or logs?

I would assume that when just the password suffices, the client would be
offline (because when offline, we can only compare the first factor).

You can verify this with running klist -- that would show you if the TGT
was acquired when you logged in or by increasing pam_verbosity to tell
you when the login happened offline.

btw for testing, you can send SIGUSR1 and SIGUSR2 to trigger
online/offline transitions (see man sssd(8))

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to