Hi all,

Yep, I noticed that before, this service should be running, I enabled it:

[root@ipa log]# systemctl status ipa-otpd.socket
* ipa-otpd.socket - ipa-otpd socket
   Loaded: loaded (/usr/lib/systemd/system/ipa-otpd.socket; enabled; vendor preset: disabled)
   Active: active (listening) since Tue 2016-06-07 13:55:58 CEST; 2h 18min ago
   Listen: /var/run/krb5kdc/DEFAULT.socket (Stream)
 Accepted: 39; Connected: 0
  Process: 6002 ExecStopPre=/usr/bin/unlink /var/run/krb5kdc/DEFAULT.socket (code=exited, status=0/SUCCESS)

Jun 07 13:55:58 ipa.blabla.bla systemd[1]: Listening on ipa-otpd socket.
Jun 07 13:55:58 ipa.blabla.bla systemd[1]: Starting ipa-otpd socket.

some more debugging information:

export KRB5_TRACE=/dev/stderr
kinit -T KEYRING:persistent:10001:krb_ccache_5juXsff otpuser

will give:
Enter OTP Token Value:
[6698] 1465308806.678620: Preauth module otp (141) (real) returned: 0/Success
[6698] 1465308806.678713: Produced preauth for next request: 133, 142
[6698] 1465308806.678771: Encoding request body and padata into FAST request
[6698] 1465308806.679291: Sending request (1095 bytes) to BLABLA.BLA
[6698] 1465308806.680399: Initiating TCP connection to stream
[6698] 1465308806.681090: Sending TCP request to stream
[6698] 1465308811.740101: Received answer (548 bytes) from stream
[6698] 1465308811.740223: Terminating TCP connection to stream
[6698] 1465308811.740774: Response was from master KDC
[6698] 1465308811.740997: Received error from KDC: -1765328360/Preauthentication failed
[6698] 1465308811.741057: Decoding FAST response
[6698] 1465308811.741567: Preauth tryagain input types: 136, 141, 133, 137
kinit: Preauthentication failed while getting initial credentials


Op 07-06-16 om 16:13 schreef Alexander Bokovoy:
On Tue, 07 Jun 2016, Winfried de Heiden wrote:
Hi all,
I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result.

         Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ
         (6 etypes {18 17 16
         23 25 26}) NEEDED_PREAUTH:
         otpu...@blabla.bla for krbtgt/
         blabla....@blabla.bla, Additional pre-authentication
         Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing
         down fd 12
         Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth
         (otp) verify
         failure: Connection timed out

         I just cannot figure out what's going wrong. What is trying
         to connect to
         causing this timeout? (yep, I disabled firewalld for
What is the output of  systemctl status ipa-otpd.socket

if it is disabled, do

 systemctl enable ipa-otpd.socket
 systemctl start ipa-otpd.socket

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to