If this is TOTP (time based) you want to double check the time is properly set in both the server (NTP) and the device that is generating the OTP tokens. I have had issues with this with my users couple of times.
On 7 June 2016 at 19:43, Alexander Bokovoy <aboko...@redhat.com> wrote: > On Tue, 07 Jun 2016, Winfried de Heiden wrote: > >> Hi all, >> I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result. >> > Ok. > > Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ >> (6 etypes {18 17 16 >> 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: >> otpu...@blabla.bla for krbtgt/ >> blabla....@blabla.bla, Additional pre-authentication >> required >> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing >> down fd 12 >> Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth >> (otp) verify >> failure: Connection timed out >> >> I just cannot figure out what's going wrong. What is trying >> to connect to >> causing this timeout? (yep, I disabled firewalld for >> this...) >> > What is the output of systemctl status ipa-otpd.socket > ? > > if it is disabled, do > > systemctl enable ipa-otpd.socket > systemctl start ipa-otpd.socket > > > -- > / Alexander Bokovoy > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project