If this is TOTP (time based) you want to double check the time is properly
set in both the server (NTP) and the device that is generating the OTP
tokens. I have had issues with this with my users couple of times.
On 7 June 2016 at 19:43, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Tue, 07 Jun 2016, Winfried de Heiden wrote:
>
>> Hi all,
>> I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result.
>>
> Ok.
>
> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): AS_REQ
>> (6 etypes {18 17 16
>> 23 25 26}) 192.168.1.251: NEEDED_PREAUTH:
>> otpu...@blabla.bla for krbtgt/
>> blabla....@blabla.bla, Additional pre-authentication
>> required
>> Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887](info): closing
>> down fd 12
>> Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888](info): preauth
>> (otp) verify
>> failure: Connection timed out
>>
>> I just cannot figure out what's going wrong. What is trying
>> to connect to
>> causing this timeout? (yep, I disabled firewalld for
>> this...)
>>
> What is the output of systemctl status ipa-otpd.socket
> ?
>
> if it is disabled, do
>
> systemctl enable ipa-otpd.socket
> systemctl start ipa-otpd.socket
>
>
> --
> / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
