Hi all, Well, the libverto is there some time allready (yep, it's running on a Bananapi!), doesn't feel like a recent update, so a Name : libverto No, no previous build available... [root@ipa boot]# dnf downgrade libverto My first guess is that you are hitting this bug: https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b799090899904e What to do about it...? Winny Op 07-06-16 om 19:15 schreef Nathaniel
McCallum:
On Tue, 2016-06-07 at 19:42 +0300, Alexander Bokovoy wrote:Adding Nathaniel to look into it.On Tue, 07 Jun 2016, Winfried de Heiden wrote:Adn some more dubgging for you guys...: un 7 17:00:52 ipa systemd: Started ipa-otpd service (PID 5887/UID 0). Jun 7 17:00:52 ipa audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@ 51-5887- 0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' Jun 7 17:00:52 ipa systemd: Starting ipa-otpd service (PID 5887/UID 0)... Jun 7 17:00:52 ipa ipa-otpd: LDAP: ldapi://%2fvar%2frun%2fslapd- BLABLA- BLA.socket Jun 7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: request received Jun 7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: user query start Jun 7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: user query end: uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla Jun 7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: bind start: uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla Jun 7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: bind end: success Jun 7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: response sent: Access-Accept Jun 7 17:00:52 ipa ipa-otpd: stdio.c:073: Connection reset by peer: Error receiving packet Jun 7 17:00:52 ipa systemd: ipa-otpd@51-5887-0.service: Main process exited, code=exited, status=1/FAILURE Jun 7 17:00:52 ipa systemd: ipa-otpd@51-5887-0.service: Unit entered failed state. Forgot to mention, I'm running FreeIPA on Fedora ARM on a Bananapi :) All other, non-OTP, login are OK. WinnyThat error is misleading. All that is happening is that ipa-otpd is closing down after krb5kdc closes the socket.Op 07-06-16 om 16:13 schreef Alexander Bokovoy: On Tue, 07 Jun 2016, Winfried de Heiden wrote: Hi all, I tried the FreeIPA webUI, ssh and "su - otpuser", all the same result. Ok. Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887] (info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.251: NEEDED_PREAUTH: otpu...@blabla.bla for krbtgt/ blabla....@blabla.bla, Additional pre- authentication required Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887] (info): closing down fd 12 Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888] (info): preauth (otp) verify failure: Connection timed out I just cannot figure out what's going wrong. What is trying to connect to causing this timeout? (yep, I disabled firewalld for this...) What is the output of systemctl status ipa-otpd.socket ? if it is disabled, do systemctl enable ipa-otpd.socket systemctl start ipa-otpd.socketMy first guess is that you are hitting this bug: https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089 9904e My second guess is that you should try a different libverto backend and see if the problem goes away. If so, please let me know which backend had problems. |
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project