The libverto used on RHEL 7.2 (itś working there) is v0.2.5-4 build date January 26 2014, so that's an older one.

Is this more recent one causing the problems....? How to test?

Winny




Op 08-06-16 om 08:34 schreef Winfried de Heiden:
Hi all,


Well, the libverto is there some time allready (yep, it's running on a Bananapi!), doesn't feel like a recent update, so a


Name        : libverto
Version     : 0.2.6
Release     : 5.fc23
Architecture: armv7hl
Install Date: Thu Jan  1 01:08:24 1970
Group       : Unspecified
Size        : 21896
License     : MIT
Signature   : RSA/SHA256, Sun Jun 21 06:24:46 2015, Key ID 32474cf834ec9cba
Source RPM  : libverto-0.2.6-5.fc23.src.rpm
Build Date  : Wed Jun 17 20:37:05 2015
Build Host  : arm04-builder19.arm.fedoraproject.org

No, no previous build available...

[root@ipa boot]# dnf downgrade libverto
Last metadata expiration check: 0:10:21 ago on Wed Jun  8 08:19:53 2016.
Package libverto of lowest version already installed, cannot downgrade it.
Error: Nothing to do.


My first guess is that you are hitting this bug: https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b799090899904e

What to do about it...?


Winny

Op 07-06-16 om 19:15 schreef Nathaniel McCallum:
On Tue, 2016-06-07 at 19:42 +0300, Alexander Bokovoy wrote:
Adding Nathaniel to look into it.

On Tue, 07 Jun 2016, Winfried de Heiden wrote:
Adn some more dubgging for you guys...:

un  7 17:00:52 ipa systemd: Started ipa-otpd service (PID 5887/UID
0).
Jun  7 17:00:52 ipa audit: SERVICE_START pid=1 uid=0
auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipa-otpd@
51-5887-
0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=?
res=success'
Jun  7 17:00:52 ipa systemd: Starting ipa-otpd service (PID
5887/UID 0)...
Jun  7 17:00:52 ipa ipa-otpd: LDAP: ldapi://%2fvar%2frun%2fslapd-
BLABLA-
BLA.socket
Jun  7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: request received
Jun  7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: user query start
Jun  7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: user query end:
uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla
Jun  7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: bind start:
uid=otpuser,cn=users,cn=accounts,dc=blabla,dc=bla
Jun  7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: bind end: success
Jun  7 17:00:52 ipa ipa-otpd: otpu...@blabla.bla: response sent:
Access-Accept
Jun  7 17:00:52 ipa ipa-otpd: stdio.c:073: Connection reset by
peer: Error
receiving packet
Jun  7 17:00:52 ipa systemd: ipa-otpd@51-5887-0.service: Main
process exited,
code=exited, status=1/FAILURE
Jun  7 17:00:52 ipa systemd: ipa-otpd@51-5887-0.service: Unit
entered failed
state.
Forgot to mention, I'm running FreeIPA on Fedora ARM on a Bananapi
:) All
other, non-OTP, login are OK.
Winny
That error is misleading. All that is happening is that ipa-otpd is
closing down after krb5kdc closes the socket.

Op 07-06-16 om 16:13 schreef Alexander Bokovoy:
    On Tue, 07 Jun 2016, Winfried de Heiden wrote:
         Hi all,
         I tried the FreeIPA webUI, ssh and "su - otpuser", all the
         same result.
    Ok.

                  Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887]
         (info): AS_REQ
                  (6 etypes {18 17 16
                  23 25 26}) 192.168.1.251: NEEDED_PREAUTH:
                  otpu...@blabla.bla for krbtgt/
                  blabla....@blabla.bla, Additional pre-
         authentication
                  required
                  Jun 07 14:44:37 ipa.blabla.bla krb5kdc[5887]
         (info): closing
                  down fd 12
                  Jun 07 14:44:42 ipa.blabla.bla krb5kdc[5888]
         (info): preauth
                  (otp) verify
                  failure: Connection timed out

                  I just cannot figure out what's going wrong. What
         is trying
                  to connect to
                  causing this timeout? (yep, I disabled firewalld
         for
                  this...)
    What is the output of  systemctl status ipa-otpd.socket
    ?

    if it is disabled, do

     systemctl enable ipa-otpd.socket
     systemctl start ipa-otpd.socket
My first guess is that you are hitting this bug:
https://github.com/krb5/krb5/commit/051a31aac553defb2ef0ed4354b79909089
9904e

My second guess is that you should try a different libverto backend and
see if the problem goes away. If so, please let me know which backend
had problems.






-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to