Tommy Nikjoo <> writes:

> I'm having some issues with 2FA PAM configs on Ubuntu clients.
> Currently, I'm guessing that the PAM module doesn't know how to talk to
> the 2FA protocol.  Is anyone able to give an insight into how to get
> this working correctly?

You may need to fix /etc/pam.d/common-auth, so that only pam_sss gets
called for IPA users:

# here are the per-package modules (the "Primary" block)
auth    [default=1 success=ok] 
auth    [success=3 default=ignore] nullok_secure try_first_pass
auth    requisite uid >= 1000 quiet_success
auth    [success=1 default=ignore] forward_pass
# here's the fallback if no module succeeds
auth    requisite             

I'm running a 14.04 client with an older IPA client - there I have to
enter password+OTP in one string and it works perfectly.

On my 16.10 laptop I use IPA 4.3.2 against CentOS 7.3 server. That
client had problems with OTP users which were not obvious to me.
The system asked for first and second factor but would give me system
error 7. I think the following entry in /etc/krb5.conf helped:

  default_ccache_name = KEYRING:persistent:%{uid}


Otherwise please enable the debug trace and review the logs. They are
really verbose and you need to check both client and server for errors.
There is hope - I run Ubuntu clients with OTP users (OTP is via
privacyidea/radius, but that shouldn't matter).


The only problem with troubleshooting is that the trouble shoots back.
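The control-flag jumps in a common-auth stack like the one above decide which modules an IPA user actually hits, so it helps to trace them. Added example, not from the post or the FreeIPA project: a small simulator of pam.conf(5) control semantics run over a constructed stack modelled on the quoted layout (module names are assumed, since the quoted copy lost them, and Ubuntu's closing pam_permit is included), with constructed per-user module results instead of real PAM calls.

```python
import re
# The keyword controls, as the [result=action] form they expand to (pam.conf(5)).
KEYWORDS = {"required":   {"success": "ok",   "default": "bad"},
            "requisite":  {"success": "ok",   "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"}}

# Constructed stack modelled on the quoted layout plus Ubuntu's closing pam_permit;
# the module names are assumptions, not the poster's actual file.
STACK = [
    ("[default=1 success=ok]",     "pam_localuser.so"),  # not a local user? skip pam_unix
    ("[success=3 default=ignore]", "pam_unix.so"),       # local password; success skips to pam_permit
    ("requisite",                  "pam_succeed_if.so"), # uid >= 1000: no system accounts via sssd
    ("[success=1 default=ignore]", "pam_sss.so"),        # IPA password+OTP; success skips pam_deny
    ("requisite",                  "pam_deny.so"),       # fallback if no module succeeded
    ("required",                   "pam_permit.so"),     # jumps set no verdict, so prime a positive one
]

# Constructed per-user results (no real PAM calls); unlisted modules fail, pam_permit always succeeds.
LOCAL_USER  = {"pam_localuser.so": "success", "pam_unix.so": "success"}
IPA_USER    = {"pam_succeed_if.so": "success", "pam_sss.so": "success"}
IPA_BAD_OTP = {"pam_succeed_if.so": "success"}   # pam_sss rejects the second factor

def parse_control(ctrl):
    """'requisite' or '[success=3 default=ignore]' -> {result: action}."""
    if ctrl in KEYWORDS:
        return KEYWORDS[ctrl]
    body = re.fullmatch(r"\[(.+)\]", ctrl.strip()).group(1)
    return dict(item.split("=", 1) for item in body.split())

def walk(stack, outcomes):
    """One auth pass under pam.conf(5) semantics; returns (verdict, modules that ran)."""
    ran, impression, i = [], None, 0
    while i < len(stack):
        ctrl, module = stack[i]
        result = outcomes.get(module, "success" if module == "pam_permit.so" else "failure")
        ran.append(module)
        actions = parse_control(ctrl)
        action = actions.get(result, actions.get("default", "bad"))
        if action == "die":                       # requisite-style: stop immediately
            return "fail", ran
        if action == "done":                      # sufficient-style: stop unless something failed
            return (impression or "success"), ran
        if action == "bad":
            impression = "fail"
        elif action == "ok":
            impression = impression or "success"  # first positive verdict sticks
        elif action.isdigit():
            i += int(action)                      # jump over the next N entries, verdict untouched
        i += 1
    return (impression or "fail"), ran            # nothing positive at all is an error
```

Running walk(STACK, IPA_USER) shows pam_unix never executes for the IPA user, which is what keeps the extra password prompt out of the way of the OTP dialogue, while a rejected second factor falls through to pam_deny instead of retrying elsewhere.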
