On Mon, Oct 26, 2015 at 10:24:06AM -0700, Janelle wrote:
> Hello all...
>
> Seeing something very strange. With OTP enabled for all users - here is the
> configuration:
>
> Some hosts fully "enrolled" with IPA, and some are simply configured with
> authconfig to use LDAP backend for authentication.
>
> RANDOMLY <---- Keyword here -- all systems use SSSD regardless of the
> authentication method. A user will be able to login with password+token, but
> the random part - sometimes JUST the password. Is this possible due to some
> odd caching issues with SSSD perhaps or ??? How might I research this? Is
> there anything to look for in configs or logs?
I would assume that when just the password suffices, the client would be offline (because when offline, we can only compare the first factor).

You can verify this by running klist -- that would show you if the TGT was acquired when you logged in -- or by increasing pam_verbosity to tell you when the login happened offline.

btw for testing, you can send SIGUSR1 and SIGUSR2 to trigger online/offline transitions (see man sssd(8))

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
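The checks suggested in the reply above (did the login obtain a TGT, is pam_verbosity raised, do the auth logs show cached-credential logins), as an added example that is not part of the original thread. The klist output, the auth log lines and the sssd.conf fragment are constructed samples; the "Authenticated with cached credentials" wording and the pam_sss log prefix are assumptions for this example, so check them against your own logs before relying on the string match.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: small helpers to tell a
# login that got a Kerberos TGT (SSSD online, both factors checked by the KDC)
# from one that fell back to SSSD's cached credentials (SSSD offline, so only
# the password could be compared).

# classify_klist: reads `klist` output on stdin and prints "online" when a
# krbtgt ticket is present, "offline-or-no-tgt" otherwise.
classify_klist() {
    if grep -q 'krbtgt/'; then
        echo online
    else
        echo offline-or-no-tgt
    fi
}

# count_cached_auths: reads auth log lines (e.g. /var/log/secure) on stdin and
# counts pam_sss lines mentioning cached credentials. The exact message text is
# an assumption for this example.
count_cached_auths() {
    grep 'pam_sss' | grep -c 'cached credentials' || true
}

# pam_verbosity_of: reads an sssd.conf on stdin and prints the pam_verbosity
# value from the [pam] section; prints 1 (the documented default) if unset.
pam_verbosity_of() {
    awk -F= '
        /^\[/ { in_pam = ($0 == "[pam]"); next }
        in_pam && $1 ~ /^[ \t]*pam_verbosity[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; found = 1; exit
        }
        END { if (!found) print 1 }'
}

# --- constructed sample inputs (not captured from a real system) ---
SAMPLE_KLIST_ONLINE='Ticket cache: KEYRING:persistent:1000:1000
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
10/26/2015 10:00:00  10/27/2015 10:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST'

SAMPLE_KLIST_OFFLINE='klist: Credentials cache keyring persistent:1000:1000 not found'

SAMPLE_SECURE='Oct 26 10:20:01 host1 sshd[2210]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Oct 26 10:21:14 host1 sshd[2231]: pam_sss(sshd:auth): Authenticated with cached credentials, your cached password will expire at: Tue Oct 27 10:21:14 2015
Oct 26 10:25:40 host1 sshd[2260]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=bob'

SAMPLE_CONF='[sssd]
domains = example.test
services = nss, pam

[pam]
pam_verbosity = 3

[domain/example.test]
id_provider = ipa'

# Run against the constructed samples by default; pass --live to inspect the
# current host instead (requires klist and read access to /etc/sssd/sssd.conf).
if [ "${1:-}" = "--live" ]; then
    klist 2>&1 | classify_klist
    pam_verbosity_of < /etc/sssd/sssd.conf
else
    printf 'online sample:  %s\n'  "$(printf '%s\n' "$SAMPLE_KLIST_ONLINE"  | classify_klist)"
    printf 'offline sample: %s\n'  "$(printf '%s\n' "$SAMPLE_KLIST_OFFLINE" | classify_klist)"
    printf 'cached-credential logins in sample log: %s\n' \
        "$(printf '%s\n' "$SAMPLE_SECURE" | count_cached_auths)"
    printf 'pam_verbosity in sample config: %s\n' \
        "$(printf '%s\n' "$SAMPLE_CONF" | pam_verbosity_of)"
fi
```

A login that shows "offline-or-no-tgt" immediately after a successful password-only authentication is the case the reply describes: SSSD was offline for that host at that moment and only the first factor could be compared. Raising pam_verbosity in the [pam] section makes that fallback visible to the user and in the logs, so the count function gives you a quick way to see how often it happens across a log file.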