
Issue with working with OTP #34

Closed
coolacid opened this issue Jul 16, 2015 · 12 comments

Comments

@coolacid

There seem to be major issues when implementing OTP. First problem is the systemd file :: /usr/lib/systemd/system/ipa-otpd@.service -- the environment file this is pointing at is /etc/ipa/default.conf. This breaks when the systemd attempts to add the [global] tag.

Attempted to patch that and point it at the same file without the [global] tag; however, all OTP still fails with no real indication as to why.

@coolacid
Author

-- edit --

This did not actually fix the problem.

@adelton
Collaborator

adelton commented Jul 17, 2015

There seem to be major issues when implementing OTP. First problem is the systemd file :: /usr/lib/systemd/system/ipa-otpd@.service -- the environment file this is pointing at is /etc/ipa/default.conf. This breaks when the systemd attempts to add the [global] tag.

In the FreeIPA container, no systemd is running. Could you please be more specific about the functional issue?

@coolacid
Author

This is related to using the One Time Password function. Removing the [global] tag (or pointing the @.service file directly to the LDAP server) causes the OTP service to start - so something is allowing it to run.

Because we couldn't get IPA with OTP working within Docker, we had to scrap and go bare metal, so can't look into it any further.

@dmcnaught

I'm seeing the same issue (with centos-7) trying to use OTP-TOTP. Setup all goes fine in the GUI, but then when I try to log in after successfully syncing the OTP token, I see this in the logs:
==> /var/log/krb5kdc.log <==
Jul 22 21:47:01 ip-172-31-28-101.ec2.internal krb5kdc2035: AS_REQ (6 etypes {18 17 16 23 25 26}) 172.17.0.16: NEEDED_PREAUTH: tuser@EC2.INTERNAL for krbtgt/EC2.INTERNAL@EC2.INTERNAL, Additional pre-authentication required
Jul 22 21:47:01 ip-172-31-28-101.ec2.internal krb5kdc2035: closing down fd 12
==> /var/log/systemctl.log <==
[start ipa-otpd@.service]
Running [export host=ip-172-31-28-101.ec2.internal; export basedn=dc=ec2,dc=internal; export realm=EC2.INTERNAL; export domain=ec2.internal; export xmlrpc_uri=https://ip-172-31-28-101.ec2.internal/ipa/xml; export ldap_uri=ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket; export enable_ra=True; export ra_plugin=dogtag; export dogtag_version=10; export mode=production; /usr/libexec/ipa-otpd $ldap_uri]
Marked pid [2913] for [ipa-otpd@.service]
LDAP: ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket
Socket closed, shutting down...
[start ipa-otpd@.service]
Running [export host=ip-172-31-28-101.ec2.internal; export basedn=dc=ec2,dc=internal; export realm=EC2.INTERNAL; export domain=ec2.internal; export xmlrpc_uri=https://ip-172-31-28-101.ec2.internal/ipa/xml; export ldap_uri=ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket; export enable_ra=True; export ra_plugin=dogtag; export dogtag_version=10; export mode=production; /usr/libexec/ipa-otpd $ldap_uri]
Marked pid [2916] for [ipa-otpd@.service]
LDAP: ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket
Socket closed, shutting down...
[start ipa-otpd@.service]
Running [export host=ip-172-31-28-101.ec2.internal; export basedn=dc=ec2,dc=internal; export realm=EC2.INTERNAL; export domain=ec2.internal; export xmlrpc_uri=https://ip-172-31-28-101.ec2.internal/ipa/xml; export ldap_uri=ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket; export enable_ra=True; export ra_plugin=dogtag; export dogtag_version=10; export mode=production; /usr/libexec/ipa-otpd $ldap_uri]
Marked pid [2919] for [ipa-otpd@.service]
LDAP: ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket
Socket closed, shutting down...
[start ipa-otpd@.service]
Running [export host=ip-172-31-28-101.ec2.internal; export basedn=dc=ec2,dc=internal; export realm=EC2.INTERNAL; export domain=ec2.internal; export xmlrpc_uri=https://ip-172-31-28-101.ec2.internal/ipa/xml; export ldap_uri=ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket; export enable_ra=True; export ra_plugin=dogtag; export dogtag_version=10; export mode=production; /usr/libexec/ipa-otpd $ldap_uri]
Marked pid [2922] for [ipa-otpd@.service]
LDAP: ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket
Socket closed, shutting down...

==> /var/log/krb5kdc.log <==
Jul 22 21:47:07 ip-172-31-28-101.ec2.internal krb5kdc2036: preauth (otp) verify failure: Connection timed out
Jul 22 21:47:07 ip-172-31-28-101.ec2.internal krb5kdc2036: AS_REQ (6 etypes {18 17 16 23 25 26}) 172.17.0.16: PREAUTH_FAILED: tuser@EC2.INTERNAL for krbtgt/EC2.INTERNAL@EC2.INTERNAL, Preauthentication failed
Jul 22 21:47:07 ip-172-31-28-101.ec2.internal krb5kdc2036: closing down fd 12

@dmcnaught

I also commented out the first line in /data/etc/ipa/default.conf
otherwise this was the log output:
[start ipa-otpd@.service]
Running [export [global]; export host=ip-172-31-28-101.ec2.internal; export basedn=dc=ec2,dc=internal; export realm=EC2.INTERNAL; export domain=ec2.internal; export xmlrpc_uri=https://ip-172-31-28-101.ec2.internal/ipa/xml; export ldap_uri=ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket; export enable_ra=True; export ra_plugin=dogtag; export dogtag_version=10; export mode=production; /usr/libexec/ipa-otpd $ldap_uri]
Marked pid [2826] for [ipa-otpd@.service]
sh: line 0: export: `[global]': not a valid identifier
LDAP: ldapi://%2fvar%2frun%2fslapd-EC2-INTERNAL.socket
Socket closed, shutting down...

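The `export: [global]: not a valid identifier` failure above comes from feeding an INI-style file straight to `export`. As an added example (not code from docker-freeipa or FreeIPA), here is a POSIX sh loader that skips section headers and non-identifier keys before exporting; the sample config, hostnames and values it writes are constructed for the demo, not taken from a real deployment:

```shell
#!/bin/sh
# Added example: an EnvironmentFile-style loader that tolerates the "[global]"
# section header of /etc/ipa/default.conf instead of passing it to "export".

# Emit "export KEY='VALUE'" lines for the file in $1. Section headers,
# comments, blank lines, lines without "=" and keys that are not valid
# shell identifiers are skipped rather than exported.
ini_to_exports() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) continue ;;   # blank line or comment
            '['*)         continue ;;   # [section] header, e.g. [global]
            *=*)          ;;            # key=value, handled below
            *)            continue ;;   # no "=", nothing to export
        esac
        key=${line%%=*}                 # text before the first "="
        val=${line#*=}                  # text after it (may contain more "=")
        key=$(printf '%s' "$key" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;  # not a shell identifier
        esac
        # single-quote the value so "%2f", spaces and "=" survive eval
        esc=$(printf '%s' "$val" | sed "s/'/'\\\\''/g")
        printf "export %s='%s'\n" "$key" "$esc"
    done < "$1"
}

# Export the file's variables into the current shell, the way ipa-otpd's
# unit expects EnvironmentFile to behave. Must not be run in a subshell.
load_ini_env() {
    _exports=$(ini_to_exports "$1") || return 1
    eval "$_exports"
}

# Constructed sample resembling /etc/ipa/default.conf (values are made up).
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
host = ipa.example.test
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
ldap_uri = ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket
enable_ra = True
# a comment line
not-an-identifier = skipped
EOF
}
```

Running `write_sample_conf f; load_ini_env f; printf '%s\n' "$ldap_uri"` prints the ldapi URI that would be handed to /usr/libexec/ipa-otpd, with `[global]` and the hyphenated key silently dropped.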
@dmcnaught

Some more info: When I use Google Authenticator I get this error message when adding the token. (centos-7 and fedora-22). Authy allows me to add the token.

@dmcnaught

Also tried adding the token with FreeOTP - can't log in to the admin tools or onto an IPA client with password+token after setup.

@npmccallum

@dmcnaught The "invalid barcode" issue is related to this bug: https://www.redhat.com/archives/freeipa-devel/2015-June/msg00505.html

@dmcnaught

Notes from mailing list:
@adelton : Can we run systemd in the centos-7 container so that ipa-otp will work?

On Mon, 2015-09-21 at 16:49 -0600, Duncan McNaught wrote:

Dear freeipa-users,

I'm having an issue with otp in freeipa. I can set up the service as
described in the blog post for TOTP or HOTP, and sync the token fine.
When I try to login to the admin tools or an ipa-managed client
(with ) , I get a password incorrect message.
Here are some more details: https://github.com/adelton/docker-freeipa/issues/34
Can anyone help me to debug/get this working?

I'm very unclear as to what you are trying to do. Are you trying to
run FreeIPA in a container? If so, Jan is probably your man. AFAIK,
ipa-otpd will require systemd in the container.

If you are trying to run this on CentOS 7.1 (not a container), it
seems to me that your LDAP server isn't running or something is wrong
with ldapi.

Can you explain your setup in more detail?

@adelton
Collaborator

adelton commented Sep 25, 2015

Notes from mailing list:
@adelton : Can we run systemd in the centos-7 container so that ipa-otp will work?

Not yet, it should be possible with Docker 1.9.

@adelton
Collaborator

adelton commented Sep 26, 2015

Fix for the issue was now pushed to the master branch and also to the rhel-7 and centos-7 branches. The automated builds on the hub are running and updated images should be available shortly.

Sorry it took me so long to resolve the problem.

@adelton adelton closed this as completed Sep 26, 2015
@dmcnaught

Great - thanks @adelton
