freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

Some problem with OTP #628

Closed ingvarrwvw closed 1 month ago

ingvarrwvw commented 1 month ago

Hi all! OTP tokens for 2fa do not work, I see that this issue has been raised here for a long time: https://github.com/freeipa/freeipa-container/issues/34 but it is not clear how it was resolved. What is the current status for OTP in the docker container, does it work or not?

adelton commented 1 month ago

That issue was about the ipa-otpd service/daemon not starting at all, and that has been resolved back in 2015.

Authentication with OTP works in general with FreeIPA and FreeIPA in containers, so you should start by describing what steps you do exactly and where your expectations start to diverge from reality.

ingvarrwvw commented 1 month ago

It is necessary to use TOTP tokens for selective accounts. To do this, in the GUI, in the properties of the account, I put a tick on Two factor authentication (password + OTP), then I create a token for the account, add it to the Google Authenticator app and try to log in with the password + TOTP. This is where reality and expectations diverge), I can't log in - the password is incorrect. There is no running ipa-otpd service in the docker container.

adelton commented 1 month ago

Exactly the steps you described worked on my fresh testing containerized FreeIPA setup based on quay.io/freeipa/freeipa-server:rocky-8.

In my setup I do see the service running:

$ podman exec freeipa-master systemctl status 'ipa-otpd@*.service'
● ipa-otpd@0-317-0.service - ipa-otpd service (PID 317/UID 0)
   Loaded: loaded (/usr/lib/systemd/system/ipa-otpd@.service; static; vendor preset: disabled)
   Active: active (running) since Wed 2024-10-23 14:30:17 UTC; 2min 35s ago
 Main PID: 1032 (ipa-otpd)
    Tasks: 1 (limit: 1638)
   Memory: 1.2M
   CGroup: /system.slice/system-ipa\x2dotpd.slice/ipa-otpd@0-317-0.service
           └─1032 /usr/libexec/ipa/ipa-otpd ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket

Oct 23 14:30:17 ipa.example.test systemd[1]: Started ipa-otpd service (PID 317/UID 0).
Oct 23 14:30:17 ipa.example.test ipa-otpd[1032]: LDAP: ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket
Oct 23 14:30:17 ipa.example.test ipa-otpd[1032]: david@EXAMPLE.TEST: request received
Oct 23 14:30:17 ipa.example.test ipa-otpd[1032]: david@EXAMPLE.TEST: user query start
Oct 23 14:30:17 ipa.example.test ipa-otpd[1032]: david@EXAMPLE.TEST: user query end: uid=david,cn=users,cn=accounts,dc=example,dc=test
Oct 23 14:30:17 ipa.example.test ipa-otpd[1032]: david@EXAMPLE.TEST: bind start: uid=david,cn=users,cn=accounts,dc=example,dc=test
Oct 23 14:30:17 ipa.example.test ipa-otpd[1032]: david@EXAMPLE.TEST: bind end: success
Oct 23 14:30:17 ipa.example.test ipa-otpd[1032]: david@EXAMPLE.TEST: sent: 0 data: 20
Oct 23 14:30:17 ipa.example.test ipa-otpd[1032]: david@EXAMPLE.TEST: ..sent: 20 data: 20
Oct 23 14:30:17 ipa.example.test ipa-otpd[1032]: david@EXAMPLE.TEST: response sent: Access-Accept

So I'd recommend to start with debugging of the services health in the container.

ingvarrwvw commented 1 month ago

My setup is based on quay.io/centos/centos:stream9

systemctl status ipa-otpd@.service
Failed to get properties: Unit name ipa-otpd@.service is neither a valid invocation ID nor unit name.

systemctl start ipa-otpd@.service
Failed to start ipa-otpd@.service: Unit name ipa-otpd@.service is missing the instance name. See system logs and 'systemctl status ipa-otpd@.service' for details.

systemctl --version
systemd 252 (252-18.el9)

abbra commented 1 month ago

ipa-otpd@.service is a template. The service does not run all the time but is socket-activated on demand, whenever the KDC needs to authenticate a request.
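The two points made above (adelton: start by checking the health of the services in the container; abbra: ipa-otpd@.service is a template that is socket-activated, so an empty instance list is not by itself a fault) can be turned into a small diagnostic script. This is an added example written for this thread, not code from the freeipa-container project or from either commenter. It assumes podman is used to reach the container, that the container runs systemd with journald, and that the socket unit is named ipa-otpd.socket (the unit FreeIPA installs alongside the ipa-otpd@.service template); the container name is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of freeipa-container: interpret ipa-otpd unit names and
# check the service's health inside a containerized FreeIPA server.
# Assumptions: podman, a systemd/journald-based container, and the socket unit
# name ipa-otpd.socket.

# Classify a unit name the way the errors in this thread do:
#   template - ipa-otpd@.service: cannot be started or queried directly
#   instance - ipa-otpd@<instance>.service: spawned by the socket per request
#   socket   - ipa-otpd.socket: the unit that must be active for OTP to work
#   other    - anything else
otpd_unit_kind() {
  case "$1" in
    ipa-otpd.socket)     echo socket ;;
    ipa-otpd@.service)   echo template ;;
    ipa-otpd@?*.service) echo instance ;;
    *)                   echo other ;;
  esac
}

# Turn the socket state ("active" as printed by `systemctl is-active`) and the
# number of live ipa-otpd@ instances into a one-line diagnosis.
otpd_diagnose() {
  sock_state="$1"
  instances="$2"
  if [ "$sock_state" != "active" ]; then
    echo "FAIL: ipa-otpd.socket is $sock_state; the KDC cannot hand OTP requests to ipa-otpd"
  elif [ "$instances" -eq 0 ]; then
    echo "OK: socket listening, no instance running (normal while no OTP auth is in flight)"
  else
    echo "OK: socket listening, $instances ipa-otpd@ instance(s) handling requests"
  fi
}

# Run the checks against a running container (assumed container name in $1).
otpd_health() {
  c="$1"
  # `is-active` exits non-zero when the unit is down; keep going and report it.
  sock_state=$(podman exec "$c" systemctl is-active ipa-otpd.socket || true)
  # Instances only exist while a request is being served, so 0 is expected when idle.
  instances=$(podman exec "$c" systemctl list-units --all --plain --no-legend \
                'ipa-otpd@*.service' | wc -l | tr -d ' ')
  otpd_diagnose "$sock_state" "$instances"
  echo "== ipa-otpd.socket"
  podman exec "$c" systemctl status ipa-otpd.socket --no-pager || true
  echo "== recent ipa-otpd journal entries (syslog identifier ipa-otpd)"
  podman exec "$c" journalctl -t ipa-otpd --since '-1h' --no-pager || true
}

if [ $# -ge 1 ]; then
  otpd_health "$1"
fi
```

Usage: `sh otpd-check.sh freeipa-master`. Trigger one OTP login while the journal command runs to see the per-request instance and the "request received" / "response sent" lines shown earlier in this thread; if the socket is inactive, `systemctl status ipa-otpd.socket` and the journal are where the failure reason will be.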

ingvarrwvw commented 1 month ago

systemctl status ipa-otpd@*.service
The output is empty. How else can I diagnose this? There is no information about otpd in the logs.

ingvarrwvw commented 1 month ago

After rebooting the host system, everything worked.