Bug 1573674 - IPA OTP Broken [NEEDINFO]
Summary: IPA OTP Broken
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-05-01 22:22 UTC by James Chang
Modified: 2018-06-18 15:12 UTC
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-18 15:12:53 UTC
Target Upstream Version:
Flags: pvoborni: needinfo? (refrain5)



Description James Chang 2018-05-01 22:22:08 UTC
Description of problem: IPA OTP token sync doesn't work


Version-Release number of selected component (if applicable): 4.5.0


How reproducible: add OTP token, try to sync


Steps to Reproduce:
1. either use 'ipa otptoken-add' or do it in the ipa gui
2. scan the QR code with an authenticator app (Google Authenticator)
3. either use 'ipa otptoken-sync' or try to sync during login screen of ipa gui

Actual results: 'Invalid Credentials!'


Expected results: Token Synced


Additional info: Usually token sync will fail.  Sometimes, the token will sync (not sure why?) but you still cannot log in with the token.  IPA will ask you for the first factor, then the second factor, then ask you for the first factor again.

Additionally, using 'ipa otptoken-add' results in a QR code that you cannot scan with Google Authenticator or FreeOTP.

Comment 2 Petr Vobornik 2018-05-18 16:01:47 UTC
Works for me. Could you share specific reproduction steps? E.g. as below:

$ rpm -q ipa-server
ipa-server-4.5.4-10.el7.x86_64


[pvoborni@vm-171-226 ~]$ ipa user-add --first=foo --last=bar --password
User login [fbar]: 
Password: 
Enter Password again to verify: 
-----------------
Added user "fbar"
-----------------
  User login: fbar
  First name: foo
  Last name: bar
  Full name: foo bar
  Display name: foo bar
  Initials: fb
  Home directory: /home/fbar
  GECOS: foo bar
  Login shell: /bin/sh
  Principal name: fbar@DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Principal alias: fbar@DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Email address: fbar@dom-171-226.abc.idm.lab.eng.brq.redhat.com
  UID: 1645800001
  GID: 1645800001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


[pvoborni@vm-171-226 ~]$ kinit fbar
Password for fbar@DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 


[pvoborni@vm-171-226 ~]$ ipa otptoken-add
------------------
Added OTP token ""
------------------
  Unique ID: 415f6ccb-e96f-4711-96e2-dec6a15d4345
  Type: TOTP
  Owner: fbar
  Manager: fbar
  Algorithm: sha1
  Digits: 6
  Clock interval: 30
  URI: otpauth://totp/fbar@DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:415f6ccb-e96f-4711-96e2-dec6a15d4345?digits=6&secret=HR3JPDDSLB7AS34MSGSBCOLZ5FYFWWEB&period=30&algorithm=SHA1&issuer=fbar%40DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM


[QR code rendered in the terminal, encoding the otpauth:// URI above]


[pvoborni@vm-171-226 ~]$ kinit admin
Password for admin@DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM: 

[pvoborni@vm-171-226 ~]$ ipa user-mod fbar --user-auth-type=otp
--------------------
Modified user "fbar"
--------------------
  User login: fbar
  First name: foo
  Last name: bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  Principal name: fbar@DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Principal alias: fbar@DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Email address: fbar@dom-171-226.abc.idm.lab.eng.brq.redhat.com
  UID: 1645800001
  GID: 1645800001
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[pvoborni@vm-171-226 ~]$ kdestroy -A
[pvoborni@vm-171-226 ~]$ kinit -n
[pvoborni@vm-171-226 ~]$ klist
Ticket cache: KEYRING:persistent:17127:krb_ccache_nISgXgj
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
05/18/2018 17:55:29  05/19/2018 17:55:29  krbtgt/DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM@DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM


[pvoborni@vm-171-226 ~]$ kinit  -T KEYRING:persistent:17127:krb_ccache_nISgXgj fbar
Enter OTP Token Value: 

[pvoborni@vm-171-226 ~]$ ipa otptoken-sync
User ID: fbar
Password: 
First Code: 
Second Code: 
Token synchronized.

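The session in comment 2 ends with `ipa otptoken-sync` asking for two consecutive codes. As an added example, not part of this bug report and not FreeIPA's own code, the Python below parses an otpauth://totp URI like the one `ipa otptoken-add` printed, computes RFC 6238 codes from it, and searches a window of time steps for a pair of consecutive codes, which is the shape of a resynchronization (the window size, the function names and the "token clock minus our clock" convention are this example's assumptions, not IPA's algorithm). It is useful as an independent check: if the code it prints for the current time differs from what the authenticator app shows, the app and the machine disagree on time or the secret was not scanned correctly; if they agree and the KDC still rejects the code, the problem lies elsewhere.

```python
#!/usr/bin/env python3
"""Independent TOTP check for an `ipa otptoken-add` URI (RFC 4226 / RFC 6238).

Added example, not FreeIPA code: parses an otpauth://totp URI, computes codes
for a given time, and searches a window of time steps for two consecutive codes
the way a resync would.
"""
import base64
import hmac
import struct
import time
from urllib.parse import parse_qsl, unquote

# The URI `ipa otptoken-add` printed in comment 2 (a lab token, copied from above).
PAGE_URI = ("otpauth://totp/fbar@DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM:"
            "415f6ccb-e96f-4711-96e2-dec6a15d4345?digits=6"
            "&secret=HR3JPDDSLB7AS34MSGSBCOLZ5FYFWWEB&period=30&algorithm=SHA1"
            "&issuer=fbar%40DOM-171-226.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM")


def parse_otpauth(uri):
    """Return label, issuer, raw key and TOTP parameters from an otpauth://totp/ URI."""
    prefix = "otpauth://totp/"
    if not uri.startswith(prefix):
        raise ValueError("only otpauth://totp URIs are handled here")
    label, _, query = uri[len(prefix):].partition("?")
    params = dict(parse_qsl(query))          # also decodes %40 -> @ in the issuer
    secret = params["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)       # base32 input must be padded to 8
    return {
        "label": unquote(label),
        "issuer": params.get("issuer", ""),
        "key": base64.b32decode(secret),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(token, at=None, step_offset=0):
    """RFC 6238 TOTP at Unix time `at` (default: now), shifted by `step_offset` periods."""
    at = time.time() if at is None else at
    counter = int(at) // token["period"] + step_offset
    return hotp(token["key"], counter, token["digits"], token["algorithm"])


def find_sync_offset(token, first, second, at=None, window=100):
    """Search +/-window steps around `at` for two consecutive codes.

    Returns the token clock's offset from ours in steps (negative = token is
    behind), or None if no consecutive pair matches. Example window, not IPA's.
    """
    at = time.time() if at is None else at
    for off in range(-window, window + 1):
        if totp(token, at, off) == first and totp(token, at, off + 1) == second:
            return off
    return None


if __name__ == "__main__":
    tok = parse_otpauth(PAGE_URI)
    print("label:", tok["label"])
    print("algorithm/digits/period:", tok["algorithm"], tok["digits"], tok["period"])
    # Two consecutive codes, the input `ipa otptoken-sync` prompts for.
    now = time.time()
    print("this step:", totp(tok, now), " next step:", totp(tok, now, 1))
```

Run it on the same host whose clock the KDC trusts and compare the printed code with the app; the `hotp` and `totp` functions reproduce the RFC 6238 Appendix B vectors (secret "12345678901234567890", SHA1), which is the quickest way to confirm the arithmetic before trusting the comparison.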
Comment 3 Florence Blanc-Renaud 2018-06-18 15:12:53 UTC
As this bug has been in NEEDINFO for an extended period of time we are going to close this bug due to inactivity. If you would like to pursue this matter feel free to reopen this bug and attach the needed information.

