Max time is 1 day so if you need me to re-paste it let me know. Thanks
again!

On Mon, Dec 16, 2019 at 6:55 AM Sumit Bose via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:

On Wed, Dec 04, 2019 at 12:44:59PM -0500, Michael Deffenbaugh via
FreeIPA-users wrote:
> Hey Sumit, thank you for the reply.
>
> I'm pretty sure I had set it on a per user basis, but it might have been
> globally. I removed the OTP setting using the WebUI in both the default
> user config (Global settings), and I forced my user (one of the accounts
> experiencing the issue) to password only. This is reflected correctly at
> the command line too.
>
> ipa config-show
> ...
> Default user authentication types: password
>
> and ipa user-show <my username>
> ...
> User authentication types: password
>
> Is there something I'm missing? Thanks!

Hi,

can you send the output of

ipa user-show --all --raw <my username>

I'm especially interested in the 'krbExtraData' attributes, feel free
to drop or sanitize the other attributes.

bye,
Sumit

>
> Regards,
> Mike
>
>
> On Wed, Dec 4, 2019 at 12:35 PM Sumit Bose <sbose(a)redhat.com> wrote:
>
> > On Wed, Dec 04, 2019 at 02:15:59PM -0000, Michael Deffenbaugh via
> > FreeIPA-users wrote:
> > > I'm having an issue where users who were previously enrolled in OTP
> > > (and had it enforced) which then were removed from OTP and have no
> > > tokens are still prompted for "First Factor/Second Factor". Up until
> > > recently this has been an inconvenience as a user could just leave
> > > the field blank and it would authenticate; they would only have to
> > > wait for IPA to process the non-existent OTP token.
> > >
> > > Recently I've run across an application which doesn't support OTP
> > > prompting at all, and the fact that users are getting prompted for
> > > First/Second factor breaks the application. While I do have a GitHub
> > > issue in with the project to properly support OTP, there should be
> > > some way to disable the MFA prompt that users are getting (via
> > > PAM/SSSD?) given we're no longer using it. Any thoughts as to where I
> > > should look? There's a fair amount of documentation on how to enable
> > > it, less so on disabling it.
> > > Thanks in advance!
> >
> > Hi,
> >
> > how did you enable OTP? Globally with
> >
> > ipa config-mod --user-auth-type=...
> >
> > or individually for each user with
> >
> > ipa user-mod --user-auth-type=...
> >
> > Depending on this you should remove 'otp' either from the global
> > configuration or for each user.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > Regards,
> > > Mike
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...