Not off the top of my head, but with the power of Google I'm sure I can figure it out.  If you have an example readily available I won't fight you for it =)

I guess my bigger question is how did you figure out that *that* attribute is what was messing me up?  I assumed that it was something Kerberos related as my reading (ironically something you wrote: https://docs.pagure.org/SSSD.sssd/design_pages/pam_conversation_for_otp.html) led me to understand that the Kerberos server was telling the client PAM stack what prompts to provide.  But I couldn't for the life of me figure out where the Kerberos server was getting that info.

Is there a method that a mere-mortal such as myself could use in the future to figure that out? If not, I'm happy to accept "it's PFM" on this one.  Thanks again!

On Mon, Dec 16, 2019 at 11:59 AM Sumit Bose <sbose@redhat.com> wrote:
On Mon, Dec 16, 2019 at 08:29:16AM -0500, Michael Deffenbaugh wrote:
> Hey Sumit, I pasted it here: https://paste.centos.org/view/6ea2a800

Thanks,

please remove the

    krbExtraData: AAtvdHAAW3siaW5kaWNhdG9ycyI6IFsib3RwIl19XQA=

IIRC 'ipa user-mod' cannot handle binary data, so you need an LDAP editor
or use ldapmodify directly. Do you know how to do it?

bye,
Sumit

>
> Max time is 1 day so if you need me to re-paste it let me know.  Thanks
> again!
>
> On Mon, Dec 16, 2019 at 6:55 AM Sumit Bose via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> > On Wed, Dec 04, 2019 at 12:44:59PM -0500, Michael Deffenbaugh via
> > FreeIPA-users wrote:
> > > Hey Sumit, thank you for the reply.
> > >
> > > I'm pretty sure I had set it on a per user basis, but it might have been
> > > globally.  I removed the OTP setting using the WebUI in both the default
> > > user config (Global settings), and I forced my user (one of the accounts
> > > experiencing the issue) to password only.  This is reflected correctly at
> > > the command line too.
> > >
> > > ipa config-show
> > > ...
> > >   Default user authentication types: password
> > >
> > > and ipa user-show <my username>
> > > ...
> > >   User authentication types: password
> > >
> > > Is there something I'm missing?  Thanks!
> >
> > Hi,
> >
> > can you send the output of
> >
> >     ipa user-show --all --raw <my username>
> >
> > I'm especially interested in the 'krbExtraData' attributes, feel free
> > to drop or sanitize the other attributes.
> >
> > bye,
> > Sumit
> >
> > >
> > > Regards,
> > > Mike
> > >
> > >
> > > On Wed, Dec 4, 2019 at 12:35 PM Sumit Bose <sbose@redhat.com> wrote:
> > >
> > > > On Wed, Dec 04, 2019 at 02:15:59PM -0000, Michael Deffenbaugh via
> > > > FreeIPA-users wrote:
> > > > > I'm having an issue where users who were previously enrolled in OTP
> > (and
> > > > had it enforced) which then were removed from OTP and have no tokens
> > are
> > > > still prompted for "First Factor/Second Factor".  Up until recently
> > this
> > > > has been an inconvenience as a user could just leave the field blank
> > and it
> > > > would authenticate; they would only have to wait for IPA to process the
> > > > non-existent OTP token.
> > > > >
> > > > > Recently I've run across an application which doesn't support OTP
> > > > prompting at all, and the fact that users are getting prompted for
> > > > First/Second factor breaks the application.  While I do have a github
> > issue
> > > > in with the project to properly support OTP, there should be some way
> > to
> > > > disable the MFA prompt that users are getting (via PAM/SSSD?) given
> > we're
> > > > no longer using it.  Any thoughts as to where I should look?  There's a
> > > > fair amount of documentation on how to enable it, less so on disabling
> > it.
> > > > Thanks in advance!
> > > >
> > > > Hi,
> > > >
> > > > how did you enable OTP? Globally with
> > > >
> > > >     ipa config-mod --user-auth-type=...
> > > >
> > > > or individually for each user with
> > > >
> > > >     ipa user-mod --user-auth-type=...
> > > >
> > > > Depending on this you should remove 'otp' either from the global
> > > > configuration or for each user.
> > > >
> > > > HTH
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > >
> > > > > Regards,
> > > > > Mike
> > > > > _______________________________________________
> > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > > To unsubscribe send an email to
> > > > freeipa-users-leave@lists.fedorahosted.org
> > > > > Fedora Code of Conduct:
> > > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > > > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives:
> > > >
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > > >
> > > >
> >
> >
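
Added example, not part of the original thread or of FreeIPA/krb5 code: decoding the krbExtraData value quoted in the thread shows it is a Kerberos string attribute named "otp", and the same script builds the ldapmodify input that deletes only that value. It assumes the MIT krb5 LDAP layout (2-byte big-endian type tag, then data; type 0x000b holds NUL-terminated key/value string attributes); the DN is a placeholder.

```python
import base64
import struct

KRB5_TL_STRING_ATTRS = 0x000B  # assumed: MIT krb5 tl_data type for string attributes


def decode_krb_extra_data(b64_value):
    """Split one krbExtraData value into (tl_type, payload bytes)."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) < 2:
        raise ValueError("krbExtraData value shorter than its 2-byte type tag")
    (tl_type,) = struct.unpack(">H", raw[:2])
    return tl_type, raw[2:]


def parse_string_attrs(payload):
    """Parse NUL-terminated key/value pairs into a dict."""
    fields = payload.split(b"\x00")
    if fields and fields[-1] == b"":
        fields.pop()  # drop the empty piece after the final NUL
    if len(fields) % 2:
        raise ValueError("odd number of fields in string attribute payload")
    return {fields[i].decode(): fields[i + 1].decode()
            for i in range(0, len(fields), 2)}


def otp_values(b64_values):
    """Return the krbExtraData values that carry an 'otp' string attribute."""
    hits = []
    for value in b64_values:
        tl_type, payload = decode_krb_extra_data(value)
        if tl_type == KRB5_TL_STRING_ATTRS and "otp" in parse_string_attrs(payload):
            hits.append(value)
    return hits


def delete_ldif(user_dn, b64_value):
    """Build LDIF that deletes exactly one binary value ('::' means base64)."""
    return (f"dn: {user_dn}\nchangetype: modify\n"
            f"delete: krbExtraData\nkrbExtraData:: {b64_value}\n")


# Value quoted in the thread; the DN below is a placeholder, not from the thread.
THREAD_VALUE = "AAtvdHAAW3siaW5kaWNhdG9ycyI6IFsib3RwIl19XQA="
if __name__ == "__main__":
    tl_type, payload = decode_krb_extra_data(THREAD_VALUE)
    print(hex(tl_type), parse_string_attrs(payload))
    print(delete_ldif("uid=USERNAME,cn=users,cn=accounts,dc=example,dc=com",
                      THREAD_VALUE))
```

The printed LDIF can be passed to ldapmodify by an account allowed to edit the user entry; other krbExtraData values on the entry are left untouched.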