Hi, Has someone managed to setup OTP 2FA between FreeIPA 4.5.X and Mac OS (High Sierra)? When authenticating with a non 2FA user, works fine. THE FIRST WAY: native heimdal client: aae$ kinit --version kinit (Heimdal 1.5.1apple1) Copyright 1995-2011 Kungliga Tekniska Högskolan Send bug-reports to heimdal-bugs(a)h5l.org aae$ aae$ kdestroy aae$ kinit --anonymous aae$ klist Credentials cache: KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7 Principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS Issued Expires Principal Jun 20 12:41:07 2018 Jun 21 12:41:06 2018 krbtgt/IDM.CRP(a)IDM.CRP aae$ kinit --fast-armor-cache=KCM:74E6A71B-BCB9-43E1-8832-AFC7B17831E7 aae(a)IDM.CRP kinit: krb5_init_creds_set_fast_ccache: Matching credential (krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS) not found aae$ Found [1] that FAST is supported but is it enough for OTP I have no idea. Tried tcp protocol [2] without success. I can't find information how to activate anon FAST on Mac OS if this protocol is supported. What about OTP? I'm not sure that old heimdal kerberos client is compatible with pkinit/fast. I know so many questions to apple developers and support --------------------------------------------- THE SECOND WAY: client MIT version krb5-1.16.1 port install kerberos5 ... ---> Installing kerberos5 @1.16.1_0 ... slightly changed /etc/krb5.conf aae$ kdestroy kdestroy: No credentials cache found while destroying cache aae$ kinit -n aae$ klist -A Ticket cache: KCM:501 Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS Valid starting Expires Service principal 06/20/2018 12:46:22 06/21/2018 12:46:22 krbtgt/IDM.CRP(a)IDM.CRP aae$ kinit -T KCM:501 aae(a)IDM.CRP Enter OTP Token Value: aae$ aae$ klist -A Ticket cache: KCM:501:2 Default principal: aae(a)IDM.CRP Valid starting Expires Service principal 06/20/2018 12:47:13 06/21/2018 12:46:59 krbtgt/IDM.CRP(a)IDM.CRP Ticket cache: KCM:501 Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS Valid starting Expires Service principal 06/20/2018 12:46:22 06/21/2018 12:46:22 krbtgt/IDM.CRP(a)IDM.CRP aae$ much much better, but it's not enough because I can't use TGT. As you can see I tried to use KCM cache believing that I use native heimdal KCM server on my Mac, but without success: I do not see any valid tickets here /System/Library/CoreServices/<Ticket Viewer> and of course don't have kerberos related access to corporate resources. ---------------------------------------------- Any help is appreciated. Possible directions/ideas how to implement 2FA on Mac OS without hacks? I have successfully setup linux using pam-krb5 and anon_fast option. References: [1] https://www.redhat.com/archives/freeipa-users/2016-December/msg00214.html [2] https://www.redhat.com/archives/freeipa-users/2016-December/msg00219.html -- Oleksandr Yermolenko systems engineer