Hi All,
I have recently applied the CentOS 7.4 updates which includes installation of FreeIPA 4.5. Prior to the update we were running CentOS 7.3 (the original OS for this system) and FreeIPA 4.4 and the platform has been regularly updated without issue. We operate a master and replica pair at a single location.
Since upgrading to FreeIPA 4.5, user authentication is behaving inconsistently in relation to OTP - we use password+OTP for all user authentication.
Our platform is available behind a VPN provided by a Cisco ASA where the authentication is handled by FreeIPA using an interim LDAP bind on a dedicated system account (i.e. https://www.freeipa.org/page/HowTo/LDAP). Since the update *this connection does not accept OTP* tokens but does work with password only - in contrast with our security policy.
Once connected the user can then SSH into the system - for this connection the normal authentication (password+otp) works - password only does not work here. With an SSH session to the IPA master I can run ldapsearch and authenticate with password+otp only. The web UI also requires password+otp.
To clarify, the system should not accept any user logins using password only, and the acceptance of this on our VPN connection is quite concerning. Is anyone able to offer advice on how to dig deeper and resolve the issue?
Some system details:
---
$ sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

$ sudo rpm -qa| grep ipa
ipa-common-4.5.0-21.el7.centos.1.2.noarch
ipa-server-dns-4.5.0-21.el7.centos.1.2.noarch
ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch
ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
ipa-client-4.5.0-21.el7.centos.1.2.x86_64
ipa-server-4.5.0-21.el7.centos.1.2.x86_64
python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
sssd-ipa-1.15.2-50.el7_4.2.x86_64
python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
libipa_hbac-1.15.2-50.el7_4.2.x86_64
python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
--
There is an additional "symptom" present on the web UI - every visit to the login screen now gets two HTTP BASIC authentication pop-ups - typically we would just get one and dismiss it to proceed to normal logon. Not sure if that is at all relevant. Each popup appears in the apache error log as separate GSSAPI errors - shown below. Not a problem, just different.
--
[Mon Sep 18 14:09:07.974254 2017] [auth_gssapi:error] [pid 7810] [client 172.18.0.1:53298] NO AUTH DATA Client did not send any authentication headers, referer: https://pci-fram-ipa1.domain.net/ipa/ui/
[Mon Sep 18 14:09:09.712143 2017] [auth_gssapi:error] [pid 3101] [client 172.18.0.1:53304] NO AUTH DATA Client did not send any authentication headers, referer: https://pci-fram-ipa1.domain.net/ipa/ui/
--
Thanks,
Calllum
freeipa-users@lists.fedorahosted.org
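An added check, not part of the post above, that a practitioner can run from an IPA master to confirm which credential forms the directory accepts on the plain LDAP simple-bind path the ASA uses: one bind with the password alone and one with password+OTP concatenated, as the FreeIPA LDAP HowTo describes. IPA_HOST and BIND_DN are placeholders; the user's password and a fresh OTP are taken from the environment.

```shell
#!/bin/sh
# Added example (not from the original post). Probes whether a FreeIPA directory
# accepts an LDAP simple bind with the password alone, with password+OTP, or both.
# IPA_HOST and BIND_DN are placeholders; IPA_PASSWORD and IPA_OTP come from the caller.
IPA_HOST="${IPA_HOST:-ipa.example.test}"
BIND_DN="${BIND_DN:-uid=testuser,cn=users,cn=accounts,dc=example,dc=test}"

# One simple bind over LDAPS, credential held in a 0600 temp file (ldapsearch -y)
# so it never shows up in the process list. Prints "ok" or "fail", never the secret.
probe_bind() {
    cred="$1"
    umask 077
    passfile=$(mktemp) || return 1
    printf '%s' "$cred" > "$passfile"
    if ldapsearch -x -H "ldaps://$IPA_HOST" -D "$BIND_DN" -y "$passfile" \
            -b "" -s base 1.1 >/dev/null 2>&1; then
        result=ok
    else
        result=fail
    fi
    rm -f "$passfile"
    echo "$result"
}

# Turn the two probe outcomes into a verdict. For an account whose auth type is
# OTP the expected posture is: password-only fails, password+OTP succeeds.
classify_otp_posture() {
    pw_only="$1"; pw_otp="$2"
    if [ "$pw_only" = fail ] && [ "$pw_otp" = ok ]; then
        echo "OTP enforced"
    elif [ "$pw_only" = ok ] && [ "$pw_otp" = ok ]; then
        echo "password-only bind accepted: OTP not enforced on this path"
    elif [ "$pw_only" = ok ] && [ "$pw_otp" = fail ]; then
        echo "password-only accepted but password+OTP rejected: check OTP validation"
    else
        echo "both binds rejected: check credentials, DN or connectivity"
    fi
}

run_probes() {
    pw_only=$(probe_bind "$IPA_PASSWORD")
    pw_otp=$(probe_bind "$IPA_PASSWORD$IPA_OTP")   # OTP is appended to the password
    echo "password only: $pw_only, password+OTP: $pw_otp"
    classify_otp_posture "$pw_only" "$pw_otp"
}

# Only contact the directory when invoked as: sh check_otp_bind.sh probe
if [ "${1:-}" = probe ]; then
    run_probes
fi
```

Run it once against the master and once against the replica: if the verdicts differ, the two servers are not enforcing the same policy, which narrows the search to the upgraded node rather than the ASA configuration.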