
Re: [Freeipa-devel] FreeIPA OTP End-to-End



Alexander Bokovoy wrote:
> What does not yet work is end-to-end kinit without armoured ccache.
> This also is the case for PAM-based logins through SSSD.
This one is fixed now. There was a bug in SSSD's processing of a response
from a krb5_child process when FAST is activated -- the SSS_OTP message was the last
one returned and SSSD erroneously thought it was a malformed packet.

I now have 2FA logons working with PAM-based apps (including SSH) using the following
configuration in sssd.conf:
----------------------------------
[domain/`domain`]
....
krb5_use_fast = try
krb5_fast_principal = host/`hostname`
....
----------------------------------

Patch for https://fedorahosted.org/sssd/ticket/2186 is on the SSSD development list.
-- 
/ Alexander Bokovoy
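
A check for the two sssd.conf options quoted in the message above, as an added example that is not part of the original post or of SSSD itself. The sample file, its domain names and its host name are constructed, and audit_fast is a hypothetical helper name.

```python
import configparser

# Constructed sample sssd.conf; domain and host names are placeholders.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test, legacy.test

[domain/example.test]
id_provider = ipa
krb5_use_fast = try
krb5_fast_principal = host/client.example.test

[domain/legacy.test]
id_provider = ipa
"""

VALID_MODES = ("never", "try", "demand")


def audit_fast(conf_text):
    """Return {domain: [findings]} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [pam], [nss] ... carry no FAST settings
        opts = cp[section]
        mode = opts.get("krb5_use_fast")
        mode = mode.strip().lower() if mode is not None else None
        principal = (opts.get("krb5_fast_principal") or "").strip()
        findings = []
        if mode is None:
            findings.append("krb5_use_fast not set explicitly")
        elif mode not in VALID_MODES:
            findings.append("unknown krb5_use_fast value: %r" % mode)
        elif mode == "never":
            findings.append("krb5_use_fast = never: requests are not armoured")
        elif mode == "try":
            # 'try' continues without FAST if the KDC does not support it
            findings.append("krb5_use_fast = try: falls back to no FAST")
        if mode in ("try", "demand") and not principal:
            findings.append("krb5_fast_principal not set explicitly")
        report[section.split("/", 1)[1]] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit_fast(SAMPLE_SSSD_CONF).items():
        print(domain, findings or ["FAST required, principal set"])
```
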

