The nightly tests related to OTP are failing in rawhide, see PR #586:
- test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp (report)
- multiple tests in test_otp.py::TestOTPToken (report)
They all fail when trying OTP authentication:
    # kinit -n -c /path/to/armor_cache
    # kinit -T /path/to/armor_cache otpuser
    Enter OTP Token Value:
    kinit: Preauthentication failed while getting initial credentials
and the following error is logged in krb5kdc.log:
master.ipa.test krb5kdc[31025](info): preauth (otp) verify failure: No such file or directory
By using strace on krb5kdc daemon, we can see that the daemon wants to communicate with ipa-otpd using the unix socket /var/kerberos/run/krb5kdc/DEFAULT.socket, but ipa-otpd is listening on /var/run/krb5kdc/DEFAULT.socket as set in its unit file:
    # cat /usr/lib/systemd/system/ipa-otpd.socket
    [Unit]
    Description=ipa-otpd socket

    [Socket]
    ListenStream=/var/run/krb5kdc/DEFAULT.socket
    RemoveOnStop=true
    SocketMode=0600
    Accept=true

    [Install]
    WantedBy=krb5kdc.service
@rharwood do you know if something changed recently that could explain this new failure? The issue happens with krb5-server-1.18.3-4.fc34.x86_64 but not with krb5-server-1.18.2-29.fc32.x86_64.
systemd folks mandated I migrate from hardcoding /var/run to hardcoding /run despite one being a symlink to the other. Unfortunately configuration of this is tricky and I got it slightly wrong. Fix forthcoming.
Do we need to modify the path on ipa-otpd side too?
No change from freeipa should be needed.
Fixed-in: krb5-1.18.3-5.fc34. https://koji.fedoraproject.org/koji/taskinfo?taskID=57583849
Issue can be closed, the latest rawhide run was green: PR #649 with the following report, using krb5-server-1.19-0.beta2.1.fc34.x86_64. Fedora 32 and Fedora 33 are still shipping krb5-1.18.2-29 which doesn't have the regression.
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
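The diagnosis described in this ticket (strace shows krb5kdc connecting to one socket path while the ipa-otpd.socket unit listens on another) can be scripted. The following is an added example, not code from the ticket, FreeIPA or krb5: the strace lines are constructed, and the function names are hypothetical.

```python
import posixpath
import re

# Unit file contents as shown in the ticket ([Install] section omitted).
UNIT_TEXT = """\
[Unit]
Description=ipa-otpd socket
[Socket]
ListenStream=/var/run/krb5kdc/DEFAULT.socket
RemoveOnStop=true
SocketMode=0600
Accept=true
"""
# Constructed `strace -f` lines (pid, fds and address lengths are made up).
STRACE_TEXT = """\
1234 connect(11, {sa_family=AF_UNIX, sun_path="/var/kerberos/run/krb5kdc/DEFAULT.socket"}, 110) = -1 ENOENT (No such file or directory)
1234 connect(12, {sa_family=AF_UNIX, sun_path="/run/systemd/journal/socket"}, 29) = 0
"""
CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=AF_UNIX, sun_path="([^"]+)"\}, \d+\)'
    r' = -1 (E[A-Z]+)')


def canonical(path):
    """Normalize a path and fold /var/run into /run (one symlinks to the other)."""
    path = posixpath.normpath(path)
    if path == "/var/run" or path.startswith("/var/run/"):
        path = path[len("/var"):]
    return path


def listen_paths(unit_text):
    """Filesystem ListenStream= paths from the [Socket] section of a unit."""
    paths, in_socket = [], False
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_socket = (line == "[Socket]")
        elif in_socket and line.startswith("ListenStream=/"):
            paths.append(canonical(line.split("=", 1)[1]))
    return paths


def mismatches(unit_text, strace_text):
    """Failed AF_UNIX connects that name a listener's socket file under a
    different directory: (path the client tried, path served, errno)."""
    failed = [(canonical(p), e) for p, e in CONNECT_RE.findall(strace_text)]
    return [(want, have, err)
            for want, err in failed for have in listen_paths(unit_text)
            if want != have
            and posixpath.basename(want) == posixpath.basename(have)]
```

Because `canonical()` treats `/var/run` and `/run` as the same location, a client and listener that differ only by that symlink are not reported; only a genuinely different directory, as in this regression, is flagged.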