As per the scenario below, I am trying to enable 2FA but with no luck. Please let me know if anyone has faced this kind of issue and how it was resolved.
I'm trying to enable 2FA authentication on only 2 hosts out of 5 hosts.
Test case 1) I enabled 2FA in the global configuration of FreeIPA, but it is working on all 5 hosts.
Test case 2) Disabled 2FA in the global configuration of FreeIPA and enabled the OTP indicator on only 2 hosts, but the OTP mechanism doesn't work.
On Wed, 13 May 2020, Dhinakaran M via FreeIPA-users wrote:
As per the scenario below, I am trying to enable 2FA but with no luck. Please let me know if anyone has faced this kind of issue and how it was resolved.
I'm trying to enable 2FA authentication on only 2 hosts out of 5 hosts.
Test case 1) I enabled 2FA in the global configuration of FreeIPA, but it is working on all 5 hosts.
Test case 2) Disabled 2FA in the global configuration of FreeIPA and enabled the OTP indicator on only 2 hosts, but the OTP mechanism doesn't work.
You are mixing up two different things: the ability to associate authentication indicators with different pre-authentication types, and the ability to enforce certain authentication indicators for service ticket requests.
The global setting must be enabled to allow processing of 2FA for users. Then OTP pre-auth is allowed, and those users who have associated tokens will be allowed to use them. This happens at the time you obtain a ticket-granting ticket, roughly corresponding to the 'kinit' operation. This phase can be done from any host, even one not enrolled into IPA.
SSSD on enrolled hosts does detect which pre-authentication types the KDC may advertise for a TGT request and may ask the user to provide OTP details. Again, this is orthogonal to the actual enforcement of authentication indicators during TGS request processing.
Please see https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
freeipa-users@lists.fedorahosted.org
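The split the reply describes, as an added sh helper that is not part of the thread or of the FreeIPA project: OTP stays enabled realm-wide so users can obtain a TGT with a token, and the "otp" authentication indicator is required only on the host principals that must enforce 2FA. It assumes the standard `ipa` CLI (the IPA variable lets you point it at a stub for a dry run) and placeholder host names.

```shell
# Allow OTP (and keep password) as realm-wide user authentication types, so the
# KDC advertises OTP pre-auth at kinit time for users who own a token. Without
# this, no TGT ever carries the "otp" indicator and per-host enforcement can
# never be satisfied.
enable_global_otp() {
    ${IPA:-ipa} config-mod --user-auth-type=otp --user-auth-type=password
}

# Require the "otp" authentication indicator on one host principal. The KDC
# then refuses a service ticket for host/<fqdn> unless the TGT carries "otp";
# hosts without this setting keep accepting password-only TGTs.
require_otp_indicator() {
    ${IPA:-ipa} host-mod "$1" --auth-ind=otp
}

# Apply the requirement to exactly the hosts named on the command line
# (e.g. two out of five enrolled hosts); all other hosts are left untouched.
enforce_otp_on_hosts() {
    for fqdn in "$@"; do
        require_otp_indicator "$fqdn"
    done
}

# Show the indicators currently required on a host (assumes the --raw output
# of host-show, which lists the LDAP attribute krbprincipalauthind).
show_otp_indicator() {
    ${IPA:-ipa} host-show "$1" --raw | grep -i 'krbprincipalauthind' || true
}

# Placeholder hosts (constructed for this example); uncomment to run for real:
# enable_global_otp
# enforce_otp_on_hosts web1.example.test web2.example.test
# show_otp_indicator web1.example.test
```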