On Wed, 13 May 2020, Dhinakaran M via FreeIPA-users wrote:
> As per the scenario below, I am trying to enable 2FA but with no luck. Please let
> me know if anyone has faced this kind of issue and how it was resolved.
> I'm trying to enable 2FA authentication on only 2 hosts out of 5 hosts.
> Test case 1) I have enabled 2FA in the global configuration of FreeIPA,
> but it is working on all 5 hosts.
> Test case 2) Disabled 2FA in the global configuration of FreeIPA and
> enabled the OTP indicator on only 2 hosts, but the OTP mechanism doesn't work.
You are mixing up different things: ability to associate authentication
indicators with different preauthentication types and ability to enforce
certain authentication indicators for requests of service tickets.
The global setting must be enabled to allow processing of 2FA for users.
Then OTP pre-auth would be allowed and those users who have associated
tokens will be allowed to use them. This use is at the time when you
obtain a ticket granting ticket, roughly corresponding to the 'kinit'
operation. This is a phase which can be done from any host, even one not
enrolled in IPA.
SSSD on enrolled hosts does detect which pre-authentication types the KDC
may advertise for a TGT request and may ask a user to provide OTP
details. Again, this is orthogonal to the actual enforcement of
authentication indicators during TGS request processing.
Please see
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
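
Added example (mine, not from the thread and not FreeIPA's own code): the two phases Alexander separates, written as a shell procedure run on a machine with the ipa client tools and an admin ticket. It assumes a user alice, domain example.test, hosts app1 and app2 as the two that must require OTP, db1 as one of the other three, and that anonymous PKINIT is enabled on the server for the manual FAST armor step; all of these are assumptions, overridable through the environment.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Assumed names: user "alice", domain "example.test", hosts app1/app2
# (must require OTP) and db1 (must not). Override them via the environment.
set -eu

IPA_USER=${IPA_USER:-alice}
IPA_DOMAIN=${IPA_DOMAIN:-example.test}
OTP_HOSTS=${OTP_HOSTS:-"app1.$IPA_DOMAIN app2.$IPA_DOMAIN"}
PLAIN_HOST=${PLAIN_HOST:-db1.$IPA_DOMAIN}

# Phase 1 (TGT, "kinit" time): the global setting lets the KDC offer OTP
# pre-authentication; users with a token may then use it from any machine.
enable_otp_preauth() {
  ipa config-mod --user-auth-type=otp --user-auth-type=password
  ipa otptoken-add --owner="$IPA_USER" --type=totp --desc="$IPA_USER token"
}

# Phase 2 (TGS time): only the host principals of the chosen hosts demand
# the "otp" authentication indicator; the other hosts are left untouched.
require_otp_on_hosts() {
  for h in $OTP_HOSTS; do
    ipa host-mod "$h" --auth-ind=otp
  done
}

# Pure-shell helper: given the text printed by `ipa host-show <host>`,
# return 0 when its "Authentication Indicators:" line lists otp, else 1.
needs_otp() {
  printf '%s\n' "$1" | awk -F': *' '
    /Authentication Indicators/ {
      n = split($2, ind, /, */)
      for (i = 1; i <= n; i++) if (ind[i] == "otp") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Show that the two phases are independent: a password-only TGT is still
# issued, but only hosts without the indicator accept it.
verify_policy() {
  kdestroy -A
  kinit "$IPA_USER"                       # password only: TGT without indicator
  kvno "host/$PLAIN_HOST"                 # no indicator required: succeeds
  if kvno "host/${OTP_HOSTS%% *}" 2>/dev/null; then
    echo "unexpected: password-only TGT accepted by an otp-only host" >&2
    return 1                              # expected: "KDC policy rejects request"
  fi
  # A manual OTP kinit needs FAST armor (anonymous PKINIT enabled on the
  # server); SSSD on an enrolled host arranges this itself when it prompts
  # for the OTP value.
  kinit -n -c /tmp/armor.ccache
  kinit -T /tmp/armor.ccache "$IPA_USER"  # prompts for password and OTP value
  kvno "host/${OTP_HOSTS%% *}"            # TGT now carries "otp": accepted
}

# Run the whole procedure only when asked, after `kinit admin`.
if [ "${1:-}" = run ]; then
  enable_otp_preauth
  require_otp_on_hosts
  verify_policy
fi
```

verify_policy makes the point of the reply visible: once the global setting is on, the password-only kinit still succeeds, and only service tickets for the two hosts carrying the indicator are refused with "KDC policy rejects request". The restriction therefore lives on the host principals (phase 2), not in the global setting (phase 1), which is why enabling or disabling the global setting alone affects all five hosts the same way.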