[39165] in Kerberos


Re: "Socket type not supported" with OTP

daemon@ATHENA.MIT.EDU (BuzzSaw Code)
Wed Jan 11 12:31:33 2023

In-Reply-To: <CAJhaRZ+tk-We5sLHzbiROwpBAty3jznONphXQt5dksALfDRuxg@mail.gmail.com>
From: BuzzSaw Code <buzzsaw.code@gmail.com>
Date: Wed, 11 Jan 2023 12:25:51 -0500
Message-ID: <CAJhaRZJBfhgX1puuDnj6MiRJ27oM9atmDGcst4U+ivoaToz=Lg@mail.gmail.com>
To: Kerberos@mit.edu

Looks like I get to answer my own question, FIPS mode breaks the
normal OTP setup in RHEL8:

https://bugzilla.redhat.com/show_bug.cgi?id=1872689

Bleah.

On Mon, Jan 9, 2023 at 11:15 PM BuzzSaw Code <buzzsaw.code@gmail.com> wrote:
>
> I've set up some new RHEL8 KDCs that will use the otp feature - I have
> this working on RHEL7 without issues.
>
> But on the RHEL8 hosts I'm getting "preauth (otp) verify failure:
> Socket type not supported" errors.
>
> Each KDC has a local RADIUS server listening on the IPv6 loopback, so
> the kdc.conf has this for the otp config:
>
> [otp]
>    DEFAULT = {
>         server = localhost6:1812
>         secret = mysecret
>         strip_realm = true
>    }
>
> Is there a way to debug the KDC process further to see why it doesn't
> like that loopback without building a custom debug KDC?
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
