• "Socket type not supported" with OTP

    From BuzzSaw Code@21:1/5 to All on Mon Jan 9 23:15:43 2023
    I've set up some new RHEL8 KDCs that will use the otp feature - I have
    this working on RHEL7 without issues.

    But on the RHEL8 hosts I'm getting "preauth (otp) verify failure:
    Socket type not supported" errors.

    Each KDC has a local radius server listening on the IPv6 loopback, so
    the kdc.conf has this for the otp config:

    [otp]
    DEFAULT = {
        server = localhost6:1812
        secret = mysecret
        strip_realm = true
    }

    Is there a way to debug the KDC process further to see why it doesn't
    like that loopback without building a custom debug kdc?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From BuzzSaw Code@21:1/5 to buzzsaw.code@gmail.com on Wed Jan 11 12:25:51 2023
    Looks like I get to answer my own question, FIPS mode breaks the
    normal OTP setup in RHEL8:

    https://bugzilla.redhat.com/show_bug.cgi?id=1872689

    Bleah.

    On Mon, Jan 9, 2023 at 11:15 PM BuzzSaw Code <buzzsaw.code@gmail.com> wrote:

    I've set up some new RHEL8 KDCs that will use the otp feature - I have
    this working on RHEL7 without issues.

    But on the RHEL8 hosts I'm getting "preauth (otp) verify failure:
    Socket type not supported" errors.

    Each KDC has a local radius server listening on the IPv6 loopback, so
    the kdc.conf has this for the otp config:

    [otp]
    DEFAULT = {
        server = localhost6:1812
        secret = mysecret
        strip_realm = true
    }

    Is there a way to debug the KDC process further to see why it doesn't
    like that loopback without building a custom debug kdc?
