Invalid 2FA

panzerscope

Contributor
Joined
May 30, 2022
Messages
146
Hey guys,

I need some guidance. I am trying to enable 2FA on my TrueNAS Scale. However, when I do this using Google Authenticator and then try to log in with 2FA, it states it is invalid. I know this can happen with time drift. I am confident Google Authenticator is correct and I can see it is synced with the time just fine, so that leaves my TrueNAS server.

How do I go about checking the server time against my actual time to ensure the server has the correct time?

Is there also a command to force TrueNAS to sync up to one of the assigned NTP servers in my config?

I have multiple NTP servers set up for my region (UK) as per below, so that is set up and ready to go.

[Attached screenshot: 1705619649628.png]


I also saw this, with reference to Clock Drift, but will investigate that if all else fails.

Thanks in advance!
P
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
Using Core over here but just try
ntpq -pn

That one will give you the info and Scale may well use the same tool.

Another option in Linux is
ntpdate -q your.time.ref
 

panzerscope

Contributor
Joined
May 30, 2022
Messages
146
> Using Core over here but just try
> ntpq -pn
>
> That one will give you the info and Scale may well use the same tool.
>
> Another option in Linux is
> ntpdate -q your.time.ref

Apparently those commands are not valid, at least not when I tried them in shell.

I also tried to restart my NTP service as per "service ntp restart" but I was met with an error.

[Attached screenshot: 1705758306570.png]


Anyone have any ideas?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
More likely than not, your ISP may be limiting access to port 123 or NTP in general due to those services being exploited for DDNS or like attacks in the past.

I would invest in a home NTP server and be done with the issue. I happen to like the NTP200 and NTP250 series from Centerclick. For less than $200, you get a custom-made device that just works, the POE version is slightly more money. No drama, auto-update, easy-to-maintain (unlike RPi solutions in my limited experience).
 

panzerscope

Contributor
Joined
May 30, 2022
Messages
146
> More likely than not, your ISP may be limiting access to port 123 or NTP in general due to those services being exploited for DDNS or like attacks in the past.
>
> I would invest in a home NTP server and be done with the issue. I happen to like the NTP200 and NTP250 series from Centerclick. For less than $200, you get a custom-made device that just works, the POE version is slightly more money. No drama, auto-update, easy-to-maintain (unlike RPi solutions in my limited experience).

That is an option, however my ISP is not blocking NTP as I can ping the time server just fine.

[Attached screenshot: 1705774768463.png]


I was more wondering why the NTP service itself is not starting on TrueNAS.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
> That is an option, however my ISP is not blocking NTP as I can ping the time server just fine
>
> I was more wondering why the NTP service itself is not starting on TrueNas

Careful, there is a difference between being able to ping a server and being able to reach it on port 123. As for NTP server on TrueNAS, that is indeed a curious issue. I would log into the console, disable 2FA until you can figure out why 2FA isn’t working.
 

panzerscope

Contributor
Joined
May 30, 2022
Messages
146
> Careful, there is a difference between being able to ping a server and being able to reach it on port 123. As for NTP server on TrueNAS, that is indeed a curious issue. I would log into the console, disable 2FA until you can figure out why 2FA isn’t working.

That is true,

I have checked my clock sync and I got the below, so things are looking good. I would imagine that the clock on my TrueNAS must be out by a matter of seconds, which is still throwing things off for 2FA.

[Attached screenshot: 1705775731375.png]


The ntpd service is obviously not happy on my server because if I issue any ntpd-related command in shell I get the following.

[Attached screenshot: 1705775875766.png]


However, curiously, in the first screenshot it states the NTP service is active :/

I just need a way to force a new NTP sync/check that NTP is actually syncing.
 