On Tue, Jun 18, 2024 at 10:14:29AM +0000, Grzegorz Sobański wrote:
> Hi,
>
> After updating Rocky Linux from 9.3 to 9.4, sssd started to enforce 2FA for our sudo configuration, while before it was optional, and we can't find out why it changed.
> We downgraded the sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we are sure it's because of the sssd version change from 2.9.1 to 2.9.4; all other configuration is the same.
>
> I looked through the changelogs and skimmed through the list of commits, but I couldn't find anything obvious that should change this. Has anyone seen something similar? Do you know if it's the result of an intended change or a side effect of other changes? Or a bug?
>
> We are using IPA as the Kerberos provider, and users do have OTP set up.
> Up to 2.9.1, sudoing worked either with only the password or with password+OTP.
> On 2.9.4 (and 2.9.5), sudoing is not working with only the password; both password+OTP are required.

Hi,

this might be related to https://github.com/SSSD/sssd/issues/7152 but this should be fixed in 2.9.5. Would it be possible to send full debug logs for sssd-2.9.5 with `debug_level = 9`, at least in the [domain/...] section of sssd.conf, covering a failed login attempt?

Thanks

bye,
Sumit

> I attach excerpts from the logs; they are similar for both 2.9.1 and 2.9.4, with one difference standing out:
> On 2.9.1:
> (2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): [RID#729] Prompter interface isn't used for password prompts by SSSD.
> On 2.9.4:
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): [RID#38] Got question [otp].
> Although one is in the log lines and the other in the backtrace.
>
> Logs:
> On 2.9.1:
>
> (2024-06-17 12:07:45): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the following data
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): domain: realm
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): user: gsobanski@realm
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): service: sudo
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): rhost:
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 (Password)
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): priv: 0
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): cli_pid: 3400909
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): logon name: not set
> (2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): flags: 0
> [...]
> (2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] Will perform auth
> (2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] Will perform online auth
> (2024-06-17 12:07:45): [krb5_child[3400913]] [get_and_save_tgt] (0x0400): [RID#729] Attempting kinit for realm [realm]
> (2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): [RID#729] Prompter interface isn't used for password prompts by SSSD.
> (2024-06-17 12:07:45): [krb5_child[3400913]] [validate_tgt] (0x0400): [RID#729] TGT verified using key for [host/hostname@realm].
> (2024-06-17 12:07:45): [krb5_child[3400913]] [safe_remove_old_ccache_file] (0x0400): [RID#729] New and old ccache file are the same, none will be deleted.
> (2024-06-17 12:07:45): [krb5_child[3400913]] [k5c_send_data] (0x0200): [RID#729] Received error code 0
> (2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] krb5_child completed successfully
>
> On 2.9.4:
>
> (2024-06-17 12:12:23): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the following data
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): domain: realm
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): user: gsobanski@realm
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): service: sudo
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): rhost:
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 (Password)
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): priv: 0
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): cli_pid: 1757901
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): logon name: not set
> (2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): flags: 0
> [...]
> (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform auth
> (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform online auth
> (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0400): [RID#38] Attempting kinit for realm [realm]
> (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38] 2367: [-1765328360][Preauthentication failed]
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] krb5_child started.
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x1000): [RID#38] total buffer size: [179]
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x0100): [RID#38] cmd [241 (auth)] uid [123456] gid [1002] validate [true] enterprise principal [false] offline [false] UPN [gsobanski@realm]
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x0100): [RID#38] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_123456_3UVHOp] keytab: [/etc/krb5.keytab]
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [switch_creds] (0x0200): [RID#38] Switch user to [123456][1002].
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [switch_creds] (0x0200): [RID#38] Switch user to [0][0].
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_check_old_ccache] (0x4000): [RID#38] Ccache_file is [FILE:/tmp/krb5cc_123456_3UVHOp] and is active and TGT is valid.
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_setup_fast] (0x0100): [RID#38] Fast principal is set to [host/hostname@realm]
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [find_principal_in_keytab] (0x4000): [RID#38] Trying to find principal host/hostname@realm in keytab.
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [match_principal] (0x1000): [RID#38] Principal matched to the sample (host/hostname@realm).
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [check_fast_ccache] (0x0200): [RID#38] FAST TGT is still valid.
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [become_user] (0x0200): [RID#38] Trying to become user [123456][1002].
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x2000): [RID#38] Running as [123456][1002].
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [set_lifetime_options] (0x0100): [RID#38] No specific renewable lifetime requested.
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [set_lifetime_options] (0x0100): [RID#38] No specific lifetime requested.
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [set_canonicalize_option] (0x0100): [RID#38] Canonicalization is set to [true]
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform auth
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform online auth
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [tgt_req_child] (0x1000): [RID#38] Attempting to get a TGT
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0400): [RID#38] Attempting kinit for realm [realm]
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): [RID#38] Got question [otp].
> * (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38] 2367: [-1765328360][Preauthentication failed]
> ********************** BACKTRACE DUMP ENDS HERE *********************************
>
> (2024-06-17 12:12:23): [krb5_child[1757979]] [map_krb5_error] (0x0040): [RID#38] 2496: [-1765328360][Preauthentication failed]
> (2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_send_data] (0x0200): [RID#38] Received error code 1432158222
> (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] krb5_child completed successfully
>
> Grzegorz Sobański
> www.payu.com
>
> --
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
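The thread turns on one difference between the two krb5_child runs: on 2.9.4 the Kerberos responder callback is asked for an OTP and the TGT request ends in a preauthentication failure, while on 2.9.1 the password alone yields a TGT. When a domain log is collected at `debug_level = 9`, this kind of comparison is tedious by eye, so here is an added triage script (not part of the thread and not SSSD's own code) that parses SSSD's debug line format as it appears in the excerpts above, groups krb5_child lines by request ID (RID), and reports per request whether the `otp` responder question was seen and how the request ended. The sample lines are a constructed, abridged copy of the poster's excerpts; the line layout and the regular expressions are assumptions derived from those lines and may need adjusting for other SSSD versions.

```python
"""Per-RID summary of SSSD krb5_child debug output (added example, not SSSD code)."""
import re
from collections import OrderedDict

# Assumed layout of an SSSD debug line, as seen in the thread's excerpts:
#   [* ](timestamp): [component[id]] [function] (0xlevel): [RID#n] message
# A leading "* " marks a line replayed from a backtrace dump.
LINE_RE = re.compile(
    r"^\*?\s*\((?P<ts>[^)]+)\): "
    r"\[(?P<comp>[^\]]*\[[^\]]*\])\] "
    r"\[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$"
)
ERROR_CODE_RE = re.compile(r"Received error code (-?\d+)")
KRB5_ERR_RE = re.compile(r"\[(-?\d+)\]\[([^\]]+)\]")  # "[code][text]" as logged

# Kerberos error code logged in the thread next to "Preauthentication failed".
KRB5KDC_ERR_PREAUTH_FAILED = -1765328360


def parse_line(line):
    """Split one debug line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["backtrace"] = line.lstrip().startswith("*")
    d["rid"] = int(d["rid"]) if d["rid"] else None
    return d


def summarize(lines):
    """Return {rid: summary} for every krb5_child request found in `lines`."""
    reqs = OrderedDict()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["rid"] is None or not rec["comp"].startswith("krb5_child"):
            continue
        s = reqs.setdefault(rec["rid"], {
            "otp_prompted": False, "prompter_seen": False,
            "krb5_error": None, "krb5_error_text": None, "sssd_error": None,
        })
        func, msg = rec["func"], rec["msg"]
        if func == "sss_krb5_responder" and "Got question [otp]" in msg:
            s["otp_prompted"] = True            # KDC/libkrb5 asked for a second factor
        elif func == "sss_krb5_prompter":
            s["prompter_seen"] = True           # password-only path on 2.9.1
        elif func in ("get_and_save_tgt", "map_krb5_error") and (m := KRB5_ERR_RE.search(msg)):
            s["krb5_error"] = int(m.group(1))   # libkrb5 error from the TGT request
            s["krb5_error_text"] = m.group(2)
        elif func == "k5c_send_data" and (m := ERROR_CODE_RE.search(msg)):
            s["sssd_error"] = int(m.group(1))   # code returned to the backend (0 = success)
    for s in reqs.values():
        if s["sssd_error"] is None:
            s["outcome"] = "incomplete"
        else:
            s["outcome"] = "ok" if s["sssd_error"] == 0 else "failed"
    return reqs


def report(label, lines):
    """Human-readable one-liner per request."""
    out = []
    for rid, s in summarize(lines).items():
        how = "otp responder asked" if s["otp_prompted"] else "no otp question"
        err = "none" if s["krb5_error"] is None else f"{s['krb5_error']} ({s['krb5_error_text']})"
        out.append(f"{label} RID#{rid}: {how}, krb5 error {err}, outcome {s['outcome']}")
    return out


# Constructed samples, abridged from the excerpts posted in the thread.
SAMPLE_2_9_1 = """\
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] Will perform online auth
(2024-06-17 12:07:45): [krb5_child[3400913]] [get_and_save_tgt] (0x0400): [RID#729] Attempting kinit for realm [realm]
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): [RID#729] Prompter interface isn't used for password prompts by SSSD.
(2024-06-17 12:07:45): [krb5_child[3400913]] [validate_tgt] (0x0400): [RID#729] TGT verified using key for [host/hostname@realm].
(2024-06-17 12:07:45): [krb5_child[3400913]] [k5c_send_data] (0x0200): [RID#729] Received error code 0
""".splitlines()

SAMPLE_2_9_4 = """\
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform online auth
(2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38] 2367: [-1765328360][Preauthentication failed]
* (2024-06-17 12:12:23): [krb5_child[1757979]] [switch_creds] (0x0200): [RID#38] Switch user to [123456][1002].
* (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): [RID#38] Got question [otp].
* (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38] 2367: [-1765328360][Preauthentication failed]
(2024-06-17 12:12:23): [krb5_child[1757979]] [map_krb5_error] (0x0040): [RID#38] 2496: [-1765328360][Preauthentication failed]
(2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_send_data] (0x0200): [RID#38] Received error code 1432158222
""".splitlines()

if __name__ == "__main__":
    for line in report("2.9.1", SAMPLE_2_9_1) + report("2.9.4", SAMPLE_2_9_4):
        print(line)
```

Run it against the real `/var/log/sssd/sssd_<domain>.log` by passing `open(path)` to `summarize()`; the `krb5_child` lines only carry a RID when `debug_level` is high enough, which is why the request above asks for level 9 in the `[domain/...]` section. The `switch_creds` line is included in the sample on purpose: its `[123456][1002]` text looks like a `[code][text]` pair, so the error-code match is restricted to `get_and_save_tgt` and `map_krb5_error` to avoid misreading it.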
