> On Tue, Jun 18, 2024 at 10:14:29AM +0000, Grzegorz Sobański wrote:
> > Hi,
> >
> > after updating Rocky Linux from 9.3 to 9.4 sssd started to enforce 2FA for
> > our sudo configuration, while before it was optional, and we can’t find why
> > it changed.
> > We downgraded sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being
> > optional, so we are sure it’s because sssd version change from
> > 2.9.1->2.9.4, all other configuration is the same.
> >
> > I looked through changelogs and skimmed through the list of commits, but I
> > couldn’t find anything obvious that should change this. Has anyone seen
> > something similar? Do you know if it’s a result of an intended change or
> > some side-effect of other changes? Or a bug?
> >
> > We are using IPA as Kerberos provider, users do have OTP set up.
> > Up to 2.9.1 sudoing worked either with only password or password+otp.
> > On 2.9.4 (and 2.9.5) sudoing is not working with only password, both
> > password+otp are required.
>
> Hi,
>
> this might be related to https://github.com/SSSD/sssd/issues/7152 but
> this should be fixed in 2.9.5. Would it be possible to send full debug
> logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...]
> section of sssd.conf covering a failed login attempt?

Hi,

I attach full debug logs with level 9 from sssd 2.9.5.

Bye,
Grzegorz

sssd-2.9.5-log9-krb5child.log.anon
sssd-2.9.5-log9.log.anon
--
sssd-users mailing list
