Am Fri, Jun 21, 2024 at 11:47:54AM +0000 schrieb Grzegorz Sobański: > > Am Tue, Jun 18, 2024 at 10:14:29AM +0000 schrieb Grzegorz Sobański: > > > Hi, > > > after updating Rocky Linux from 9.3 to 9.4 sssd started to enforce 2FA > > > for our sudo configuration, while before it was optional, and we can’t > > > find why did it change. > > > We downgraded sssd packages from 2.9.4 to 2.9.1 and 2FA went back to > > > being optional, so we are sure it’s because sssd version change from > > > 2.9.1->2.9.4, all other configuration is the same. > > > > > > I looked through changelogs and skimmed through the list of commits, but > > > I couldn’t find anything obvious that should change this. Has anyone seen > > > something similar? Do you know if it’s a result of an intended change or > > > some side-effect of other changes? Or a bug? > > > > > > We are using IPA as Kerberos provider, users do have OTP set up. > > > Up to 2.9.1 sudoing worked either with only password or password+otp. > > > On 2.9.4 (and 2.9.5) sudoing is not working with only password, both > > > password+otp are required. > > > > Hi, > > > > this might be related to https://github.com/SSSD/sssd/issues/7152but > > this should be fixed in 2.9.5. Would it be possible to send full debug > > logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...] > > section of sssd.conf covering a failed login attempt? > > Hi, > I attach full debug logs with level 9 from sssd 2.9.5.
Hi, thanks for the logs, please find a test build which should fix the issue at https://sbose.fedorapeople.org/otp_password/sssd-2.9.4-6.el9_4.1sb1.tar.gz. Please let me know if it works for you or not. If you don't mind it would be nice if you can open a ticket for this issue at https://github.com/SSSD/sssd/issues/new. Thanks. bye, Sumit > > Bye, > Grzegorz > -- > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
