Yes, happy to provide PAM configurations from Ubuntu and Rocky examples. I only know how to reproduce with FreeIPA at the moment, but I would imagine any other sssd backends that invoke a custom credential prompt (2FA, security key, etc.) would behave the same. I will see if I can find any other clues like ordering of events in auth.log.
Thanks!
David

On Fri, 27 Mar 2026, 18:55 Andreas Hasenack, <[email protected]> wrote:

> We don't have freeipa available in ubuntu to try to replicate this
> behavior, so we will need help here.
>
> Does this bug need FreeIPA to be reproduced, or can you come up with a
> simpler case, perhaps involving just openldap as the server, and a MIT
> kerberos KDC? And can you share the configuration in /etc/sssd/* and
> /etc/pam.d/* that leads to this behavior?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2146581
>
> Title:
> Using SSS authentication with TOTP prompts requires disabling Unix
> authentication
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2146581/+subscriptions
