From: Sumit Bose <sbose@redhat.com>
Date: Friday, 21 June 2024 at 16:18
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: External : [SSSD-users] Re: 2FA is being enforced after upgrading 2.9.1->2.9.4

Attention: This email originated outside trusted domains.


Am Fri, Jun 21, 2024 at 11:47:54AM +0000 schrieb Grzegorz Sobański:
> > Am Tue, Jun 18, 2024 at 10:14:29AM +0000 schrieb Grzegorz Sobański:
> > > Hi,
> > > after updating Rocky Linux from 9.3 to 9.4 sssd started to enforce 2FA for our sudo configuration, while before it was optional, and we can’t find why did it change.
> > > We downgraded sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we are sure it’s because sssd version change from 2.9.1->2.9.4, all other configuration is the same.
> > >
> > > I looked through changelogs and skimmed through the list of commits, but I couldn’t find anything obvious that should change this. Has anyone seen something similar? Do you know if it’s a result of an intended change or some side-effect of other changes? Or a bug?
> > >
> > > We are using IPA as Kerberos provider, users do have OTP set up.
> > > Up to 2.9.1 sudoing worked either with only password or password+otp.
> > > On 2.9.4 (and 2.9.5) sudoing is not working with only password, both password+otp are required.
> >
> > Hi,
> >
> > this might be related to https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSSSD%2Fsssd%2Fissues%2F7152but&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106428680%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=s5I%2FbSkEg9Qd8C51y7TVUDPgs9itKPCSzCsP6BCmbvY%3D&reserved=0
> > this should be fixed in 2.9.5. Would it be possible to send full debug
> > logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...]
> > section of sssd.conf covering a failed login attempt?
>
> Hi,
> I attach full debug logs with level 9 from sssd 2.9.5.

Hi,

thanks for the logs, please find a test build which should fix the issue
at
https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsbose.fedorapeople.org%2Fotp_password%2Fsssd-2.9.4-6.el9_4.1sb1.tar.gz&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106439313%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=KC5k8HALKVWVf7hsEcUZsuhRSkgQJxXyV0C%2BgbnOkFQ%3D&reserved=0.
Please let me know if it works for you or not.

If you don't mind it would be nice if you can open a ticket for this
issue at https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FSSSD%2Fsssd%2Fissues%2Fnew&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106445800%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=6OoGSvFphda4nKzwwibj8sOgXeoZoqQjxot7QmjPr%2F8%3D&reserved=0.

Thanks.

bye,
Sumit

>
> Bye,
> Grzegorz



> --
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106451504%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=mLizMMH3K5d%2BeyisWiFfvloCWeue5OX%2BgET6y0qbwho%3D&reserved=0
> List Guidelines: https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproject.org%2Fwiki%2FMailing_list_guidelines&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106456251%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=MeiVkmAke2%2Ffb2oz%2F10ne%2BosK4KPd%2Bhf3F5iW%2B6naiQ%3D&reserved=0
> List Archives: https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted.org&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106460843%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=9rQyI3ojU9v8oc7nidjwX858zDeu%2F0TZmYFoSJIhxjA%3D&reserved=0
> Do not reply to spam, report it: https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.io%2Ffedora-infrastructure%2Fnew_issue&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106465039%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=cZygUhEXj%2B72qxN%2FYvWvFTFyh5w4zttsnd5oLmJhq%2Fg%3D&reserved=0
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106469028%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=qBIC1QxW1JJXbrJwO5ot9zuRygkAJ1bhR778E31kiy8%3D&reserved=0
List Guidelines: https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproject.org%2Fwiki%2FMailing_list_guidelines&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106473154%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=W8F%2F4Ib8fZG49ot2CsjoEGlhia0CZ%2BdEtmno2IjQ9p0%3D&reserved=0
List Archives: https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted.org&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106477080%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=kD8So0NjBG2dFOrC2P7hi9Zp39eBInBu316WuUAEMo4%3D&reserved=0
Do not reply to spam, report it: https://eur04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpagure.io%2Ffedora-infrastructure%2Fnew_issue&data=05%7C02%7Cgrzegorz.sobanski%40payu.com%7C49e503af8f9d42ff594008dc91fd054f%7C674203d44c704e82b36bec018d680a26%7C1%7C1%7C638545763106481123%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=3VHT7xwXEgXSpmiWBg2OL25GAZ323VatPykgyewA3dE%3D&reserved=0