On Mon, Jun 24, 2024 at 08:23:54AM +0000, Grzegorz Sobański wrote:
Hi, Thanks for working on this. Could you please share a source diff for this change? We can’t use this private build - we will need to build it ourselves.
Hi,
please check https://github.com/sumit-bose/sssd/commit/464a7ec2793a82c83330cb3a10b114d1ca...
HTH
bye, Sumit
Regards,
Grzegorz, http://www.payu.com/
From: Sumit Bose sbose@redhat.com
Date: Friday, 21 June 2024 at 16:18
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: External : [SSSD-users] Re: 2FA is being enforced after upgrading 2.9.1->2.9.4
On Fri, Jun 21, 2024 at 11:47:54AM +0000, Grzegorz Sobański wrote:
On Tue, Jun 18, 2024 at 10:14:29AM +0000, Grzegorz Sobański wrote:
Hi, after updating Rocky Linux from 9.3 to 9.4 sssd started to enforce 2FA for our sudo configuration, while before it was optional, and we can't find out why it changed. We downgraded the sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we are sure it's because of the sssd version change from 2.9.1 to 2.9.4; all other configuration is the same.
I looked through changelogs and skimmed through the list of commits, but I couldn't find anything obvious that should change this. Has anyone seen something similar? Do you know if it's a result of an intended change or some side-effect of other changes? Or a bug?
We are using IPA as the Kerberos provider, and users do have OTP set up. Up to 2.9.1 sudoing worked either with only the password or with password+otp. On 2.9.4 (and 2.9.5) sudoing is not working with only the password; both password and otp are required.
Hi,
this might be related to https://github.com/SSSD/sssd/issues/7152 but this should be fixed in 2.9.5. Would it be possible to send full debug logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...] section of sssd.conf covering a failed login attempt?
Hi, I attach full debug logs with level 9 from sssd 2.9.5.
Hi,
thanks for the logs, please find a test build which should fix the issue at https://sbose.fedorapeople.org/otp_password/sssd-2.9.4-6.el9_4.1sb1.tar.gz. Please let me know if it works for you or not.
If you don't mind it would be nice if you can open a ticket for this issue at https://github.com/SSSD/sssd/issues/new.
Thanks.
bye, Sumit
Bye, Grzegorz
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On 24/06/2024 13:15, Sumit Bose wrote:
Hi,
please check https://github.com/sumit-bose/sssd/commit/464a7ec2793a82c83330cb3a10b114d1ca...
This patch does fix our issue, thanks.
I submitted a ticket as you asked: https://github.com/SSSD/sssd/issues/7456
bye, Grzegorz
On Mon, Jun 24, 2024 at 03:55:50PM +0200, Grzegorz Sobanski wrote:
This patch do fix our issue, thanks.
I submitted a ticket as you asked: https://github.com/SSSD/sssd/issues/7456
Hi,
thanks for the confirmation and the ticket. I have to check if the current patch does not cause any other regressions before making a pull-request out of it to get it included.
bye, Sumit
bye, Grzegorz
On 24/06/2024 16:54, Sumit Bose wrote:
Hi,
thanks for the confirmation and the ticket. I have to check if the current patch does not cause any other regressions before making a pull-request out of it to get it included.
Hi, continuing the discussion from the ticket: I applied the change from master to 2.9.4 with the patches from Rocky 9.4. And while your first change from your private fork did fix our issue, this patch unfortunately didn't.
As requested I attach logs from 2.9.4 from Rocky9.4 with the patch applied.
bye, Grzegorz
On Thu, Jul 11, 2024 at 02:43:50PM +0200, Grzegorz Sobanski wrote:
Hi, continuing the discussion from the ticket: I applied the change from master to 2.9.4 with the patches from Rocky 9.4. And while your first change from your private fork did fix our issue, this patch unfortunately didn't.
As requested I attach logs from 2.9.4 from Rocky9.4 with the patch applied.
Hi,
thank you for the logs. Please try to add
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index d43bd0f55..d1101e16c 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -2505,8 +2505,13 @@ static int prompt_by_config(pam_handle_t *pamh, struct pam_items *pi) ret = prompt_password(pamh, pi, pc_get_password_prompt(pi->pc[c])); break; case PC_TYPE_2FA: - ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]), - pc_get_2fa_2nd_prompt(pi->pc[c])); + if (pi->password_prompting) { + ret = prompt_2fa(pamh, pi, true, pc_get_2fa_1st_prompt(pi->pc[c]), + pc_get_2fa_2nd_prompt(pi->pc[c])); + } else { + ret = prompt_2fa(pamh, pi, false, pc_get_2fa_1st_prompt(pi->pc[c]), + pc_get_2fa_2nd_prompt(pi->pc[c])); + } break; case PC_TYPE_2FA_SINGLE: ret = prompt_2fa_single(pamh, pi,
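Review bot: the two branches of the new `if (pi->password_prompting)` differ only in the boolean third argument passed to prompt_2fa, so the hunk can be collapsed to a single call, `ret = prompt_2fa(pamh, pi, pi->password_prompting, pc_get_2fa_1st_prompt(pi->pc[c]), pc_get_2fa_2nd_prompt(pi->pc[c]));`, which keeps the PC_TYPE_2FA case as compact as the PC_TYPE_2FA_SINGLE case below it. A one-line comment stating what that flag changes (judging from this thread: with password_prompting set the second factor may be left empty, so a password-only sudo is accepted again) would also help, because nothing in the hunk documents why password_prompting decides it; and since the PC_TYPE_2FA_SINGLE case right below does not consult the flag, it is worth confirming deliberately that the single-prompt variant does not need the same treatment.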
to your build and let me know if this fixes the issue for you.
bye, Sumit
bye, Grzegorz
==> /var/log/sssd/sssd_realm.log <==
(2024-07-11 12:49:50): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): domain: realm
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): user: gsobanski@realm
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): rhost:
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): authtok type: 0 (No authentication token available)
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): priv: 0
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): cli_pid: 2109271
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): logon name: not set
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): flags: 0
(2024-07-11 12:49:50): [be[realm]] [dp_attach_req] (0x0400): [RID#5] DP Request [PAM Preauth #5]: REQ_TRACE: New request. [sssd.pam CID #2] Flags [0000].
(2024-07-11 12:49:50): [be[realm]] [dp_attach_req] (0x0400): [RID#5] Number of active DP request: 1
(2024-07-11 12:49:50): [be[realm]] [fo_resolve_service_send] (0x0100): [RID#5] Trying to resolve service 'IPA'
(2024-07-11 12:49:50): [be[realm]] [be_resolve_server_process] (0x0200): [RID#5] Found address for server ipaserver: [V.X.Y.Z] TTL 2652
(2024-07-11 12:49:50): [be[realm]] [_write_pipe_handler] (0x0400): [RID#5] All data has been sent!
(2024-07-11 12:49:50): [be[realm]] [_read_pipe_handler] (0x0400): [RID#5] All data received
(2024-07-11 12:49:50): [be[realm]] [fo_set_port_status] (0x0100): [RID#5] Marking port 0 of server 'ipaserver' as 'working'
(2024-07-11 12:49:50): [be[realm]] [set_server_common_status] (0x0100): [RID#5] Marking server 'ipaserver' as 'working'
(2024-07-11 12:49:50): [be[realm]] [fo_set_port_status] (0x0400): [RID#5] Marking port 0 of duplicate server 'ipaserver' as 'working'
(2024-07-11 12:49:50): [be[realm]] [dp_req_done] (0x0400): [RID#5] DP Request [PAM Preauth #5]: Request handler finished [0]: Success
(2024-07-11 12:49:50): [be[realm]] [_dp_req_recv] (0x0400): [RID#5] DP Request [PAM Preauth #5]: Receiving request data.
(2024-07-11 12:49:50): [be[realm]] [dp_req_destructor] (0x0400): [RID#5] DP Request [PAM Preauth #5]: Request removed.
(2024-07-11 12:49:50): [be[realm]] [dp_req_destructor] (0x0400): [RID#5] Number of active DP request: 0
(2024-07-11 12:49:50): [be[realm]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(2024-07-11 12:49:50): [be[realm]] [child_sig_handler] (0x0100): [RID#5] child [2109273] finished successfully.
(2024-07-11 12:49:53): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): domain: realm
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): user: gsobanski@realm
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): rhost:
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): authtok type: 6 (Two factors in a single string)
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): priv: 0
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): cli_pid: 2109271
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): logon name: not set
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): flags: 0
(2024-07-11 12:49:53): [be[realm]] [dp_attach_req] (0x0400): [RID#6] DP Request [PAM Authenticate #6]: REQ_TRACE: New request. [sssd.pam CID #2] Flags [0000].
(2024-07-11 12:49:53): [be[realm]] [dp_attach_req] (0x0400): [RID#6] Number of active DP request: 1
(2024-07-11 12:49:53): [be[realm]] [fo_resolve_service_send] (0x0100): [RID#6] Trying to resolve service 'IPA'
(2024-07-11 12:49:53): [be[realm]] [be_resolve_server_process] (0x0200): [RID#6] Found address for server ipaserver: [V.X.Y.Z] TTL 2652
(2024-07-11 12:49:53): [be[realm]] [ipa_resolve_callback] (0x0400): [RID#6] Constructed uri 'ldap://ipaserver'
(2024-07-11 12:49:53): [be[realm]] [_write_pipe_handler] (0x0400): [RID#6] All data has been sent!
(2024-07-11 12:49:53): [be[realm]] [_read_pipe_handler] (0x0400): [RID#6] All data received
(2024-07-11 12:49:53): [be[realm]] [sdap_get_generic_ext_step] (0x0400): [RID#6] calling ldap_search_ext with [(&(cn=ipaConfig)(objectClass=ipaGuiConfig))][cn=etc,dc=...].
(2024-07-11 12:49:53): [be[realm]] [sdap_get_generic_op_finished] (0x0400): [RID#6] Search result: Success(0), no errmsg set
(2024-07-11 12:49:53): [be[realm]] [dp_req_done] (0x0400): [RID#6] DP Request [PAM Authenticate #6]: Request handler finished [0]: Success
(2024-07-11 12:49:53): [be[realm]] [_dp_req_recv] (0x0400): [RID#6] DP Request [PAM Authenticate #6]: Receiving request data.
(2024-07-11 12:49:53): [be[realm]] [dp_req_destructor] (0x0400): [RID#6] DP Request [PAM Authenticate #6]: Request removed.
(2024-07-11 12:49:53): [be[realm]] [dp_req_destructor] (0x0400): [RID#6] Number of active DP request: 0
(2024-07-11 12:49:53): [be[realm]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(2024-07-11 12:49:53): [be[realm]] [child_sig_handler] (0x0100): [RID#6] child [2109421] finished successfully.
(2024-07-11 12:49:55): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): domain: realm
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): user: gsobanski@realm
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): rhost:
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): authtok type: 0 (No authentication token available)
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): priv: 0
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): cli_pid: 2109271
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): logon name: not set
(2024-07-11 12:49:55): [be[realm]] [pam_print_data] (0x0100): flags: 0
(2024-07-11 12:49:55): [be[realm]] [dp_attach_req] (0x0400): [RID#7] DP Request [PAM Preauth #7]: REQ_TRACE: New request. [sssd.pam CID #2] Flags [0000].
(2024-07-11 12:49:55): [be[realm]] [dp_attach_req] (0x0400): [RID#7] Number of active DP request: 1
(2024-07-11 12:49:55): [be[realm]] [fo_resolve_service_send] (0x0100): [RID#7] Trying to resolve service 'IPA'
(2024-07-11 12:49:55): [be[realm]] [be_resolve_server_process] (0x0200): [RID#7] Found address for server ipaserver: [V.X.Y.Z] TTL 2652
(2024-07-11 12:49:55): [be[realm]] [_write_pipe_handler] (0x0400): [RID#7] All data has been sent!
(2024-07-11 12:49:55): [be[realm]] [_read_pipe_handler] (0x0400): [RID#7] All data received
(2024-07-11 12:49:55): [be[realm]] [fo_set_port_status] (0x0100): [RID#7] Marking port 0 of server 'ipaserver' as 'working'
(2024-07-11 12:49:55): [be[realm]] [set_server_common_status] (0x0100): [RID#7] Marking server 'ipaserver' as 'working'
(2024-07-11 12:49:55): [be[realm]] [fo_set_port_status] (0x0400): [RID#7] Marking port 0 of duplicate server 'ipaserver' as 'working'
(2024-07-11 12:49:55): [be[realm]] [dp_req_done] (0x0400): [RID#7] DP Request [PAM Preauth #7]: Request handler finished [0]: Success
(2024-07-11 12:49:55): [be[realm]] [_dp_req_recv] (0x0400): [RID#7] DP Request [PAM Preauth #7]: Receiving request data.
(2024-07-11 12:49:55): [be[realm]] [dp_req_destructor] (0x0400): [RID#7] DP Request [PAM Preauth #7]: Request removed.
(2024-07-11 12:49:55): [be[realm]] [dp_req_destructor] (0x0400): [RID#7] Number of active DP request: 0
(2024-07-11 12:49:55): [be[realm]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(2024-07-11 12:49:55): [be[realm]] [child_sig_handler] (0x0100): [RID#7] child [2109427] finished successfully.
==> /var/log/sssd/krb5_child.log <==
(2024-07-11 12:49:50): [krb5_child[2109273]] [main] (0x0400): [RID#5] krb5_child started.
(2024-07-11 12:49:50): [krb5_child[2109273]] [unpack_buffer] (0x0100): [RID#5] cmd [249 (pre-auth)] uid [123456] gid [1002] validate [true] enterprise principal [false] offline [false] UPN [gsobanski@REALM]
(2024-07-11 12:49:50): [krb5_child[2109273]] [unpack_buffer] (0x0100): [RID#5] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_123456_cKvOjo] keytab: [/etc/krb5.keytab]
(2024-07-11 12:49:50): [krb5_child[2109273]] [k5c_setup_fast] (0x0100): [RID#5] Fast principal is set to [host/hostname@REALM]
(2024-07-11 12:49:50): [krb5_child[2109273]] [check_fast_ccache] (0x0200): [RID#5] FAST TGT is still valid.
(2024-07-11 12:49:50): [krb5_child[2109273]] [become_user] (0x0200): [RID#5] Trying to become user [123456][1002].
(2024-07-11 12:49:50): [krb5_child[2109273]] [set_lifetime_options] (0x0100): [RID#5] No specific renewable lifetime requested.
(2024-07-11 12:49:50): [krb5_child[2109273]] [set_lifetime_options] (0x0100): [RID#5] No specific lifetime requested.
(2024-07-11 12:49:50): [krb5_child[2109273]] [set_canonicalize_option] (0x0100): [RID#5] Canonicalization is set to [true]
(2024-07-11 12:49:50): [krb5_child[2109273]] [main] (0x0400): [RID#5] Will perform pre-auth
(2024-07-11 12:49:50): [krb5_child[2109273]] [get_and_save_tgt] (0x0400): [RID#5] Attempting kinit for realm [REALM]
(2024-07-11 12:49:50): [krb5_child[2109273]] [sss_krb5_prompter] (0x0200): [RID#5] Prompter interface isn't used for prompting by SSSD.Returning the expected error [-1765328254/Cannot read password].
(2024-07-11 12:49:50): [krb5_child[2109273]] [sss_krb5_prompter] (0x0200): [RID#5] Prompter interface isn't used for prompting by SSSD.Returning the expected error [-1765328254/Cannot read password].
(2024-07-11 12:49:50): [krb5_child[2109273]] [get_and_save_tgt] (0x0400): [RID#5] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(2024-07-11 12:49:50): [krb5_child[2109273]] [k5c_send_data] (0x0200): [RID#5] Received error code 0
(2024-07-11 12:49:50): [krb5_child[2109273]] [main] (0x0400): [RID#5] krb5_child completed successfully
(2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6] krb5_child started.
(2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x0100): [RID#6] cmd [241 (auth)] uid [123456] gid [1002] validate [true] enterprise principal [false] offline [false] UPN [gsobanski@REALM]
(2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x0100): [RID#6] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_123456_cKvOjo] keytab: [/etc/krb5.keytab]
(2024-07-11 12:49:53): [krb5_child[2109421]] [switch_creds] (0x0200): [RID#6] Switch user to [123456][1002].
(2024-07-11 12:49:53): [krb5_child[2109421]] [switch_creds] (0x0200): [RID#6] Switch user to [0][0].
(2024-07-11 12:49:53): [krb5_child[2109421]] [k5c_setup_fast] (0x0100): [RID#6] Fast principal is set to [host/hostname@REALM]
(2024-07-11 12:49:53): [krb5_child[2109421]] [check_fast_ccache] (0x0200): [RID#6] FAST TGT is still valid.
(2024-07-11 12:49:53): [krb5_child[2109421]] [become_user] (0x0200): [RID#6] Trying to become user [123456][1002].
(2024-07-11 12:49:53): [krb5_child[2109421]] [set_lifetime_options] (0x0100): [RID#6] No specific renewable lifetime requested.
(2024-07-11 12:49:53): [krb5_child[2109421]] [set_lifetime_options] (0x0100): [RID#6] No specific lifetime requested.
(2024-07-11 12:49:53): [krb5_child[2109421]] [set_canonicalize_option] (0x0100): [RID#6] Canonicalization is set to [true]
(2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6] Will perform auth
(2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6] Will perform online auth
(2024-07-11 12:49:53): [krb5_child[2109421]] [get_and_save_tgt] (0x0400): [RID#6] Attempting kinit for realm [REALM]
(2024-07-11 12:49:53): [krb5_child[2109421]] [get_and_save_tgt] (0x0020): [RID#6] 2341: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
- (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6] krb5_child started.
- (2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x1000): [RID#6] total buffer size: [179]
- (2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x0100): [RID#6] cmd [241 (auth)] uid [123456] gid [1002] validate [true] enterprise principal [false] offline [false] UPN [gsobanski@REALM]
- (2024-07-11 12:49:53): [krb5_child[2109421]] [unpack_buffer] (0x0100): [RID#6] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_123456_cKvOjo] keytab: [/etc/krb5.keytab]
- (2024-07-11 12:49:53): [krb5_child[2109421]] [switch_creds] (0x0200): [RID#6] Switch user to [123456][1002].
- (2024-07-11 12:49:53): [krb5_child[2109421]] [switch_creds] (0x0200): [RID#6] Switch user to [0][0].
- (2024-07-11 12:49:53): [krb5_child[2109421]] [k5c_check_old_ccache] (0x4000): [RID#6] Ccache_file is [FILE:/tmp/krb5cc_123456_cKvOjo] and is active and TGT is valid.
- (2024-07-11 12:49:53): [krb5_child[2109421]] [k5c_setup_fast] (0x0100): [RID#6] Fast principal is set to [host/hostname@REALM]
- (2024-07-11 12:49:53): [krb5_child[2109421]] [find_principal_in_keytab] (0x4000): [RID#6] Trying to find principal host/hostname@REALM in keytab.
- (2024-07-11 12:49:53): [krb5_child[2109421]] [match_principal] (0x1000): [RID#6] Principal matched to the sample (host/hostname@REALM).
- (2024-07-11 12:49:53): [krb5_child[2109421]] [check_fast_ccache] (0x0200): [RID#6] FAST TGT is still valid.
- (2024-07-11 12:49:53): [krb5_child[2109421]] [become_user] (0x0200): [RID#6] Trying to become user [123456][1002].
- (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x2000): [RID#6] Running as [123456][1002].
- (2024-07-11 12:49:53): [krb5_child[2109421]] [set_lifetime_options] (0x0100): [RID#6] No specific renewable lifetime requested.
- (2024-07-11 12:49:53): [krb5_child[2109421]] [set_lifetime_options] (0x0100): [RID#6] No specific lifetime requested.
- (2024-07-11 12:49:53): [krb5_child[2109421]] [set_canonicalize_option] (0x0100): [RID#6] Canonicalization is set to [true]
- (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6] Will perform auth
- (2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6] Will perform online auth
- (2024-07-11 12:49:53): [krb5_child[2109421]] [tgt_req_child] (0x1000): [RID#6] Attempting to get a TGT
- (2024-07-11 12:49:53): [krb5_child[2109421]] [get_and_save_tgt] (0x0400): [RID#6] Attempting kinit for realm [REALM]
- (2024-07-11 12:49:53): [krb5_child[2109421]] [sss_krb5_responder] (0x4000): [RID#6] Got question [otp].
- (2024-07-11 12:49:53): [krb5_child[2109421]] [get_and_save_tgt] (0x0020): [RID#6] 2341: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-07-11 12:49:53): [krb5_child[2109421]] [map_krb5_error] (0x0020): [RID#6] 2470: [-1765328360][Preauthentication failed]
(2024-07-11 12:49:53): [krb5_child[2109421]] [k5c_send_data] (0x0200): [RID#6] Received error code 1432158222
(2024-07-11 12:49:53): [krb5_child[2109421]] [main] (0x0400): [RID#6] krb5_child completed successfully
(2024-07-11 12:49:55): [krb5_child[2109427]] [main] (0x0400): [RID#7] krb5_child started.
(2024-07-11 12:49:55): [krb5_child[2109427]] [unpack_buffer] (0x0100): [RID#7] cmd [249 (pre-auth)] uid [123456] gid [1002] validate [true] enterprise principal [false] offline [false] UPN [gsobanski@REALM]
(2024-07-11 12:49:55): [krb5_child[2109427]] [unpack_buffer] (0x0100): [RID#7] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_123456_cKvOjo] keytab: [/etc/krb5.keytab]
(2024-07-11 12:49:55): [krb5_child[2109427]] [k5c_setup_fast] (0x0100): [RID#7] Fast principal is set to [host/hostname@REALM]
(2024-07-11 12:49:55): [krb5_child[2109427]] [check_fast_ccache] (0x0200): [RID#7] FAST TGT is still valid.
(2024-07-11 12:49:55): [krb5_child[2109427]] [become_user] (0x0200): [RID#7] Trying to become user [123456][1002].
(2024-07-11 12:49:55): [krb5_child[2109427]] [set_lifetime_options] (0x0100): [RID#7] No specific renewable lifetime requested.
(2024-07-11 12:49:55): [krb5_child[2109427]] [set_lifetime_options] (0x0100): [RID#7] No specific lifetime requested.
(2024-07-11 12:49:55): [krb5_child[2109427]] [set_canonicalize_option] (0x0100): [RID#7] Canonicalization is set to [true]
(2024-07-11 12:49:55): [krb5_child[2109427]] [main] (0x0400): [RID#7] Will perform pre-auth
(2024-07-11 12:49:55): [krb5_child[2109427]] [get_and_save_tgt] (0x0400): [RID#7] Attempting kinit for realm [REALM]
(2024-07-11 12:49:55): [krb5_child[2109427]] [sss_krb5_prompter] (0x0200): [RID#7] Prompter interface isn't used for prompting by SSSD.Returning the expected error [-1765328254/Cannot read password].
(2024-07-11 12:49:55): [krb5_child[2109427]] [sss_krb5_prompter] (0x0200): [RID#7] Prompter interface isn't used for prompting by SSSD.Returning the expected error [-1765328254/Cannot read password].
(2024-07-11 12:49:55): [krb5_child[2109427]] [get_and_save_tgt] (0x0400): [RID#7] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(2024-07-11 12:49:55): [krb5_child[2109427]] [k5c_send_data] (0x0200): [RID#7] Received error code 0
(2024-07-11 12:49:55): [krb5_child[2109427]] [main] (0x0400): [RID#7] krb5_child completed successfully
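As an added example (not code from this thread or from SSSD), the following Python correlator reads sssd_realm.log and krb5_child.log entries in the layout quoted above, splits entries that a mail client has run together, groups them by RID, and flags the pattern visible in the failing attempt: an SSS_PAM_AUTHENTICATE request whose token was packed as authtok type 6 (two factors in a single string) and that the KDC rejected with "Preauthentication failed" after the otp question. The sample lines are constructed from the log format above and the function names are my own.

```python
"""Correlate SSSD debug_level 9 entries from sssd_<domain>.log and krb5_child.log
by request id (RID) and flag the failure pattern discussed in this thread."""
import re
from collections import defaultdict

# One entry, e.g.
#   (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
# The "[RID#n] " tag is optional: pam_print_data lines carry none.
ENTRY_RE = re.compile(
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\): "
    r"\[(?P<proc>\w+(?:\[[^\]]*\])?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)"
)
# Mail clients (and the thread above) run consecutive entries together on one
# line; split just before each "(YYYY-MM-DD hh:mm:ss): " timestamp. This also
# separates the "- " prefix SSSD puts in front of backtrace lines.
SPLIT_RE = re.compile(r"(?=\(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\): )")


def parse_entries(text):
    """Yield one dict per entry; chunks that are not entries (tail-style
    '==> file <==' headers, backtrace banners) are skipped."""
    for line in text.splitlines():
        for chunk in SPLIT_RE.split(line):
            m = ENTRY_RE.match(chunk.strip())
            if m:
                yield m.groupdict()


def correlate(entries):
    """Group entries by RID. The pam_print_data block that follows
    'Got request with the following data' carries no RID, so its command and
    authtok type are attached to the first RID-tagged entry that follows it."""
    reqs = defaultdict(lambda: {"command": None, "authtok": None,
                                "questions": [], "preauth_failed": False})
    pending = {}
    for e in entries:
        msg = e["msg"]
        if e["func"] == "dp_pam_handler_send":
            pending = {}
        elif e["func"] == "pam_print_data":
            key, _, val = msg.partition(": ")
            if key == "command":
                pending["command"] = val
            elif key == "authtok type":   # e.g. "6 (Two factors in a single string)"
                pending["authtok"] = int(val.split()[0])
        elif e["rid"] is not None:
            r = reqs[int(e["rid"])]
            if pending and r["command"] is None:
                r.update(pending)
                pending = {}
            q = re.fullmatch(r"Got question \[(\w+)\]\.", msg)
            if q:
                r["questions"].append(q.group(1))
            if "Preauthentication failed" in msg:
                r["preauth_failed"] = True
    return dict(reqs)


def forced_2fa_failures(reqs):
    """RIDs matching the thread's symptom: an authenticate request whose token
    was packed as type 6 (two factors in a single string) and that the KDC
    rejected with 'Preauthentication failed' after asking the otp question."""
    return sorted(rid for rid, r in reqs.items()
                  if r["command"] == "SSS_PAM_AUTHENTICATE"
                  and r["authtok"] == 6
                  and "otp" in r["questions"]
                  and r["preauth_failed"])


def analyze(text):
    return forced_2fa_failures(correlate(parse_entries(text)))


# Constructed sample in the layout of the logs quoted above (two entries run
# together on one line, a tail-style header, a '- ' backtrace line).
SAMPLE = """\
==> /var/log/sssd/sssd_realm.log <==
(2024-07-11 12:49:50): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the following data (2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH
(2024-07-11 12:49:50): [be[realm]] [pam_print_data] (0x0100): authtok type: 0 (No authentication token available)
(2024-07-11 12:49:50): [be[realm]] [dp_attach_req] (0x0400): [RID#5] DP Request [PAM Preauth #5]: REQ_TRACE: New request.
(2024-07-11 12:49:53): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the following data (2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2024-07-11 12:49:53): [be[realm]] [pam_print_data] (0x0100): authtok type: 6 (Two factors in a single string)
(2024-07-11 12:49:53): [be[realm]] [dp_attach_req] (0x0400): [RID#6] DP Request [PAM Authenticate #6]: REQ_TRACE: New request.
==> /var/log/sssd/krb5_child.log <==
(2024-07-11 12:49:50): [krb5_child[2109273]] [get_and_save_tgt] (0x0400): [RID#5] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
- (2024-07-11 12:49:53): [krb5_child[2109421]] [sss_krb5_responder] (0x4000): [RID#6] Got question [otp].
(2024-07-11 12:49:53): [krb5_child[2109421]] [get_and_save_tgt] (0x0020): [RID#6] 2341: [-1765328360][Preauthentication failed]
"""

if __name__ == "__main__":
    for rid, r in sorted(correlate(parse_entries(SAMPLE)).items()):
        print(f"RID#{rid}: {r}")
    print("requests showing the forced-2FA failure:", analyze(SAMPLE))
```

Feed it the concatenated output of the two log files (or a mail body with the entries run together) to get the RIDs of the attempts that failed this way; a PREAUTH request, which legitimately ends in "Cannot read password", is never flagged.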
On 11/07/2024 16:30, Sumit Bose wrote:
Hi, yes, this patch fixes the issue. Thanks!
If you would like me to test anything more, it will have to wait 2 weeks, as I'm going on vacation.
Cheers, Grzegorz
On Fri, Jul 12, 2024 at 12:20:57PM +0200, Grzegorz Sobanski wrote:
Hi, yes, this patch fixes the issue. Thanks!
Hi,
thank you for testing, I opened https://github.com/SSSD/sssd/pull/7492 with the fix.
If you would like me to test anything more, it will have to wait 2 weeks, as I'm going on vacation.
As long as you don't find any new issues I won't need anything more :-).
bye, Sumit
Cheers, Grzegorz