Hi,
All 2FA-enabled users are now required to use 2FA after our EL9 clients were updated to EL 9.4.
Downgrading sssd from sssd-2.9.4-6.el9_4.x86_64 to sssd-2.9.4-2.el9.x86_64 fixes the issue, so the error happened somewhere between these two releases.
No "Authentication indicators" have been configured for the hosts in question. It is reproducible across all our EL9 machines.
In the krb5_child.log the following backtrace is logged when a 2FA-enabled user tries to use sudo. This backtrace does not happen on an EL9 client where sssd has been downgraded.
==> krb5_child.log <==
(2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [ipausername@IPADOMAIN.NET]
(2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
(2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [693200437][693200437].
(2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [0][0].
(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_setup_fast] (0x0100): [RID#1047] Fast principal is set to [host/host.domain.net@IPADOMAIN.NET]
(2024-05-27 20:07:57): [krb5_child[478251]] [check_fast_ccache] (0x0200): [RID#1047] FAST TGT is still valid.
(2024-05-27 20:07:57): [krb5_child[478251]] [become_user] (0x0200): [RID#1047] Trying to become user [693200437][693200437].
(2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific renewable lifetime requested.
(2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific lifetime requested.
(2024-05-27 20:07:57): [krb5_child[478251]] [set_canonicalize_option] (0x0100): [RID#1047] Canonicalization is set to [true]
(2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] krb5_child started.
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x1000): [RID#1047] total buffer size: [115]
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [ipausername@IPADOMAIN.NET]
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [693200437][693200437].
* (2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [0][0].
* (2024-05-27 20:07:57): [krb5_child[478251]] [k5c_check_old_ccache] (0x4000): [RID#1047] Ccache_file is [KCM:] and is active and TGT is valid.
* (2024-05-27 20:07:57): [krb5_child[478251]] [k5c_setup_fast] (0x0100): [RID#1047] Fast principal is set to [host/host.domain.net@IPADOMAIN.NET]
* (2024-05-27 20:07:57): [krb5_child[478251]] [find_principal_in_keytab] (0x4000): [RID#1047] Trying to find principal host/host.domain.net@IPADOMAIN.NET in keytab.
* (2024-05-27 20:07:57): [krb5_child[478251]] [match_principal] (0x1000): [RID#1047] Principal matched to the sample (host/host.domain.net@IPADOMAIN.NET).
* (2024-05-27 20:07:57): [krb5_child[478251]] [check_fast_ccache] (0x0200): [RID#1047] FAST TGT is still valid.
* (2024-05-27 20:07:57): [krb5_child[478251]] [become_user] (0x0200): [RID#1047] Trying to become user [693200437][693200437].
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x2000): [RID#1047] Running as [693200437][693200437].
* (2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific renewable lifetime requested.
* (2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific lifetime requested.
* (2024-05-27 20:07:57): [krb5_child[478251]] [set_canonicalize_option] (0x0100): [RID#1047] Canonicalization is set to [true]
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] Will perform auth
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] Will perform online auth
* (2024-05-27 20:07:57): [krb5_child[478251]] [tgt_req_child] (0x1000): [RID#1047] Attempting to get a TGT
* (2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0400): [RID#1047] Attempting kinit for realm [IPADOMAIN.NET]
* (2024-05-27 20:07:57): [krb5_child[478251]] [sss_krb5_responder] (0x4000): [RID#1047] Got question [otp].
* (2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-05-27 20:07:57): [krb5_child[478251]] [map_krb5_error] (0x0020): [RID#1047] 2479: [-1765328360][Preauthentication failed]
(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_send_data] (0x0200): [RID#1047] Received error code 1432158222
Is this a known issue?
Regards, Siggi
freeipa-users@lists.fedorahosted.org
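The log above interleaves the normal entries with a backtrace dump, and on a busy host several requests share the file, which makes it tedious to confirm by eye which requests hit the OTP-then-preauth-failed pattern. The following triage script is an added example for this thread, not code from sssd or FreeIPA: it groups krb5_child.log entries by request ID (RID), records the UPN, any responder question (such as the [otp] one above), the final krb5 error and the code passed to k5c_send_data, and lists the RIDs where an OTP question was followed by KRB5KDC_ERR_PREAUTH_FAILED (-1765328360, the MIT krb5 code in the log). The RID#1047 sample lines are taken from the post; the RID#1048 lines are a constructed, hypothetical success case added for contrast.

```python
"""Triage helper for sssd krb5_child.log (added example, not part of sssd/FreeIPA).

Groups entries by RID and flags requests that got an [otp] responder question
and then failed Kerberos preauthentication.
"""
import re
import sys
from collections import OrderedDict

# One krb5_child.log entry. Lines inside a backtrace dump carry a leading "* ".
ENTRY_RE = re.compile(
    r"^\*?\s*\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"\[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
UPN_RE = re.compile(r"uid \[(?P<uid>\d+)\].*UPN \[(?P<upn>[^\]]+)\]")
QUESTION_RE = re.compile(r"Got question \[(?P<q>[^\]]+)\]")
KRB5_ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")
SSSD_ERR_RE = re.compile(r"Received error code (?P<code>\d+)")

KRB5KDC_ERR_PREAUTH_FAILED = -1765328360  # MIT krb5 error code seen in the post

# RID#1047 lines are from the post; RID#1048 is a constructed success case.
SAMPLE_LOG = """\
(2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [ipausername@IPADOMAIN.NET]
(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_setup_fast] (0x0100): [RID#1047] Fast principal is set to [host/host.domain.net@IPADOMAIN.NET]
(2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [ipausername@IPADOMAIN.NET]
* (2024-05-27 20:07:57): [krb5_child[478251]] [sss_krb5_responder] (0x4000): [RID#1047] Got question [otp].
* (2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
(2024-05-27 20:07:57): [krb5_child[478251]] [map_krb5_error] (0x0020): [RID#1047] 2479: [-1765328360][Preauthentication failed]
(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_send_data] (0x0200): [RID#1047] Received error code 1432158222
(2024-05-27 20:08:10): [krb5_child[478260]] [unpack_buffer] (0x0100): [RID#1048] cmd [241 (auth)] uid [1001] gid [1001] validate [true] enterprise principal [false] offline [false] UPN [otheruser@IPADOMAIN.NET]
(2024-05-27 20:08:10): [krb5_child[478260]] [get_and_save_tgt] (0x0400): [RID#1048] Attempting kinit for realm [IPADOMAIN.NET]
(2024-05-27 20:08:10): [krb5_child[478260]] [k5c_send_data] (0x0200): [RID#1048] Received error code 0
"""


def parse_entries(text):
    """Yield (rid, func, msg) for every parseable line; other lines are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("rid"), m.group("func"), m.group("msg")


def summarize(text):
    """Return an ordered dict RID -> summary of that authentication request."""
    reqs = OrderedDict()
    for rid, func, msg in parse_entries(text):
        r = reqs.setdefault(rid, {"uid": None, "upn": None, "questions": [],
                                  "krb5_code": None, "krb5_text": None,
                                  "sssd_code": None})
        if func == "unpack_buffer":
            m = UPN_RE.search(msg)
            if m:
                r["uid"], r["upn"] = int(m.group("uid")), m.group("upn")
        elif func == "sss_krb5_responder":
            m = QUESTION_RE.search(msg)
            # The backtrace dump repeats entries, so keep each question once.
            if m and m.group("q") not in r["questions"]:
                r["questions"].append(m.group("q"))
        elif func in ("get_and_save_tgt", "map_krb5_error"):
            m = KRB5_ERR_RE.search(msg)
            if m:
                r["krb5_code"], r["krb5_text"] = int(m.group("code")), m.group("text")
        elif func == "k5c_send_data":
            m = SSSD_ERR_RE.search(msg)
            if m:
                r["sssd_code"] = int(m.group("code"))
    for r in reqs.values():
        r["preauth_failed"] = r["krb5_code"] == KRB5KDC_ERR_PREAUTH_FAILED
    return reqs


def otp_preauth_failures(text):
    """RIDs where the KDC asked for an OTP and preauthentication then failed."""
    return [rid for rid, r in summarize(text).items()
            if "otp" in r["questions"] and r["preauth_failed"]]


if __name__ == "__main__":
    # Usage: python3 triage.py /var/log/sssd/krb5_child.log  (defaults to the sample)
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for rid, r in summarize(log).items():
        print(f"RID#{rid} {r['upn']} questions={r['questions']} "
              f"krb5={r['krb5_code']} ({r['krb5_text']}) sssd={r['sssd_code']}")
    print("OTP preauth failures:", otp_preauth_failures(log))
```

Run it against the real file with debug_level 9 or higher in the [domain/...] section so the responder question lines are logged; comparing the list of flagged RIDs on a client with sssd-2.9.4-6.el9_4 against one downgraded to sssd-2.9.4-2.el9 gives a quick per-user confirmation of the behaviour described above, without reading the backtrace dumps by hand.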