Hello list!
I'm new to FreeIPA, so probably this is something that has an easy fix but I can't find a way around it.
I have an environment where there are several CentOS 6 and CentOS 7 machines and I'm trying to centralize the user authentication and management, so I installed a cluster of 3 FreeIPA servers for this.
Now, by company policies, it is mandatory to have ssh pubkey authentication and ideally 2FA enabled in all servers (2FA just for sudo in this case), but CentOS 6 is not able to use 2FA because of the old sss/krb versions it provides, so I decided to enable it just in the CentOS 7 servers via auth indicators and they are working fine there!
BUT! When I enroll a CentOS 6 server, I'm facing an issue when the 2FA via OTP Token is enabled in a user account, even if it is not enforced; that is, the "Two factor authentication (password + OTP)" check box is unchecked within the FreeIPA WebAdmin portal in the user account and of course, there is no auth indicators set for the CentOS 6 server.
If I disable the user's OTP Token, or if it is removed from the user account, then I can execute sudo correctly on CentOS 6, but then I can't successfully run any sudo command in any CentOS 7 server (it asks for First/Second factor), and it fails even if I remove the auth indicator on them.
Am I correct to assume that by selectively enabling authentication indicators per host OS version I can implement the solution I want? If so, could anyone tell me what I'm missing here?
With debug_level = 6 in sssd.conf on the CentOS 6 client, this is the relevant output regarding this failure when the OTP Token is enabled:
Jul 5 20:09:07.842 sshd[6883]: Accepted publickey for my.user from 172.30.2.147 port 41876 ssh2
Jul 5 20:09:07.850 sshd[6883]: pam_unix(sshd:session): session opened for user my.user by (uid=0)
Jul 5 20:09:12.828 sudo: pam_unix(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:09:12.898 sudo: pam_sss(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:09:12.898 sudo: pam_sss(sudo:auth): received for user my.user: 17 (Failure setting user credentials)
Jul 5 20:11:40.930 sudo: pam_unix(sudo:auth): conversation failed
Jul 5 20:11:40.930 sudo: pam_unix(sudo:auth): auth could not identify password for [my.user]
Jul 5 20:11:40.975 sudo: pam_sss(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:11:40.975 sudo: pam_sss(sudo:auth): received for user my.user: 7 (Authentication failure)
Jul 5 20:11:40.975 sudo: my.user : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/my.user ; USER=root ; COMMAND=list
These are my IPA/sss/krb versions on CentOS 6.10 servers:
sssd: 1.13.3-60.el6_10.2
ipa-client: 3.0.0-51.el6
krb5: 1.10.3-65.el6
And these are the IPA/sss/krb versions on CentOS 7.6 IPA servers:
sssd: 1.16.2-13.el7_6.8
ipa-server: 4.6.4-10.el7_6.3
krb5-server: 1.15.1-37.el7_6
Thank you very much in advance for any help, regards...
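As an added triage helper (not from the post or from the FreeIPA project), this script parses sudo/pam_sss log lines like the ones quoted above and separates the "received for user ...: 17" case from the plain "7" case per user. The sample lines are reconstructed from the post; the code names are the standard Linux-PAM values PAM_AUTH_ERR = 7 and PAM_CRED_ERR = 17.

```python
import re
from collections import defaultdict

# Constructed sample, built from the sudo/pam_sss lines quoted in the post above.
SAMPLE_LOG = """\
Jul 5 20:09:07.842 sshd[6883]: Accepted publickey for my.user from 172.30.2.147 port 41876 ssh2
Jul 5 20:09:12.898 sudo: pam_sss(sudo:auth): authentication failure; logname=my.user uid=645100025 euid=0 tty=/dev/pts/1 ruser=my.user rhost= user=my.user
Jul 5 20:09:12.898 sudo: pam_sss(sudo:auth): received for user my.user: 17 (Failure setting user credentials)
Jul 5 20:11:40.975 sudo: pam_sss(sudo:auth): received for user my.user: 7 (Authentication failure)
Jul 5 20:11:40.975 sudo: my.user : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/my.user ; USER=root ; COMMAND=list
"""

# Linux-PAM return codes that pam_sss prints in its "received for user" line.
PAM_CODES = {7: "PAM_AUTH_ERR", 17: "PAM_CRED_ERR"}

RECEIVED_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):auth\): received for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)")
SUDO_FAIL_RE = re.compile(r"sudo: (?P<user>\S+) : (?P<n>\d+) incorrect password attempt")


def triage(log_text):
    """Group pam_sss result codes and sudo failure counts per user."""
    report = defaultdict(lambda: {"pam_sss": [], "sudo_failures": 0})
    for line in log_text.splitlines():
        m = RECEIVED_RE.search(line)
        if m:
            code = int(m["code"])
            report[m["user"]]["pam_sss"].append((code, PAM_CODES.get(code, "UNKNOWN"), m["text"]))
            continue
        m = SUDO_FAIL_RE.search(line)
        if m:
            report[m["user"]]["sudo_failures"] += int(m["n"])
    return dict(report)


def classify(entry):
    """Separate credential-setup failures (code 17, which the post sees with an OTP
    token assigned) from plain authentication failures (code 7)."""
    codes = {c for c, _, _ in entry["pam_sss"]}
    if 17 in codes:
        return "credential setup failed (PAM_CRED_ERR): check SSSD/Kerberos/OTP config, not the password"
    if 7 in codes:
        return "authentication failed (PAM_AUTH_ERR): wrong or missing password/second factor"
    return "no pam_sss failure recorded"


if __name__ == "__main__":
    for user, entry in triage(SAMPLE_LOG).items():
        print(user, "sudo failures:", entry["sudo_failures"], "->", classify(entry))
```

Point it at /var/log/secure on the CentOS 6 client to see whether the first failure after enabling the token is a credential-setup error rather than a rejected password.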