Hi,
All 2FA-enabled users are now required to use 2FA after our EL9 clients were updated to EL 9.4.
Downgrading sssd from sssd-2.9.4-6.el9_4.x86_64 to sssd-2.9.4-2.el9.x86_64 fixes the issue, so the error happened somewhere between these two releases.
No "Authentication indicators" have been configured for the hosts in question. It is reproducible across all our EL9 machines.
In the krb5_child.log the following backtrace is logged when a 2FA-enabled user tries to use sudo. This backtrace does not happen on EL9 clients where sssd has been downgraded.
==> krb5_child.log <==
(2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [ipausername@IPADOMAIN.NET]
(2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
(2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [693200437][693200437].
(2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [0][0].
(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_setup_fast] (0x0100): [RID#1047] Fast principal is set to [host/host.domain.net@IPADOMAIN.NET]
(2024-05-27 20:07:57): [krb5_child[478251]] [check_fast_ccache] (0x0200): [RID#1047] FAST TGT is still valid.
(2024-05-27 20:07:57): [krb5_child[478251]] [become_user] (0x0200): [RID#1047] Trying to become user [693200437][693200437].
(2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific renewable lifetime requested.
(2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific lifetime requested.
(2024-05-27 20:07:57): [krb5_child[478251]] [set_canonicalize_option] (0x0100): [RID#1047] Canonicalization is set to [true]
(2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] krb5_child started.
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x1000): [RID#1047] total buffer size: [115]
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [ipausername@IPADOMAIN.NET]
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [693200437][693200437].
* (2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [0][0].
* (2024-05-27 20:07:57): [krb5_child[478251]] [k5c_check_old_ccache] (0x4000): [RID#1047] Ccache_file is [KCM:] and is active and TGT is valid.
* (2024-05-27 20:07:57): [krb5_child[478251]] [k5c_setup_fast] (0x0100): [RID#1047] Fast principal is set to [host/host.domain.net@IPADOMAIN.NET]
* (2024-05-27 20:07:57): [krb5_child[478251]] [find_principal_in_keytab] (0x4000): [RID#1047] Trying to find principal host/host.domain.net@IPADOMAIN.NET in keytab.
* (2024-05-27 20:07:57): [krb5_child[478251]] [match_principal] (0x1000): [RID#1047] Principal matched to the sample (host/host.domain.net@IPADOMAIN.NET).
* (2024-05-27 20:07:57): [krb5_child[478251]] [check_fast_ccache] (0x0200): [RID#1047] FAST TGT is still valid.
* (2024-05-27 20:07:57): [krb5_child[478251]] [become_user] (0x0200): [RID#1047] Trying to become user [693200437][693200437].
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x2000): [RID#1047] Running as [693200437][693200437].
* (2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific renewable lifetime requested.
* (2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific lifetime requested.
* (2024-05-27 20:07:57): [krb5_child[478251]] [set_canonicalize_option] (0x0100): [RID#1047] Canonicalization is set to [true]
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] Will perform auth
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] Will perform online auth
* (2024-05-27 20:07:57): [krb5_child[478251]] [tgt_req_child] (0x1000): [RID#1047] Attempting to get a TGT
* (2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0400): [RID#1047] Attempting kinit for realm [IPADOMAIN.NET]
* (2024-05-27 20:07:57): [krb5_child[478251]] [sss_krb5_responder] (0x4000): [RID#1047] Got question [otp].
* (2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-05-27 20:07:57): [krb5_child[478251]] [map_krb5_error] (0x0020): [RID#1047] 2479: [-1765328360][Preauthentication failed]
(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_send_data] (0x0200): [RID#1047] Received error code 1432158222
Is this a known issue?
Regards,
Siggi
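As an added triage example (editor's code, not part of Siggi's post and not SSSD's own tooling): the pattern worth isolating in a krb5_child.log like the one above is a request where the KDC asked the SSSD responder for an [otp] and then rejected pre-authentication, while other requests on the same host go through. The script below groups krb5_child.log entries by RID, records the FAST principal, the responder questions, the Kerberos error (-1765328360 is KRB5KDC_ERR_PREAUTH_FAILED, 24 above libkrb5's com_err base) and the SSSD error code handed back to the backend (1432158222 is 14 above SSSD's ERR_BASE 0x555D0000), and flags RIDs showing the 2FA-then-preauth-failed sequence. The sample lines are a trimmed copy of the log in the post with the archive's "(a)" restored to "@"; RID#1048 is a constructed password-only request added so that the filter has something not to flag.

```python
"""Triage helper for SSSD krb5_child.log (added example, not SSSD code).

Groups entries by request id (RID), records the FAST principal, the responder
questions the KDC asked (e.g. [otp]) and the Kerberos / SSSD error codes, and
flags requests where a 2FA prompt was followed by a pre-auth failure."""
import re
from collections import defaultdict

# One krb5_child.log entry; lines inside a backtrace dump carry a leading "* ".
ENTRY_RE = re.compile(
    r"^\*?\s*\((?P<ts>[^)]+)\):\s*\[(?P<proc>\w+\[\d+\])\]\s*\[(?P<func>\w+)\]\s*"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*(?:\[RID#(?P<rid>\d+)\]\s*)?(?P<msg>.*)$"
)
KRB5_ERR_RE = re.compile(r"^\d+:\s*\[(?P<code>-?\d+)\]\[(?P<text>[^\]]*)\]")
QUESTION_RE = re.compile(r"Got question \[(?P<q>\w+)\]")
FAST_RE = re.compile(r"Fast principal is set to \[(?P<p>[^\]]+)\]")
UPN_RE = re.compile(r"UPN \[(?P<upn>[^\]]+)\]")
SSSD_ERR_RE = re.compile(r"Received error code (?P<code>\d+)")

# com_err base of libkrb5's error table; the KDC codes follow RFC 4120 numbering.
KRB5_ERROR_BASE = -1765328384
KRB5_KDC_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KRB5KDC_ERR_CLIENT_REVOKED",
    23: "KRB5KDC_ERR_KEY_EXP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}
# SSSD's own errno-style codes are ERR_BASE + n (src/util/util_errors.h).
SSSD_ERR_BASE = 0x555D0000


def krb5_error_name(code: int) -> str:
    offset = code - KRB5_ERROR_BASE
    return KRB5_KDC_ERRORS.get(offset, f"krb5 error offset {offset}")


def sssd_error_offset(code):
    """Offset above SSSD's ERR_BASE, or None for 0 / plain errno values."""
    if code is None or code < SSSD_ERR_BASE:
        return None
    return code - SSSD_ERR_BASE


def parse_entry(line: str):
    """Parse one log line; returns None for banners, tail headers and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["level"] = int(entry["level"], 16)
    entry["backtrace"] = line.lstrip().startswith("*")
    return entry


def summarize(lines):
    """Return {rid: summary}; backtrace dumps repeat earlier entries, so dedupe."""
    reqs = defaultdict(lambda: {"upn": None, "fast_principal": None,
                                "questions": [], "krb5_errors": [],
                                "sssd_error": None})
    seen = set()
    for line in lines:
        e = parse_entry(line)
        if e is None or e["rid"] is None:
            continue
        key = (e["rid"], e["ts"], e["func"], e["level"], e["msg"])
        if key in seen:
            continue
        seen.add(key)
        s, msg = reqs[e["rid"]], e["msg"]
        if (m := FAST_RE.search(msg)):
            s["fast_principal"] = m["p"]
        elif (m := QUESTION_RE.search(msg)):
            s["questions"].append(m["q"])
        elif (m := KRB5_ERR_RE.match(msg)):
            code = int(m["code"])
            s["krb5_errors"].append((code, krb5_error_name(code), e["func"]))
        elif (m := SSSD_ERR_RE.search(msg)):
            s["sssd_error"] = int(m["code"])
        elif (m := UPN_RE.search(msg)):
            s["upn"] = m["upn"]
    return dict(reqs)


def flag_2fa_preauth_failures(summary):
    """RIDs where the responder was asked for an OTP and pre-auth then failed."""
    return sorted(rid for rid, s in summary.items()
                  if "otp" in s["questions"]
                  and any(n == "KRB5KDC_ERR_PREAUTH_FAILED" for _, n, _ in s["krb5_errors"]))


# Trimmed copy of the log in the post (one line per entry, "(a)" -> "@");
# RID#1048 is a constructed password-only request that must not be flagged.
SAMPLE_LOG = [
    "==> krb5_child.log <==",
    "(2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [ipausername@IPADOMAIN.NET]",
    "(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_setup_fast] (0x0100): [RID#1047] Fast principal is set to [host/host.domain.net@IPADOMAIN.NET]",
    "(2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]",
    "********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:",
    "* (2024-05-27 20:07:57): [krb5_child[478251]] [sss_krb5_responder] (0x4000): [RID#1047] Got question [otp].",
    "* (2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]",
    "********************** BACKTRACE DUMP ENDS HERE *********************************",
    "(2024-05-27 20:07:57): [krb5_child[478251]] [map_krb5_error] (0x0020): [RID#1047] 2479: [-1765328360][Preauthentication failed]",
    "(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_send_data] (0x0200): [RID#1047] Received error code 1432158222",
    "(2024-05-27 20:08:12): [krb5_child[478260]] [unpack_buffer] (0x0100): [RID#1048] cmd [241 (auth)] uid [693200438] gid [693200438] validate [true] enterprise principal [true] offline [false] UPN [otheruser@IPADOMAIN.NET]",
    "(2024-05-27 20:08:12): [krb5_child[478260]] [sss_krb5_responder] (0x4000): [RID#1048] Got question [password].",
    "(2024-05-27 20:08:12): [krb5_child[478260]] [k5c_send_data] (0x0200): [RID#1048] Received error code 0",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for rid in flag_2fa_preauth_failures(summary):
        s = summary[rid]
        print(f"RID#{rid} {s['upn']} via FAST {s['fast_principal']}: OTP requested, then "
              f"{s['krb5_errors'][0][1]} (sssd code {s['sssd_error']} = "
              f"ERR_BASE+{sssd_error_offset(s['sssd_error'])})")
```

Run it against the full krb5_child.log from a broken 9.4 host and from a host with the downgraded sssd (with debug_level high enough that the 0x4000 responder entries appear outside backtraces); if only the upgraded host produces flagged RIDs while the FAST principal and UPN lines are identical on both, that narrows the difference to how the newer krb5_child handles the OTP responder round, which is the comparison the post is asking about.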