On Tue, Jun 18, 2024 at 10:14:29AM +0000, Grzegorz Sobański wrote:
Hi, after updating Rocky Linux from 9.3 to 9.4 sssd started to enforce 2FA for our sudo configuration, while before it was optional, and we can’t find why it changed. We downgraded sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we are sure it’s because of the sssd version change from 2.9.1 to 2.9.4; all other configuration is the same.
I looked through changelogs and skimmed through the list of commits, but I couldn’t find anything obvious that should change this. Has anyone seen something similar? Do you know if it’s a result of an intended change or some side-effect of other changes? Or a bug?
We are using IPA as Kerberos provider, users do have OTP set up. Up to 2.9.1 sudoing worked either with only password or password+otp. On 2.9.4 (and 2.9.5) sudoing is not working with only password; both password+otp are required.
Hi,
this might be related to https://github.com/SSSD/sssd/issues/7152 but this should be fixed in 2.9.5. Would it be possible to send full debug logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...] section of sssd.conf covering a failed login attempt?
Hi, I attach full debug logs with level 9 from sssd 2.9.5.
Bye, Grzegorz