> Am Tue, Jun 18, 2024 at 10:14:29AM +0000 schrieb Grzegorz Sobañski:
> > Hi,
> > after updating Rocky Linux from 9.3 to 9.4 sssd started to enforce 2FA for our sudo configuration, while before it was optional, and we can’t find why did it change.
> > We downgraded sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we are sure it’s because sssd version change from 2.9.1->2.9.4, all other configuration is the same.
> >
> > I looked through changelogs and skimmed through the list of commits, but I couldn’t find anything obvious that should change this. Has anyone seen something similar? Do you know if it’s a result of an
intended change or some side-effect of other changes? Or a bug?
> >
> > We are using IPA as Kerberos provider, users do have OTP set up.
> > Up to 2.9.1 sudoing worked either with only password or password+otp.
> > On 2.9.4 (and 2.9.5) sudoing is not working with only password, both password+otp are required.
>
> Hi,
>
> this might be related to
https://github.com/SSSD/sssd/issues/7152but
> this should be fixed in 2.9.5. Would it be possible to send full debug
> logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...]
> section of sssd.conf covering a failed login attempt?
Hi,
I attach full debug logs with level 9 from sssd 2.9.5.
Bye,
Grzegorz