> On Tue, Jun 18, 2024 at 10:14:29AM +0000, Grzegorz Sobański wrote:

> > Hi,

> > after updating Rocky Linux from 9.3 to 9.4, sssd started to enforce 2FA for our sudo configuration, while before it was optional, and we can’t find why it changed.

> > We downgraded sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we are sure it’s because of the sssd version change from 2.9.1->2.9.4; all other configuration is the same.

> >

> > I looked through changelogs and skimmed through the list of commits, but I couldn’t find anything obvious that should change this. Has anyone seen something similar? Do you know if it’s a result of an intended change or some side-effect of other changes? Or a bug?

> >

> > We are using IPA as Kerberos provider, users do have OTP set up.

> > Up to 2.9.1 sudoing worked either with only password or password+otp.

> > On 2.9.4 (and 2.9.5) sudoing is not working with only password, both password+otp are required.

>

> Hi,

>

> this might be related to https://github.com/SSSD/sssd/issues/7152 but
> this should be fixed in 2.9.5. Would it be possible to send full debug
> logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...]
> section of sssd.conf covering a failed login attempt?

 

Hi,

I attach full debug logs with level 9 from sssd 2.9.5.

 

Bye,

Grzegorz