Hi,
after updating Rocky Linux from 9.3 to 9.4, sssd started to enforce 2FA for our sudo
configuration, while before it was optional, and we can't find why it changed.
We downgraded the sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we
are sure it's because of the sssd version change from 2.9.1 to 2.9.4; all other configuration is
the same.
I looked through changelogs and skimmed through the list of commits, but I couldn’t find
anything obvious that should change this. Has anyone seen something similar? Do you know
if it’s a result of an intended change or some side-effect of other changes? Or a bug?
We are using IPA as the Kerberos provider; users do have OTP set up.
Up to 2.9.1, sudoing worked either with only a password or with password+OTP.
On 2.9.4 (and 2.9.5), sudoing does not work with only a password; both password and OTP are
required.
I attach excerpts from the logs; they are similar for both 2.9.1 and 2.9.4, with one
difference standing out:
On 2.9.1:
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): [RID#729]
Prompter interface isn't used for password prompts by SSSD.
On 2.9.4:
* (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): [RID#38]
Got question [otp].
Although one is in the log lines and the other is in a backtrace.
Logs:
On 2.9.1:
(2024-06-17 12:07:45): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the
following data
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): command:
SSS_PAM_AUTHENTICATE
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): domain: realm
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): user: gsobanski@realm
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): rhost:
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 0 (No
authentication token available)
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): priv: 0
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): cli_pid: 3400909
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): logon name: not set
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): flags: 0
[...]
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] Will perform auth
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] Will perform
online auth
(2024-06-17 12:07:45): [krb5_child[3400913]] [get_and_save_tgt] (0x0400): [RID#729]
Attempting kinit for realm [realm]
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): [RID#729]
Prompter interface isn't used for password prompts by SSSD.
(2024-06-17 12:07:45): [krb5_child[3400913]] [validate_tgt] (0x0400): [RID#729] TGT
verified using key for [host/hostname@realm].
(2024-06-17 12:07:45): [krb5_child[3400913]] [safe_remove_old_ccache_file] (0x0400):
[RID#729] New and old ccache file are the same, none will be deleted.
(2024-06-17 12:07:45): [krb5_child[3400913]] [k5c_send_data] (0x0200): [RID#729] Received
error code 0
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] krb5_child
completed successfully
On 2.9.4:
(2024-06-17 12:12:23): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the
following data
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): command:
SSS_PAM_AUTHENTICATE
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): domain: realm
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): user: gsobanski@realm
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): rhost:
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 0 (No
authentication token available)
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): priv: 0
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): cli_pid: 1757901
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): logon name: not set
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): flags: 0
[...]
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform auth
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform online
auth
(2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0400): [RID#38]
Attempting kinit for realm [realm]
(2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38] 2367:
[-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] krb5_child
started.
* (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x1000): [RID#38]
total buffer size: [179]
* (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x0100): [RID#38] cmd
[241 (auth)] uid [123456] gid [1002] validate [true] enterprise principal [false] offline
[false] UPN [gsobanski@realm]
* (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x0100): [RID#38]
ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_123456_3UVHOp]
keytab: [/etc/krb5.keytab]
* (2024-06-17 12:12:23): [krb5_child[1757979]] [switch_creds] (0x0200): [RID#38]
Switch user to [123456][1002].
* (2024-06-17 12:12:23): [krb5_child[1757979]] [switch_creds] (0x0200): [RID#38]
Switch user to [0][0].
* (2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_check_old_ccache] (0x4000):
[RID#38] Ccache_file is [FILE:/tmp/krb5cc_123456_3UVHOp] and is active and TGT is
valid.
* (2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_setup_fast] (0x0100): [RID#38]
Fast principal is set to [host/hostname@realm]
* (2024-06-17 12:12:23): [krb5_child[1757979]] [find_principal_in_keytab] (0x4000):
[RID#38] Trying to find principal host/hostname@realm in keytab.
* (2024-06-17 12:12:23): [krb5_child[1757979]] [match_principal] (0x1000): [RID#38]
Principal matched to the sample (host/hostname@realm).
* (2024-06-17 12:12:23): [krb5_child[1757979]] [check_fast_ccache] (0x0200): [RID#38]
FAST TGT is still valid.
* (2024-06-17 12:12:23): [krb5_child[1757979]] [become_user] (0x0200): [RID#38] Trying
to become user [123456][1002].
* (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x2000): [RID#38] Running as
[123456][1002].
* (2024-06-17 12:12:23): [krb5_child[1757979]] [set_lifetime_options] (0x0100):
[RID#38] No specific renewable lifetime requested.
* (2024-06-17 12:12:23): [krb5_child[1757979]] [set_lifetime_options] (0x0100):
[RID#38] No specific lifetime requested.
* (2024-06-17 12:12:23): [krb5_child[1757979]] [set_canonicalize_option] (0x0100):
[RID#38] Canonicalization is set to [true]
* (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform
auth
* (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform
online auth
* (2024-06-17 12:12:23): [krb5_child[1757979]] [tgt_req_child] (0x1000): [RID#38]
Attempting to get a TGT
* (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0400): [RID#38]
Attempting kinit for realm [realm]
* (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): [RID#38]
Got question [otp].
* (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38]
2367: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-06-17 12:12:23): [krb5_child[1757979]] [map_krb5_error] (0x0040): [RID#38] 2496:
[-1765328360][Preauthentication failed]
(2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_send_data] (0x0200): [RID#38] Received
error code 1432158222
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] krb5_child
completed successfully
Grzegorz Sobański
www.payu.com
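As an added example (not part of the original post or of sssd), a small Python triage script that parses krb5_child debug records in the format quoted above, folds e-mail-wrapped continuation lines back into their record, skips the backtrace banner lines, and reports per request id whether the KDC sent an OTP question via the responder, whether only the unused prompter was seen, whether pre-authentication failed, and the final error code. The sample log is a constructed excerpt modelled on the two traces in the post.

```python
import re
from collections import defaultdict

# sssd debug record: "(ts): [component[pid]] [function] (0xlevel): [RID#n] message";
# a leading "* " marks a line replayed from a backtrace dump.
LINE_RE = re.compile(
    r"^(?:\* )?\((?P<ts>[^)]+)\): \[(?P<comp>[^\[\]]+(?:\[[^\]]*\])?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-f]+)\): (?:\[RID#(?P<rid>\d+)\]\s*)?(?P<msg>.*)$"
)

def parse_sssd_log(text):
    """One dict per record; lines that do not start a record (e-mail wrapping) are folded into the previous message."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("****"):
            continue  # blank lines and BACKTRACE banner lines
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def summarize_auth(records):
    """Per request id: OTP question seen, prompter-only path, preauth failure, and krb5_child's final error code."""
    out = defaultdict(lambda: {"otp_asked": False, "prompter_only": False,
                               "preauth_failed": False, "error_code": None})
    for r in records:
        if r["rid"] is None or not r["comp"].startswith("krb5_child"):
            continue  # only krb5_child records carry the Kerberos exchange
        s, msg, f = out[r["rid"]], r["msg"], r["func"]
        s["otp_asked"] |= (f == "sss_krb5_responder" and "[otp]" in msg)
        s["prompter_only"] |= (f == "sss_krb5_prompter")
        s["preauth_failed"] |= ("Preauthentication failed" in msg)
        code = re.search(r"Received error code (\d+)$", msg)
        if f == "k5c_send_data" and code:
            s["error_code"] = int(code.group(1))
    return dict(out)

# Constructed excerpt modelled on the two traces quoted in the post, not a real capture.
SAMPLE = """
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): [RID#729]
Prompter interface isn't used for password prompts by SSSD.
(2024-06-17 12:07:45): [krb5_child[3400913]] [k5c_send_data] (0x0200): [RID#729] Received error code 0
* (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): [RID#38]
Got question [otp].
* (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38] 2367: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_send_data] (0x0200): [RID#38] Received error code 1432158222
"""
```

Running `summarize_auth(parse_sssd_log(SAMPLE))` on real `krb5_child.log` excerpts from both sssd versions shows at a glance which requests took the responder/OTP path and ended in a pre-authentication failure.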