On Fri, Jun 21, 2024 at 11:47:54AM +0000, Grzegorz Sobański wrote:
On Tue, Jun 18, 2024 at 10:14:29AM +0000, Grzegorz Sobański wrote:
Hi, after updating Rocky Linux from 9.3 to 9.4 sssd started to enforce 2FA for our sudo configuration, while before it was optional, and we can’t find why it changed. We downgraded sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we are sure it’s because of the sssd version change from 2.9.1->2.9.4, all other configuration is the same.
I looked through changelogs and skimmed through the list of commits, but I couldn’t find anything obvious that should change this. Has anyone seen something similar? Do you know if it’s a result of an intended change or some side-effect of other changes? Or a bug?
We are using IPA as Kerberos provider, users do have OTP set up. Up to 2.9.1 sudoing worked either with only password or password+otp. On 2.9.4 (and 2.9.5) sudoing is not working with only password, both password+otp are required.
Hi,
this might be related to https://github.com/SSSD/sssd/issues/7152 but this should be fixed in 2.9.5. Would it be possible to send full debug logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...] section of sssd.conf covering a failed login attempt?
Hi, I attach full debug logs with level 9 from sssd 2.9.5.
Hi,
thanks for the logs, please find a test build which should fix the issue at https://sbose.fedorapeople.org/otp_password/sssd-2.9.4-6.el9_4.1sb1.tar.gz. Please let me know if it works for you or not.
If you don't mind it would be nice if you can open a ticket for this issue at https://github.com/SSSD/sssd/issues/new.
Thanks.
bye, Sumit
Bye, Grzegorz
-- _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Hi, Thanks for working on this. Could you please share a source diff for this change? We can’t use this private build - we will need to build it ourselves.
Regards,
Grzegorz
www.payu.com

From: Sumit Bose sbose@redhat.com
Date: Friday, 21 June 2024 at 16:18
To: End-user discussions about the System Security Services Daemon sssd-users@lists.fedorahosted.org
Subject: External : [SSSD-users] Re: 2FA is being enforced after upgrading 2.9.1->2.9.4
On Fri, Jun 21, 2024 at 11:47:54AM +0000, Grzegorz Sobański wrote:
On Tue, Jun 18, 2024 at 10:14:29AM +0000, Grzegorz Sobański wrote:
Hi, after updating Rocky Linux from 9.3 to 9.4 sssd started to enforce 2FA for our sudo configuration, while before it was optional, and we can’t find why it changed. We downgraded sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we are sure it’s because of the sssd version change from 2.9.1->2.9.4, all other configuration is the same.
I looked through changelogs and skimmed through the list of commits, but I couldn’t find anything obvious that should change this. Has anyone seen something similar? Do you know if it’s a result of an intended change or some side-effect of other changes? Or a bug?
We are using IPA as Kerberos provider, users do have OTP set up. Up to 2.9.1 sudoing worked either with only password or password+otp. On 2.9.4 (and 2.9.5) sudoing is not working with only password, both password+otp are required.
Hi,
this might be related to https://github.com/SSSD/sssd/issues/7152 but this should be fixed in 2.9.5. Would it be possible to send full debug logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...] section of sssd.conf covering a failed login attempt?
Hi, I attach full debug logs with level 9 from sssd 2.9.5.
Hi,
thanks for the logs, please find a test build which should fix the issue at https://sbose.fedorapeople.org/otp_password/sssd-2.9.4-6.el9_4.1sb1.tar.gz. Please let me know if it works for you or not.
If you don't mind it would be nice if you can open a ticket for this issue at https://github.com/SSSD/sssd/issues/new.
Thanks.
bye, Sumit
Bye, Grzegorz