On Tue, Jun 18, 2024 at 10:14:29AM +0000, Grzegorz Sobański wrote:
Hi, after updating Rocky Linux from 9.3 to 9.4, sssd started to enforce 2FA for our sudo configuration, while before it was optional, and we can’t find why it changed. We downgraded the sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being optional, so we are sure it’s because of the sssd version change from 2.9.1 to 2.9.4; all other configuration is the same.
I looked through the changelogs and skimmed through the list of commits, but I couldn’t find anything obvious that should change this. Has anyone seen something similar? Do you know if it’s a result of an intended change or a side-effect of other changes? Or a bug?
We are using IPA as the Kerberos provider, and users do have OTP set up. Up to 2.9.1 sudoing worked either with only the password or with password+otp. On 2.9.4 (and 2.9.5) sudoing is not working with only the password; both password and otp are required.
Hi,
this might be related to https://github.com/SSSD/sssd/issues/7152 but this should be fixed in 2.9.5. Would it be possible to send full debug logs for sssd-2.9.5 with `debug_level = 9` at least in the [domain/...] section of sssd.conf covering a failed login attempt?
Thanks
bye, Sumit
I attach excerpts from the logs; they are similar for both 2.9.1 and 2.9.4, with one difference standing out. On 2.9.1:
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): [RID#729] Prompter interface isn't used for password prompts by SSSD.
On 2.9.4:
- (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): [RID#38] Got question [otp].
Although one is in the log lines and the other in the backtrace.
Logs: On 2.9.1:
(2024-06-17 12:07:45): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): domain: realm
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): user: gsobanski@realm
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): rhost:
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): priv: 0
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): cli_pid: 3400909
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): logon name: not set
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): flags: 0
[...]
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] Will perform auth
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] Will perform online auth
(2024-06-17 12:07:45): [krb5_child[3400913]] [get_and_save_tgt] (0x0400): [RID#729] Attempting kinit for realm [realm]
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): [RID#729] Prompter interface isn't used for password prompts by SSSD.
(2024-06-17 12:07:45): [krb5_child[3400913]] [validate_tgt] (0x0400): [RID#729] TGT verified using key for [host/hostname@realm].
(2024-06-17 12:07:45): [krb5_child[3400913]] [safe_remove_old_ccache_file] (0x0400): [RID#729] New and old ccache file are the same, none will be deleted.
(2024-06-17 12:07:45): [krb5_child[3400913]] [k5c_send_data] (0x0200): [RID#729] Received error code 0
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] krb5_child completed successfully
On 2.9.4:
(2024-06-17 12:12:23): [be[realm]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): domain: realm
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): user: gsobanski@realm
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): rhost:
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 0 (No authentication token available)
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): priv: 0
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): cli_pid: 1757901
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): logon name: not set
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): flags: 0
[...]
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform auth
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform online auth
(2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0400): [RID#38] Attempting kinit for realm [realm]
(2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38] 2367: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
- (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] krb5_child started.
- (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x1000): [RID#38] total buffer size: [179]
- (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x0100): [RID#38] cmd [241 (auth)] uid [123456] gid [1002] validate [true] enterprise principal [false] offline [false] UPN [gsobanski@realm]
- (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x0100): [RID#38] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_123456_3UVHOp] keytab: [/etc/krb5.keytab]
- (2024-06-17 12:12:23): [krb5_child[1757979]] [switch_creds] (0x0200): [RID#38] Switch user to [123456][1002].
- (2024-06-17 12:12:23): [krb5_child[1757979]] [switch_creds] (0x0200): [RID#38] Switch user to [0][0].
- (2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_check_old_ccache] (0x4000): [RID#38] Ccache_file is [FILE:/tmp/krb5cc_123456_3UVHOp] and is active and TGT is valid.
- (2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_setup_fast] (0x0100): [RID#38] Fast principal is set to [host/hostname@realm]
- (2024-06-17 12:12:23): [krb5_child[1757979]] [find_principal_in_keytab] (0x4000): [RID#38] Trying to find principal host/hostname@realm in keytab.
- (2024-06-17 12:12:23): [krb5_child[1757979]] [match_principal] (0x1000): [RID#38] Principal matched to the sample (host/hostname@realm).
- (2024-06-17 12:12:23): [krb5_child[1757979]] [check_fast_ccache] (0x0200): [RID#38] FAST TGT is still valid.
- (2024-06-17 12:12:23): [krb5_child[1757979]] [become_user] (0x0200): [RID#38] Trying to become user [123456][1002].
- (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x2000): [RID#38] Running as [123456][1002].
- (2024-06-17 12:12:23): [krb5_child[1757979]] [set_lifetime_options] (0x0100): [RID#38] No specific renewable lifetime requested.
- (2024-06-17 12:12:23): [krb5_child[1757979]] [set_lifetime_options] (0x0100): [RID#38] No specific lifetime requested.
- (2024-06-17 12:12:23): [krb5_child[1757979]] [set_canonicalize_option] (0x0100): [RID#38] Canonicalization is set to [true]
- (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform auth
- (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will perform online auth
- (2024-06-17 12:12:23): [krb5_child[1757979]] [tgt_req_child] (0x1000): [RID#38] Attempting to get a TGT
- (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0400): [RID#38] Attempting kinit for realm [realm]
- (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): [RID#38] Got question [otp].
- (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38] 2367: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-06-17 12:12:23): [krb5_child[1757979]] [map_krb5_error] (0x0040): [RID#38] 2496: [-1765328360][Preauthentication failed]
(2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_send_data] (0x0200): [RID#38] Received error code 1432158222
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] krb5_child completed successfully
Grzegorz Sobański
www.payu.com
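To pick the difference between the two runs out of a full debug_level 9 log rather than by eye, here is an added Python example (not part of the thread and not sssd's own code): it parses sssd debug lines into fields, remembers the PAM authtok type printed by pam_print_data, correlates it with the krb5_child events of the same request id (RID), and reports requests where a password-only token triggered the otp responder question and then a preauthentication failure. It assumes the pam_print_data lines precede the krb5_child lines of the same request, as they do in the excerpts; the sample lines are constructed from those excerpts.

```python
import re
from collections import defaultdict

# One sssd debug line: "(ts): [component[pid]] [function] (level): [RID#n] msg";
# backtrace lines carry a leading "- " which is stripped before matching.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<comp>\w+\[[^\]]*\])\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-f]+)\): (?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$"
)

def parse_line(line):
    """Split one sssd log line into fields; None if it is not a log line."""
    m = LINE_RE.match(line.strip().lstrip("- ").strip())
    return m.groupdict() if m else None

def summarize_auth(lines):
    """Per RID: PAM authtok type in force, otp question seen, preauth failed."""
    current_authtok = None  # pam_print_data lines carry no RID, so rely on order
    seen = defaultdict(lambda: dict(authtok=None, otp_question=False, preauth_failed=False))
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["func"] == "pam_print_data" and msg.startswith("authtok type:"):
            current_authtok = msg.split(":", 1)[1].strip()
        elif rec["rid"] is not None:
            entry = seen[rec["rid"]]
            entry["authtok"] = entry["authtok"] or current_authtok
            entry["otp_question"] |= rec["func"] == "sss_krb5_responder" and "[otp]" in msg
            entry["preauth_failed"] |= "Preauthentication failed" in msg
    return dict(seen)

def password_only_rejected(lines):
    """RIDs where a password-only token (type 1) met the otp question and preauth failed."""
    return sorted(rid for rid, e in summarize_auth(lines).items()
                  if (e["authtok"] or "").startswith("1 ") and e["otp_question"] and e["preauth_failed"])

# Constructed sample lines, modelled on the 2.9.4 and 2.9.1 excerpts in the thread.
SAMPLE_294 = """\
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0400): [RID#38] Attempting kinit for realm [realm]
- (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): [RID#38] Got question [otp].
- (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): [RID#38] 2367: [-1765328360][Preauthentication failed]
""".splitlines()
SAMPLE_291 = """\
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 (Password)
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): [RID#729] Prompter interface isn't used for password prompts by SSSD.
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] krb5_child completed successfully
""".splitlines()
```

Run `password_only_rejected` over the krb5_child and backend log files of a failed sudo attempt; on the 2.9.4 sample it returns ["38"], on the 2.9.1 sample nothing.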
Hi, I attach full debug logs with level 9 from sssd 2.9.5.
Bye, Grzegorz