Hi,

All 2FA-enabled users are now required to use 2FA after our EL9 clients were updated to EL 9.4.

Downgrading sssd from sssd-2.9.4-6.el9_4.x86_64 to sssd-2.9.4-2.el9.x86_64 fixes the issue, so the error happened somewhere between these two releases. No "Authentication indicators" have been configured for the hosts in question. It is reproducible across all our EL9 machines.

In the krb5_child.log the following backtrace is logged when a 2FA-enabled user tries to use sudo. This backtrace does not happen on an EL9 client where sssd has been downgraded.

==> krb5_child.log <==
(2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [[email protected]]
(2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
(2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [693200437][693200437].
(2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [0][0].
(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_setup_fast] (0x0100): [RID#1047] Fast principal is set to [host/[email protected]]
(2024-05-27 20:07:57): [krb5_child[478251]] [check_fast_ccache] (0x0200): [RID#1047] FAST TGT is still valid.
(2024-05-27 20:07:57): [krb5_child[478251]] [become_user] (0x0200): [RID#1047] Trying to become user [693200437][693200437].
(2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific renewable lifetime requested.
(2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific lifetime requested.
(2024-05-27 20:07:57): [krb5_child[478251]] [set_canonicalize_option] (0x0100): [RID#1047] Canonicalization is set to [true]
(2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] krb5_child started.
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x1000): [RID#1047] total buffer size: [115]
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [[email protected]]
* (2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [693200437][693200437].
* (2024-05-27 20:07:57): [krb5_child[478251]] [switch_creds] (0x0200): [RID#1047] Switch user to [0][0].
* (2024-05-27 20:07:57): [krb5_child[478251]] [k5c_check_old_ccache] (0x4000): [RID#1047] Ccache_file is [KCM:] and is active and TGT is valid.
* (2024-05-27 20:07:57): [krb5_child[478251]] [k5c_setup_fast] (0x0100): [RID#1047] Fast principal is set to [host/[email protected]]
* (2024-05-27 20:07:57): [krb5_child[478251]] [find_principal_in_keytab] (0x4000): [RID#1047] Trying to find principal host/[email protected] in keytab.
* (2024-05-27 20:07:57): [krb5_child[478251]] [match_principal] (0x1000): [RID#1047] Principal matched to the sample (host/[email protected]).
* (2024-05-27 20:07:57): [krb5_child[478251]] [check_fast_ccache] (0x0200): [RID#1047] FAST TGT is still valid.
* (2024-05-27 20:07:57): [krb5_child[478251]] [become_user] (0x0200): [RID#1047] Trying to become user [693200437][693200437].
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x2000): [RID#1047] Running as [693200437][693200437].
* (2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific renewable lifetime requested.
* (2024-05-27 20:07:57): [krb5_child[478251]] [set_lifetime_options] (0x0100): [RID#1047] No specific lifetime requested.
* (2024-05-27 20:07:57): [krb5_child[478251]] [set_canonicalize_option] (0x0100): [RID#1047] Canonicalization is set to [true]
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] Will perform auth
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] Will perform online auth
* (2024-05-27 20:07:57): [krb5_child[478251]] [tgt_req_child] (0x1000): [RID#1047] Attempting to get a TGT
* (2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0400): [RID#1047] Attempting kinit for realm [IPADOMAIN.NET]
* (2024-05-27 20:07:57): [krb5_child[478251]] [sss_krb5_responder] (0x4000): [RID#1047] Got question [otp].
* (2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-05-27 20:07:57): [krb5_child[478251]] [map_krb5_error] (0x0020): [RID#1047] 2479: [-1765328360][Preauthentication failed]
(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_send_data] (0x0200): [RID#1047] Received error code 1432158222

Is this a known issue?

Regards,
Siggi
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
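When a regression like the one in this post has to be confirmed across a fleet, it helps to reduce a krb5_child.log to one record per request (RID) and flag the requests where the responder asked the `otp` question and the KDC then answered "Preauthentication failed". The following Python script is an added example written for this page; it is not code from the post, from SSSD or from FreeIPA. It parses the krb5_child.log line format shown in the post (including the `* ` prefix on replayed backtrace lines), groups lines by RID, and reports the 2FA pre-authentication failures. The sample log is constructed from the post's excerpt, with made-up UPNs and a made-up successful request (RID#1048); the mapping of -1765328360 to KRB5KDC_ERR_PREAUTH_FAILED is from the MIT krb5 error table, while SSSD's own code 1432158222 is reported as-is without a name.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# krb5 error number that krb5_child logs for "Preauthentication failed"
# (MIT krb5 error table: KRB5KDC_ERR_PREAUTH_FAILED).
KRB5KDC_ERR_PREAUTH_FAILED = -1765328360
KRB5_NAMES = {KRB5KDC_ERR_PREAUTH_FAILED: "KRB5KDC_ERR_PREAUTH_FAILED"}

# One krb5_child log line; an optional leading "* " marks lines replayed in a backtrace dump.
LINE_RE = re.compile(
    r"^\*?\s*\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
UID_RE = re.compile(r"\buid \[(?P<uid>\d+)\]")
UPN_RE = re.compile(r"UPN \[(?P<upn>.+)\]\s*$")          # UPN is the last field on the line
QUESTION_RE = re.compile(r"Got question \[(?P<q>[^\]]+)\]")
KRB5_ERR_RE = re.compile(r"\[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")
SSSD_ERR_RE = re.compile(r"Received error code (?P<code>\d+)")

# Constructed sample modelled on the post's excerpt: RID#1047 is the failing 2FA request,
# RID#1048 is a made-up successful request. UPNs are placeholders, not real accounts.
SAMPLE_LOG = """\
(2024-05-27 20:07:57): [krb5_child[478251]] [unpack_buffer] (0x0100): [RID#1047] cmd [241 (auth)] uid [693200437] gid [693200437] validate [true] enterprise principal [true] offline [false] UPN [user1@IPADOMAIN.NET]
(2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2024-05-27 20:07:57): [krb5_child[478251]] [main] (0x0400): [RID#1047] Will perform online auth
* (2024-05-27 20:07:57): [krb5_child[478251]] [sss_krb5_responder] (0x4000): [RID#1047] Got question [otp].
* (2024-05-27 20:07:57): [krb5_child[478251]] [get_and_save_tgt] (0x0020): [RID#1047] 2350: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2024-05-27 20:07:57): [krb5_child[478251]] [map_krb5_error] (0x0020): [RID#1047] 2479: [-1765328360][Preauthentication failed]
(2024-05-27 20:07:57): [krb5_child[478251]] [k5c_send_data] (0x0200): [RID#1047] Received error code 1432158222
(2024-05-27 20:08:10): [krb5_child[478260]] [unpack_buffer] (0x0100): [RID#1048] cmd [241 (auth)] uid [693200999] gid [693200999] validate [true] enterprise principal [true] offline [false] UPN [user2@IPADOMAIN.NET]
(2024-05-27 20:08:10): [krb5_child[478260]] [get_and_save_tgt] (0x0400): [RID#1048] Attempting kinit for realm [IPADOMAIN.NET]
(2024-05-27 20:08:10): [krb5_child[478260]] [k5c_send_data] (0x0200): [RID#1048] Received error code 0
"""


@dataclass
class AuthRequest:
    """Everything learned about one krb5_child request, keyed by its RID."""
    rid: str
    uid: Optional[str] = None
    upn: Optional[str] = None
    questions: Set[str] = field(default_factory=set)   # responder questions, e.g. {"otp"}
    krb5_error: Optional[int] = None
    krb5_error_text: Optional[str] = None
    sssd_error: Optional[int] = None                   # code from k5c_send_data


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields; return None for separators and other noise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text: str) -> Dict[str, AuthRequest]:
    """Group parsed lines by RID and extract the fields relevant to an auth failure."""
    requests: Dict[str, AuthRequest] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        req = requests.setdefault(rec["rid"], AuthRequest(rid=rec["rid"]))
        func, msg = rec["func"], rec["msg"]
        if func == "unpack_buffer":
            if (m := UID_RE.search(msg)):
                req.uid = m.group("uid")
            if (m := UPN_RE.search(msg)):
                req.upn = m.group("upn")
        elif func == "sss_krb5_responder":
            if (m := QUESTION_RE.search(msg)):
                req.questions.add(m.group("q"))
        elif func in ("get_and_save_tgt", "map_krb5_error"):
            if (m := KRB5_ERR_RE.search(msg)):
                req.krb5_error = int(m.group("code"))
                req.krb5_error_text = m.group("text")
        elif func == "k5c_send_data":
            if (m := SSSD_ERR_RE.search(msg)):
                req.sssd_error = int(m.group("code"))
    return requests


def find_2fa_preauth_failures(log_text: str) -> List[str]:
    """RIDs where the OTP prompt was issued and the KDC then rejected pre-authentication."""
    return sorted(rid for rid, r in summarize(log_text).items()
                  if "otp" in r.questions and r.krb5_error == KRB5KDC_ERR_PREAUTH_FAILED)


def report(log_text: str) -> List[str]:
    """One human-readable line per request, for a quick fleet-wide comparison."""
    flagged = set(find_2fa_preauth_failures(log_text))
    lines = []
    for rid, r in sorted(summarize(log_text).items()):
        krb5 = "none" if r.krb5_error is None else f"{r.krb5_error} ({KRB5_NAMES.get(r.krb5_error, r.krb5_error_text)})"
        tag = "  <-- 2FA preauth failure" if rid in flagged else ""
        lines.append(f"RID#{rid} uid={r.uid} upn={r.upn} questions={sorted(r.questions)} "
                     f"krb5={krb5} sssd={r.sssd_error}{tag}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it with no argument to see the constructed sample summarised, or pass the path of a real krb5_child.log (for example `/var/log/sssd/krb5_child.log` with `debug_level` raised in the `[domain/...]` section of sssd.conf) to get one line per request; comparing the output from a host on sssd-2.9.4-6.el9_4 with one on sssd-2.9.4-2.el9 shows directly whether the `otp` prompt is followed by KRB5KDC_ERR_PREAUTH_FAILED only on the newer build.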
