Adding to my own question after doing some further research:
This appears to be a bug in SSSD.
It was fixed via commit
I am wondering why this has yet to be released for centos 7.2 yet? There
have been two sssd updates since then, the latest 9 days ago and it does
not appear that it was included. I also wonder how something so basic
could slip through the cracks? It would appear it has never worked. I
understand weird / odd use case bugs, but this is out of the box clean
install no modifications - simply turn on 2FA and test sudo.
On 05/21/2016 02:41 PM, Ken Bass wrote:
And the main reason I am posting - sudo 2FA:
To test, I created a new usergroup called 'superusers'. And defined a
sudo rule for 'ALL'. When I log in using a 2FA enabled account and
type 'sudo -l' I get the
-sh-4.2$ sudo -l
Sorry, try again.
It will not accept the correct password.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project