Adding to my own question after doing some further research:

This appears to be a bug in SSSD.
It was fixed via commit on 3/14/2016.

I am wondering why this has yet to be released for CentOS 7.2? There have been two sssd updates since then, the latest 9 days ago, and it does not appear that it was included. I also wonder how something so basic could slip through the cracks? It would appear it has never worked. I understand weird / odd use case bugs, but this is an out-of-the-box clean install, no modifications - simply turn on 2FA and test sudo.

On 05/21/2016 02:41 PM, Ken Bass wrote:
And the main reason I am posting - sudo 2FA:

To test, I created a new usergroup called 'superusers'. And defined a sudo rule for 'ALL'. When I log in using a 2FA enabled account and type 'sudo -l' I get the loop of

-sh-4.2$ sudo -l
First Factor:
Sorry, try again.
First Factor:

It will not accept the correct password.
