Hi,
after updating Rocky Linux from 9.3 to 9.4, sssd started to enforce 2FA for our 
sudo configuration, while before it was optional, and we can't find out why it 
changed.
We downgraded the sssd packages from 2.9.4 to 2.9.1 and 2FA went back to being 
optional, so we are sure it's because of the sssd version change from 2.9.1 to 
2.9.4; all other configuration is the same.

I looked through the changelogs and skimmed the list of commits, but I 
couldn't find anything obvious that should change this. Has anyone seen 
something similar? Do you know if it's the result of an intended change, a 
side-effect of other changes, or a bug?

We are using IPA as the Kerberos provider; users do have OTP set up.
Up to 2.9.1, sudoing worked with either the password alone or password+OTP.
On 2.9.4 (and 2.9.5) sudoing does not work with the password alone; both 
password and OTP are required.

I attach excerpts from the logs; they are similar for both 2.9.1 and 2.9.4, with 
one difference standing out:
On 2.9.1:
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): 
[RID#729] Prompter interface isn't used for password prompts by SSSD.
On 2.9.4:
  * (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] (0x4000): 
[RID#38] Got question [otp].
Although one is in the log lines and the other in the backtrace.

Logs:
On 2.9.1:

(2024-06-17 12:07:45): [be[realm]] [dp_pam_handler_send] (0x0100): Got request 
with the following data
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): command: 
SSS_PAM_AUTHENTICATE
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): domain: realm
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): user: 
gsobanski@realm
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): rhost:
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 
(Password)
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 
0 (No authentication token available)
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): priv: 0
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): cli_pid: 3400909
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): logon name: not 
set
(2024-06-17 12:07:45): [be[realm]] [pam_print_data] (0x0100): flags: 0
[...]
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] Will 
perform auth
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] Will 
perform online auth
(2024-06-17 12:07:45): [krb5_child[3400913]] [get_and_save_tgt] (0x0400): 
[RID#729] Attempting kinit for realm [realm]
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200): 
[RID#729] Prompter interface isn't used for password prompts by SSSD.
(2024-06-17 12:07:45): [krb5_child[3400913]] [validate_tgt] (0x0400): [RID#729] 
TGT verified using key for [host/hostname@realm].
(2024-06-17 12:07:45): [krb5_child[3400913]] [safe_remove_old_ccache_file] 
(0x0400): [RID#729] New and old ccache file are the same, none will be deleted.
(2024-06-17 12:07:45): [krb5_child[3400913]] [k5c_send_data] (0x0200): 
[RID#729] Received error code 0
(2024-06-17 12:07:45): [krb5_child[3400913]] [main] (0x0400): [RID#729] 
krb5_child completed successfully

On 2.9.4:

(2024-06-17 12:12:23): [be[realm]] [dp_pam_handler_send] (0x0100): Got request 
with the following data
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): command: 
SSS_PAM_AUTHENTICATE
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): domain: realm
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): user: 
gsobanski@realm
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): service: sudo
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): tty: /dev/pts/1
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): ruser: gsobanski
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): rhost:
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): authtok type: 1 
(Password)
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): newauthtok type: 
0 (No authentication token available)
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): priv: 0
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): cli_pid: 1757901
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): child_pid: 0
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): logon name: not 
set
(2024-06-17 12:12:23): [be[realm]] [pam_print_data] (0x0100): flags: 0
[...]
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will 
perform auth
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] Will 
perform online auth
(2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0400): 
[RID#38] Attempting kinit for realm [realm]
(2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): 
[RID#38] 2367: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING 
BACKTRACE:
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] 
krb5_child started.
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x1000): 
[RID#38] total buffer size: [179]
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x0100): 
[RID#38] cmd [241 (auth)] uid [123456] gid [1002] validate [true] enterprise 
principal [false] offline [false] UPN [gsobanski@realm]
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [unpack_buffer] (0x0100): 
[RID#38] ccname: [FILE:/tmp/krb5cc_123456_XXXXXX] old_ccname: 
[FILE:/tmp/krb5cc_123456_3UVHOp] keytab: [/etc/krb5.keytab]
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [switch_creds] (0x0200): 
[RID#38] Switch user to [123456][1002].
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [switch_creds] (0x0200): 
[RID#38] Switch user to [0][0].
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_check_old_ccache] 
(0x4000): [RID#38] Ccache_file is [FILE:/tmp/krb5cc_123456_3UVHOp] and is  
active and TGT is  valid.
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_setup_fast] (0x0100): 
[RID#38] Fast principal is set to [host/hostname@realm]
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [find_principal_in_keytab] 
(0x4000): [RID#38] Trying to find principal host/hostname@realm in keytab.
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [match_principal] (0x1000): 
[RID#38] Principal matched to the sample (host/hostname@realm).
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [check_fast_ccache] 
(0x0200): [RID#38] FAST TGT is still valid.
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [become_user] (0x0200): 
[RID#38] Trying to become user [123456][1002].
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x2000): [RID#38] 
Running as [123456][1002].
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [set_lifetime_options] 
(0x0100): [RID#38] No specific renewable lifetime requested.
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [set_lifetime_options] 
(0x0100): [RID#38] No specific lifetime requested.
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [set_canonicalize_option] 
(0x0100): [RID#38] Canonicalization is set to [true]
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] 
Will perform auth
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] 
Will perform online auth
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [tgt_req_child] (0x1000): 
[RID#38] Attempting to get a TGT
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0400): 
[RID#38] Attempting kinit for realm [realm]
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder] 
(0x4000): [RID#38] Got question [otp].
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020): 
[RID#38] 2367: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE 
*********************************

(2024-06-17 12:12:23): [krb5_child[1757979]] [map_krb5_error] (0x0040): 
[RID#38] 2496: [-1765328360][Preauthentication failed]
(2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_send_data] (0x0200): [RID#38] 
Received error code 1432158222
(2024-06-17 12:12:23): [krb5_child[1757979]] [main] (0x0400): [RID#38] 
krb5_child completed successfully

Grzegorz Sobański
www.payu.com
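As an added example that is not part of the original post or of the sssd project: a small Python script that parses krb5_child debug lines of the shape shown in the excerpts above, re-joins the lines the mail client wrapped (and the backtrace dump), and summarises each krb5_child run by RID: which responder questions it was asked, which Kerberos errors it logged, whether the TGT was validated, and the result code it sent back to the backend. The Kerberos error-table mapping (-1765328360 is MIT krb5's KRB5KDC_ERR_PREAUTH_FAILED) is taken from the krb5 error table; the sample lines are constructed from the two excerpts; the field names, classification strings and function names are this example's own assumptions.

```python
# Added example, not code from the post or from the sssd project: parse krb5_child
# debug lines (re-joining mail-wrapped lines and backtrace dumps) and compare runs.
import re

# MIT krb5 error table: code = base + protocol error number (24 = PREAUTH_FAILED).
KRB5_ERR_BASE = -1765328384
KRB5_ERR_NAMES = {6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
                  24: "KRB5KDC_ERR_PREAUTH_FAILED",
                  25: "KRB5KDC_ERR_PREAUTH_REQUIRED"}

def krb5_error_name(code):
    return KRB5_ERR_NAMES.get(code - KRB5_ERR_BASE, "krb5 error %d" % code)

NEW_RECORD_RE = re.compile(r"^\s*(?:\*\s+)?\(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\): ")
LINE_RE = re.compile(
    r"^\s*(?:\*\s+)?\((?P<ts>[^)]+)\): \[(?P<comp>\S+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<lvl>0x[0-9a-fA-F]+)\): (?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$")

# Constructed samples: krb5_child lines from the two excerpts, wrapped as in the mail.
LOG_OLD = """\
(2024-06-17 12:07:45): [krb5_child[3400913]] [sss_krb5_prompter] (0x0200):
[RID#729] Prompter interface isn't used for password prompts by SSSD.
(2024-06-17 12:07:45): [krb5_child[3400913]] [validate_tgt] (0x0400): [RID#729]
TGT verified using key for [host/hostname@realm].
(2024-06-17 12:07:45): [krb5_child[3400913]] [k5c_send_data] (0x0200):
[RID#729] Received error code 0
"""
LOG_NEW = """\
(2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020):
[RID#38] 2367: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [sss_krb5_responder]
(0x4000): [RID#38] Got question [otp].
   *  (2024-06-17 12:12:23): [krb5_child[1757979]] [get_and_save_tgt] (0x0020):
[RID#38] 2367: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE
*********************************
(2024-06-17 12:12:23): [krb5_child[1757979]] [k5c_send_data] (0x0200): [RID#38]
Received error code 1432158222
"""

def entries(text):
    # A record starts with '(YYYY-MM-DD hh:mm:ss):'; any other text continues the
    # previous record unless a '****' backtrace banner came in between.
    recs, cont = [], False
    for line in text.splitlines():
        s = line.strip()
        if not s or s == "[...]":
            continue
        if NEW_RECORD_RE.match(line):
            recs.append(line.rstrip())
            cont = True
        elif s.startswith("****"):
            cont = False
        elif cont:
            recs[-1] += " " + s
    for rec in recs:
        m = LINE_RE.match(rec)
        if m:
            e = m.groupdict()
            e["lvl"] = int(e["lvl"], 16)
            yield e

def summarize_krb5_child(text):
    # Per-RID summary: responder questions, krb5 errors, TGT validation, result code.
    runs = {}
    for e in entries(text):
        if not e["comp"].startswith("krb5_child[") or e["rid"] is None:
            continue
        run = runs.setdefault(e["rid"], {"responder_questions": [], "krb5_errors": [],
                                         "tgt_verified": False, "sssd_result": None})
        msg = e["msg"]
        q = re.match(r"Got question \[([^\]]+)\]", msg)
        if e["func"] == "sss_krb5_responder" and q and q.group(1) not in run["responder_questions"]:
            run["responder_questions"].append(q.group(1))
        err = re.search(r"\[(-?\d+)\]\[([^\]]+)\]", msg)
        if err and e["lvl"] <= 0x0040:  # error-level lines only; backtrace repeats are deduped
            item = (int(err.group(1)), err.group(2))
            if item not in run["krb5_errors"]:
                run["krb5_errors"].append(item)
        if e["func"] == "validate_tgt" and msg.startswith("TGT verified"):
            run["tgt_verified"] = True
        rc = re.match(r"Received error code (\d+)", msg)
        if rc:
            run["sssd_result"] = int(rc.group(1))
    return runs

PASSWORD_OK = "kinit succeeded with the supplied password; no responder question"
OTP_THEN_PREAUTH_FAILED = "responder asked [otp]; kinit ended with KRB5KDC_ERR_PREAUTH_FAILED"
def classify(run):
    codes = [krb5_error_name(c) for c, _ in run["krb5_errors"]]
    if run["tgt_verified"] and not codes and not run["responder_questions"]:
        return PASSWORD_OK
    if "otp" in run["responder_questions"] and "KRB5KDC_ERR_PREAUTH_FAILED" in codes:
        return OTP_THEN_PREAUTH_FAILED
    return "other: questions=%r errors=%r" % (run["responder_questions"], codes)

def compare(old_text, new_text):
    # Fields that differ between the first krb5_child run of each excerpt.
    old = next(iter(summarize_krb5_child(old_text).values()))
    new = next(iter(summarize_krb5_child(new_text).values()))
    return {k: (old[k], new[k]) for k in old if old[k] != new[k]}
```

compare(LOG_OLD, LOG_NEW) reports the four fields that differ between the two excerpts (responder question, krb5 error, TGT validation, result code); feeding it the complete krb5_child.log from each version, rather than the excerpts, gives the same per-RID view for every sudo attempt, which is the quickest way to confirm that the [otp] question is the only thing that changed between the runs.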

--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org