I've got my head loosely around it (though not entirely). The difference in behaviour comes down to Red Hat / Rocky harnessing the localuser module to skip unix auth if the user is not local. The auth sss line also had to be changed to sufficient and forward_pass to work with this configuration, for reasons I haven't quite grasped yet.
So in Ubuntu / Debian format a working config with minimal changes looks like:

    auth [default=1 ignore=ignore success=ok] pam_localuser.so
    auth [success=2 default=ignore] pam_unix.so nullok
    auth sufficient pam_sss.so forward_pass

Rocky also uses pam_env, pam_faildelay and pam_usertype, but it appears to be the pam_localuser test which allows them to skip unix auth when appropriate.

In terms of a reproduction test, any config using sss can be validated by doing the following:

Failure condition - auth fails with pam_unix before sss is attempted:

    Mar 30 16:12:22 mogwai su: pam_unix(su:auth): authentication failure; logname=dcharvey uid=** euid=0 tty=/dev/pts/6 ruser=david rhost= user=david
    Mar 30 16:12:22 mogwai su: pam_sss(su:auth): authentication success; logname=dcharvey uid=** euid=0 tty=/dev/pts/6 ruser=david rhost= user=david

Works condition - pam goes straight to sss because it skips pam_unix (of course this is also the case when pam_unix is just not enabled, as pam_sss is the first thing to try):

    Mar 30 16:13:13 mogwai su: pam_sss(su:auth): authentication success; logname=dcharvey uid=895200011 euid=0 tty=/dev/pts/6 ruser=david rhost= user=david

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146581

Title:
  Using SSS authentication with TOTP prompts requires disabling Unix authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/2146581/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
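The reproduction test described in the comment above, turned into a script. This is an added example, not code from the bug report, from the pam package or from sssd: it parses syslog-style `pam_*(service:auth): authentication ...` lines, groups them by host, service, tty and user, and flags every pam_sss success that was immediately preceded by a pam_unix failure for the same session (the "failure condition", pam_unix tried before sss) versus a pam_sss result with no such predecessor (the "works condition"). The sample lines are constructed from the ones quoted in the comment, with the masked uids replaced by made-up values; the five-second window and the column names are my assumptions.

```python
import re
import sys
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the bug comment.
# The comment masks uids as "**"; the values here are made up.
SAMPLE_LOG = """\
Mar 30 16:12:22 mogwai su: pam_unix(su:auth): authentication failure; logname=dcharvey uid=1000 euid=0 tty=/dev/pts/6 ruser=david rhost= user=david
Mar 30 16:12:22 mogwai su: pam_sss(su:auth): authentication success; logname=dcharvey uid=1000 euid=0 tty=/dev/pts/6 ruser=david rhost= user=david
Mar 30 16:13:13 mogwai su: pam_sss(su:auth): authentication success; logname=dcharvey uid=895200011 euid=0 tty=/dev/pts/6 ruser=david rhost= user=david
"""

# "<ts> <host> <prog>: pam_<mod>(<service>:auth): authentication <result>; k=v ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):auth\): "
    r"authentication (?P<result>success|failure);(?P<kv>.*)$"
)
# "rhost=" with an empty value is legitimate, hence \S* rather than \S+.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one pam auth-result line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev.update(dict(KV_RE.findall(ev.pop("kv"))))
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def _seconds(ts):
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    t = datetime.strptime(ts, "%b %d %H:%M:%S")
    return (t - datetime(1900, 1, 1)).total_seconds()


def classify(events, window=5):
    """For each pam_sss result, decide which path the auth stack took.

    A pam_sss result immediately preceded (same host/service/tty/user, within
    `window` seconds) by a pam_unix failure means pam_unix was attempted
    first: the failure condition from the bug. A pam_sss result with no such
    predecessor means the stack went straight to sss.
    """
    verdicts = []
    last = {}  # (host, service, tty, user) -> previous event for that session
    for ev in events:
        key = (ev["host"], ev["service"], ev.get("tty"), ev.get("user"))
        prev = last.get(key)
        if ev["module"] == "pam_sss":
            if (prev is not None
                    and prev["module"] == "pam_unix"
                    and prev["result"] == "failure"
                    and 0 <= _seconds(ev["ts"]) - _seconds(prev["ts"]) <= window):
                verdict = "FAIL: pam_unix attempted before pam_sss"
            else:
                verdict = "OK: pam_sss reached without a pam_unix attempt"
            verdicts.append((ev["ts"], ev.get("user"), ev.get("tty"), verdict))
        last[key] = ev
    return verdicts


def classify_log(text, window=5):
    return classify(parse_log(text), window)


if __name__ == "__main__":
    # Usage: python3 check_sss_order.py /var/log/auth.log   (or no argument for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ts, user, tty, verdict in classify_log(text):
        print(f"{ts} user={user} tty={tty} {verdict}")
```

Run it against auth.log (or `journalctl -t su -t sshd -o short` output) after changing common-auth: any FAIL verdict for a non-local user means pam_unix is still being reached before pam_sss, so a TOTP prompt would be preceded by a wasted unix password attempt.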
