It would be helpful to diagnose second factor problems if we could check the user has tried entering it (or, say, using a client that does not support OTP). Something along the lines of:
```c
m[0].msg_style = PAM_PROMPT_ECHO_OFF;
m[0].msg = prompt_fa1;
m[1].msg_style = PAM_PROMPT_ECHO_OFF;
m[1].msg = prompt_fa2;

if (m[1].msg == NULL || strlen(m[1].msg) == 0) {
    D(("otp is empty or NULL"));
}
```
Hi,
I can already see if only one or two factors were entered in the logs in the pam_print_data blocks:
```
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: ad.devel
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): user: tu1
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): service: su-l
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): tty: pts/1
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): ruser: sbose
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): priv: 0
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 4756
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): logon name: tu1@ad.devel
(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): flags: 2
```
where authtok type: 1 means single password and 3 means 2FA. Does this already help? If yes, I would use this ticket to not only print a number but a description as well.
bye, Sumit
Yep this is helpful. What does "authtok type: 0" mean? We have quite a few of these.
Cheers, Yuriy
As you might have guessed, 0 means that there are no credentials in the current PAM data. Credentials are only used for authentication, so they are available only during SSS_PAM_AUTHENTICATE. All other steps like access control, pre-auth, open and close session do not need them and have authtok type: 0.
HTH
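An added example, not part of the original ticket or SSSD's own code: a Python script that groups `pam_print_data` lines into per-request blocks and counts `SSS_PAM_AUTHENTICATE` requests per user and credential kind, using only the three `authtok type` meanings given in this thread. The sample lines are constructed in the format of the log quoted above; the trimmed field set, the user `tu2`, the `SSS_PAM_ACCT_MGMT` block and the unrelated line are assumptions for illustration.

```python
import re
from collections import Counter

# Meanings given in this thread; any other value is reported as unknown.
AUTHTOK_TYPES = {0: "no credentials", 1: "single password", 3: "2FA"}
FIELD_RE = re.compile(r"\[pam_print_data\] \(0x[0-9a-fA-F]+\): ([^:]+): (.*)$")

def parse_blocks(lines):
    """Group pam_print_data lines into one dict per PAM request.
    Assumes each block starts with its 'command' line, as in the log above."""
    blocks = []
    for line in lines:
        m = FIELD_RE.search(line.rstrip())
        if not m:
            continue  # not a pam_print_data line
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "command":
            blocks.append({})
        if blocks:
            blocks[-1][key] = value
    return blocks

def summarize_auth(lines):
    """Count SSS_PAM_AUTHENTICATE requests per (user, credential kind)."""
    counts = Counter()
    for b in parse_blocks(lines):
        raw = b.get("authtok type", "")
        if b.get("command") != "SSS_PAM_AUTHENTICATE" or not raw.isdigit():
            continue  # only authentication requests carry credentials
        kind = AUTHTOK_TYPES.get(int(raw), f"unknown type {raw}")
        counts[(b.get("user", "?"), kind)] += 1
    return counts

# Constructed sample in the format quoted above (fields trimmed; tu2 is made up).
P = "(Tue Jun 11 15:07:12 2019) [sssd[pam]] [pam_print_data] (0x0100): "
SAMPLE = [
    P + "command: SSS_PAM_AUTHENTICATE", P + "user: tu1", P + "authtok type: 1",
    P + "command: SSS_PAM_ACCT_MGMT", P + "user: tu1", P + "authtok type: 0",
    P + "command: SSS_PAM_AUTHENTICATE", P + "user: tu2", P + "authtok type: 3",
    "(Tue Jun 11 15:07:13 2019) [sssd[pam]] [other] (0x0200): unrelated line",
]

if __name__ == "__main__":
    for (user, kind), n in sorted(summarize_auth(SAMPLE).items()):
        print(f"{user}: {n} authentication request(s) with {kind}")
```

A user who appears only under "single password" never submitted a second factor in the parsed requests, which is the condition the ticket wanted to diagnose.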
Metadata Update from @pbrezina: - Issue tagged with: Canditate to close
Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfill this request I am closing the issue as wontfix.
If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.
Thank you for understanding.
Metadata Update from @pbrezina: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4994
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.