Hi,

I pulled the unofficial 1.15.1 el6 sssd and installed it today on a host where RSA securid is used ( RSA + openldap) . I am trying to log in to the server and I am getting ( please note pam_unix fails but that's fine as we use ldap ) :

Mar  9 09:17:38 barni sshd[7597]: error: PAM: Authentication failure for abcd from X.Y.86.223
Mar  9 09:17:38 barni sshd[7597]: Connection closed by X.Y.86.223 port 40924 [preauth]
Mar  9 09:18:04 barni sshd[8012]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.Y.86.223 user=abcd
Mar  9 09:18:04 barni sshd[8012]: pam_sss(sshd:auth): received for user abcd: 7 (Authentication failure)
Mar  9 09:18:04 barni sshd[8012]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.Y.86.223  user=abcd


I have reverted to 1.14.2 and it magically works :) Is there any functionality changed from 1.15.1 to 1.14.2 before I start enabling debugging and go through the logs ? The only service needing 2FA is sshd so I use a separate system-auth-ac file. With 1.15.1 I get propted for 2FA each time so it does not go to LDAP password:

1.14.2:
[gvasiliu@localhost Downloads]$ ssh -q barni
Enter SecureKey:
Password:

1.15.1:
[gvasiliu@localhost Downloads]$ ssh -q barni
Enter SecureKey:
Enter SecureKey:

https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0
https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html#

Could this be related to https://pagure.io/SSSD/sssd/issue/2984 ?

root@barni[/etc/pam.d]# cat sshd
#%PAM-1.0
auth       required     pam_securid.so reserve
auth       include      system-auth-ac_new
account    required     pam_nologin.so
account    include      system-auth-ac_new
password   include      system-auth-ac_new
session    optional     pam_keyinit.so force revoke
session    include      system-auth-ac_new
session    required     pam_loginuid.so

root@barni[/etc/pam.d]# cat system-auth-ac_new
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    pam_sss.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     [default=bad success=ok user_unknown=ignore] pam_sss.so
#account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so


password    sufficient    pam_sss.so use_authtok
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_sss.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Thank you