[Freeipa-users] sudo 2FA not working

Ken Bass kbass at kenbass.com
Sat May 21 18:41:34 UTC 2016


Hello, I installed a brand new IPA server to a clean CentOS 7.2 and a 
brand new client to a clean CentOS 7.2 install. My main requirement for 
this is using 2FA.

Seeing this was my main reason for trying IPA, so far the results are 
frustrating. I cannot assign 2FA to the 'admin' user on the IPA server 
so I can perform admin.
Another issue is that even when I successfully log in with my 'test' 
user, I can run 'klist' and there is a ticket. But if I type 'kinit 
test' (same user I already have a ticket for), I see 'kinit: Generic 
preauthentication failure while getting initial credentials'

And the main reason I am posting - sudo 2FA:

To test, I created a new usergroup called 'superusers'. And defined a 
sudo rule for 'ALL'. When I log in using a 2FA enabled account and type 
'sudo -l' I get the loop of

-sh-4.2$ sudo -l
First Factor:
Sorry, try again.
First Factor:

It will not accept the correct password.

If I disable 2FA for this user it works fine. Or if I add a 
'!authenticate' option to the rule it works. Obviously both solutions 
defeat the entire concept of using 2FA.

sudo_debug log shows:

May 21 13:56:33 sudo[5251] -> expand_prompt @ ./check.c:287
May 21 13:56:33 sudo[5251] <- expand_prompt @ ./check.c:398 := [sudo] password for test:
May 21 13:56:33 sudo[5251] -> verify_user @ ./auth/sudo_auth.c:193
May 21 13:56:33 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:56:33 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:56:33 sudo[5251] -> auth_getpass @ ./auth/sudo_auth.c:347
May 21 13:56:33 sudo[5251] -> tgetpass @ ./tgetpass.c:76
May 21 13:56:33 sudo[5251] -> tty_present @ ./tgetpass.c:329
May 21 13:56:33 sudo[5251] <- tty_present @ ./tgetpass.c:333 := true
May 21 13:56:33 sudo[5251] -> term_noecho @ ./term.c:88
May 21 13:56:33 sudo[5251] <- term_noecho @ ./term.c:99 := 1
May 21 13:56:33 sudo[5251] -> getln @ ./tgetpass.c:272
May 21 13:57:20 sudo[5251] <- getln @ ./tgetpass.c:315 := ********
May 21 13:57:20 sudo[5251] -> term_restore @ ./term.c:73
May 21 13:57:20 sudo[5251] <- term_restore @ ./term.c:82 := 1
May 21 13:57:20 sudo[5251] <- tgetpass @ ./tgetpass.c:202 := ********
May 21 13:57:20 sudo[5251] <- auth_getpass @ ./auth/sudo_auth.c:365 := ********
May 21 13:57:20 sudo[5251] <- converse @ ./auth/pam.c:387 := 19
May 21 13:57:20 sudo[5251] <- sudo_pam_verify @ ./auth/pam.c:177 := 1
May 21 13:57:20 sudo[5251] -> pass_warn @ ./auth/sudo_auth.c:331
May 21 13:57:20 sudo[5251] <- pass_warn @ ./auth/sudo_auth.c:339
May 21 13:57:20 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:57:21 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:57:21 sudo[5251] -> auth_getpass @ ./auth/sudo_auth.c:347
May 21 13:57:21 sudo[5251] -> tgetpass @ ./tgetpass.c:76
May 21 13:57:21 sudo[5251] -> tty_present @ ./tgetpass.c:329
May 21 13:57:21 sudo[5251] <- tty_present @ ./tgetpass.c:333 := true
May 21 13:57:21 sudo[5251] -> term_noecho @ ./term.c:88
May 21 13:57:21 sudo[5251] <- term_noecho @ ./term.c:99 := 1
May 21 13:57:21 sudo[5251] -> getln @ ./tgetpass.c:272

The expand_prompt is not the prompt I am seeing for the 2FA case, it is 
the 'First Factor:' prompt similar to a console login.

In the sssd log, I also see the following before I am prompted for the 'First Factor:'.

(Sat May 21 14:19:21 2016) [sssd[be[ [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
(Sat May 21 14:19:21 2016) [sssd[be[ [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

Every time I enter the password for the 'First Factor' prompt, I see an 
entry on the IPA server KDC with 'NEEDED_PREAUTH: test at ...'. I think 
that is normal, but I never see an eventual ticket issue like I do with 
console/ssh login.

Any suggestions/help on getting sudo with 2FA working?
Thanks,
Ken
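Added note, not part of Ken's message: the sudo_debug trace above is easier to read once the `->`/`<-` lines are paired up, because the return values then line up with the call that produced them. The Python helper below does that pairing, reports how long sudo sat in `getln` waiting for the user to type, and decodes the two numeric exits. Decoding 19 with Linux-PAM's `_pam_types.h` numbering gives `PAM_CONV_ERR`, which says the conversation between sudo and the PAM stack failed rather than the KDC plainly rejecting a password; comparing this pairing against the same trace from a working console login is the natural next check. The input is the first attempt from the quoted trace (re-joined where the mail client wrapped it), the year 2016 is assumed because the trace lines carry none, and the sudo result names (`AUTH_FAILURE` = 1 and friends) are from my recollection of sudo's `sudo_auth.h` and should be treated as an assumption.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed input: the first authentication attempt from the sudo_debug
# trace quoted in the post, with the two mail-wrapped lines re-joined.
SAMPLE_TRACE = """\
May 21 13:56:33 sudo[5251] -> expand_prompt @ ./check.c:287
May 21 13:56:33 sudo[5251] <- expand_prompt @ ./check.c:398 := [sudo] password for test:
May 21 13:56:33 sudo[5251] -> verify_user @ ./auth/sudo_auth.c:193
May 21 13:56:33 sudo[5251] -> sudo_pam_verify @ ./auth/pam.c:131
May 21 13:56:33 sudo[5251] -> converse @ ./auth/pam.c:305
May 21 13:56:33 sudo[5251] -> auth_getpass @ ./auth/sudo_auth.c:347
May 21 13:56:33 sudo[5251] -> tgetpass @ ./tgetpass.c:76
May 21 13:56:33 sudo[5251] -> tty_present @ ./tgetpass.c:329
May 21 13:56:33 sudo[5251] <- tty_present @ ./tgetpass.c:333 := true
May 21 13:56:33 sudo[5251] -> term_noecho @ ./term.c:88
May 21 13:56:33 sudo[5251] <- term_noecho @ ./term.c:99 := 1
May 21 13:56:33 sudo[5251] -> getln @ ./tgetpass.c:272
May 21 13:57:20 sudo[5251] <- getln @ ./tgetpass.c:315 := ********
May 21 13:57:20 sudo[5251] -> term_restore @ ./term.c:73
May 21 13:57:20 sudo[5251] <- term_restore @ ./term.c:82 := 1
May 21 13:57:20 sudo[5251] <- tgetpass @ ./tgetpass.c:202 := ********
May 21 13:57:20 sudo[5251] <- auth_getpass @ ./auth/sudo_auth.c:365 := ********
May 21 13:57:20 sudo[5251] <- converse @ ./auth/pam.c:387 := 19
May 21 13:57:20 sudo[5251] <- sudo_pam_verify @ ./auth/pam.c:177 := 1
May 21 13:57:20 sudo[5251] -> pass_warn @ ./auth/sudo_auth.c:331
May 21 13:57:20 sudo[5251] <- pass_warn @ ./auth/sudo_auth.c:339
"""

# Linux-PAM return codes relevant to a failed authentication (_pam_types.h).
PAM_CODES = {0: "PAM_SUCCESS", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL",
             11: "PAM_MAXTRIES", 19: "PAM_CONV_ERR"}

# sudo's internal auth results as recalled from sudo_auth.h (assumption).
SUDO_AUTH_CODES = {0: "AUTH_SUCCESS", 1: "AUTH_FAILURE", 2: "AUTH_INTR", 3: "AUTH_FATAL"}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"sudo\[(?P<pid>\d+)\] (?P<dir>->|<-) (?P<func>\w+) @ (?P<loc>\S+)"
    r"(?: := (?P<ret>.*))?$"
)


@dataclass
class Call:
    func: str
    depth: int
    start: datetime
    end: Optional[datetime] = None
    ret: Optional[str] = None

    @property
    def seconds(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds()


def parse_trace(text: str, year: int = 2016) -> list[Call]:
    """Pair '->' entries with '<-' exits; calls never exited keep end=None.
    An exit that does not match the innermost open call raises, since that
    usually means a truncated log or two pids interleaved in one file."""
    stack: list[Call] = []
    calls: list[Call] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or something other than a trace line
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        if m["dir"] == "->":
            call = Call(m["func"], len(stack), ts)
            stack.append(call)
            calls.append(call)  # keep entry order for the report
        else:
            if not stack or stack[-1].func != m["func"]:
                raise ValueError(f"exit from {m['func']} without matching entry")
            call = stack.pop()
            call.end, call.ret = ts, m["ret"]
    return calls


def summarize(calls: list[Call]) -> dict:
    """Pull out the prompt text, the time spent waiting for input, and the
    decoded exit codes of the PAM conversation and of sudo's verify step."""
    def first(name: str) -> Optional[Call]:
        return next((c for c in calls if c.func == name), None)

    def decode(call: Optional[Call], table: dict) -> Optional[str]:
        if call is None or call.ret is None or not call.ret.isdigit():
            return None
        return table.get(int(call.ret), f"unknown({call.ret})")

    prompt, getln = first("expand_prompt"), first("getln")
    return {
        "prompt": prompt.ret if prompt else None,
        "prompt_seconds": getln.seconds if getln else None,
        "converse_ret": decode(first("converse"), PAM_CODES),
        "pam_verify_ret": decode(first("sudo_pam_verify"), SUDO_AUTH_CODES),
        "unfinished": [c.func for c in calls if c.end is None],
    }


if __name__ == "__main__":
    for c in parse_trace(SAMPLE_TRACE):
        print(f"{'  ' * c.depth}{c.func}: {c.seconds}s -> {c.ret}")
    print(summarize(parse_trace(SAMPLE_TRACE)))
```

On the quoted trace this reports 47 seconds in `getln` (the user typing at the prompt), `converse` exiting with `PAM_CONV_ERR`, `sudo_pam_verify` exiting with `AUTH_FAILURE`, and `verify_user` still open, which is expected because the trace was cut before the second attempt finished.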
