On 3 Jun 2018, at 13:33, Bret Wortman via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
> I just realized that I never closed the loop on this problem and just finished upgrading
> all my systems to use our new IPA servers. And this problem is still with me.
> I can log onto some workstations but not all. My only enabled hbac rule is still
> "allow_all", and it's as permissive as it gets.
> Is there anything else I can check? I'm trying to get this working before my users
> arrive on Monday and carry off my head on a pikestaff…

Are you sure the issue is HBAC, then? Normally I first check either /var/log/secure or
journald, search for pam_sss to see what kind of error sssd returned (if any..) and then
work my way through the sssd logs, the sssd_pam.log/sssd_nss.log first and then the
sssd_domain.log..

> Bret
> On 02/22/2018 09:30 AM, Bret Wortman wrote:
>> Back to this thread; I stood up a new VM and used ipa-client-install to subscribe it
>> to the new server. I can log on to it from both ssh and console, so the problem on my
>> original workstation appears to be in switching from one server to another.
>>
>> Thoughts?
>>
>>
>> On 02/21/2018 10:29 AM, Bret Wortman wrote:
>>> My only hbac rule is "allow_all", and it's enabled. I hadn't
>>> gotten around to setting up any additional ones yet.
>>>
>>>
>>> On 02/21/2018 10:14 AM, Rob Crittenden wrote:
>>>> Bret Wortman via FreeIPA-users wrote:
>>>>> Any ideas why I might be prevented from logging in on a system through
>>>>> GDM and the console, but if I log in as root and:
>>>>>
>>>>> # ssh bretw@localhost
>>>>>
>>>>> I'm able to log in without issues? And it'll tell me about failed logins
>>>>> for every time I try through GDM or the console.
>>>>>
>>>>> This is on a brand new IPA server I'm setting up using data from our
>>>>> older ones but it's not set up as a replica.
>>>> Check HBAC rules. Logging into console is a different pam service than ssh.
>>>>
>>>> rob
>>>
>>
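The first triage step suggested in the reply above (search /var/log/secure for pam_sss and see what sssd returned), grouped per PAM service since console, GDM and ssh are different services. This is an added example, not part of the original thread: the log lines are constructed, the function names are hypothetical, and treating an account-phase failure as the access-control (HBAC) case is a heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in /var/log/secure format; host, PIDs and times are made up.
SAMPLE = """\
Jun  3 13:01:12 ws01 sshd[2211]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=bretw
Jun  3 13:02:40 ws01 login[2290]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost= user=bretw
Jun  3 13:02:40 ws01 login[2290]: pam_sss(login:auth): received for user bretw: 4 (System error)
Jun  3 13:03:05 ws01 gdm-password[2311]: pam_sss(gdm-password:account): Access denied for user bretw: 6 (Permission denied)
Jun  3 13:04:00 ws01 sshd[2350]: Accepted password for root from 192.0.2.5 port 50022 ssh2
"""

LINE = re.compile(r"pam_sss\((?P<service>[^:)]+):(?P<stage>\w+)\): (?P<msg>.*)")
USER = re.compile(r"\buser[ =](?P<user>[^\s:]+)")          # "user=x" or "for user x:"
CODE = re.compile(r": (?P<code>\d+) \((?P<reason>[^)]*)\)\s*$")  # trailing PAM code

def parse(log_text):
    """Yield one dict per pam_sss line; all other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        msg = m["msg"]
        user, code = USER.search(msg), CODE.search(msg)
        yield {
            "service": m["service"],
            "stage": m["stage"],
            "user": user["user"] if user else None,
            "ok": msg.startswith("authentication success"),
            "code": int(code["code"]) if code else None,
            "reason": code["reason"] if code else None,
        }

def by_service(log_text):
    """Per PAM service: success count and the failures that carry a PAM code."""
    out = defaultdict(lambda: {"ok": 0, "failed": []})
    for ev in parse(log_text):
        if ev["ok"]:
            out[ev["service"]]["ok"] += 1
        elif ev["code"] is not None:
            out[ev["service"]]["failed"].append(
                (ev["stage"], ev["user"], ev["code"], ev["reason"]))
    return dict(out)

def account_phase_denials(log_text):
    """Services that failed in the account phase, where SSSD applies access control."""
    return sorted(s for s, r in by_service(log_text).items()
                  if any(stage == "account" for stage, *_ in r["failed"]))
```

A service that fails only in the auth phase points away from HBAC and toward the sssd logs named in the reply.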