On Tue, Jun 18, 2019 at 05:17:31PM +0100, lejeczek via FreeIPA-users wrote:
> hi guys
> I think it was asked on the list before but I still cannot find the thread.
> Should AD's users be able to log in to IPA's clients (non-replica) in a
> pretty vanilla setup? Those users can log in to IPA masters okay.
> I have not created any HBACs yet, nor added new hostgroups etc.
> When I ssh to IPA's client that client denies that user & shows:
> pam_sss(sshd:auth): received for user user1@private: 6 (Permission denied)

Hi,
'Permission denied' is typically returned during the PAM access control
step 'pam_sss(sshd:account)'. For auth there should be only a few cases
like an expired user in AD, but in this case login to the IPA masters
shouldn't work as well.
Please add 'debug_level=9' at least to the [pam] and [domain/...]
section of sssd.conf on the client, restart SSSD, try to authenticate
and send the logs from /var/log/sssd.
bye,
Sumit
...
many thanks, L.