Kannappan M via FreeIPA-users wrote:
Hi All,
I have granted a bunch of users to a list of servers, but except one server
all the users are able to touch the files once they log in to 3 out of 4 servers;
in one server alone I am able to switch to user but not able to touch any files,
getting message as permission denied

To restate:

- you created an HBAC rule that allows a set of users to log into a set of 4 hosts and that works ok
- on one of the 4 hosts one user is not allowed to create files

We can eliminate HBAC as a problem since it allowed login access. It
doesn't control who can write files on a host.

It sounds like a groups problem. I'd suggest looking at what
files/directories are not writable and see what the permissions are. I
wonder if one user is not in the group which owns the directory.

You can use getent groups <user> to see what groups they are in. It
should be the same on all hosts and it should match what ipa user-show
<user> shows for group memberships.

That's where I'd start anyway. Next step would be to increase debugging
on the SSSD side to see whether all the groups that the user should be
in are being resolved properly.

rob
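
The check suggested in the reply above, as an added example that is not part of the original message: it compares the groups a host resolves for a user against the expected list, then works out from a directory's owner, group and mode whether that user can create files in it. The user, group, host and path names are constructed; on a live host the inputs would come from `id -Gn <user>`, `ipa user-show <user>` and GNU `stat`.

```sh
#!/bin/sh
# Added example (constructed data): alice, appsvc, appdev and /srv/app are
# hypothetical names. Group names are assumed to contain no whitespace.

# missing_groups "<expected>" "<resolved>"
# Prints each group in the expected list (e.g. from `ipa user-show`) that the
# host did not resolve for the user (e.g. from `id -Gn <user>`).
missing_groups() {
    for g in $1; do
        case " $2 " in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# dir_create_check <user> "<user's groups>" <owner> <group> <octal mode>
# Reports which permission class the kernel applies to the user for this
# directory and whether it grants write+search, both needed to create a file.
# Plain mode bits only: ACLs, SELinux and root are not considered.
dir_create_check() (
    user=$1 ugroups=$2 owner=$3 group=$4
    mode=$(printf '%04o' "0$5")          # normalise 775 / 2775 to 4 digits
    if [ "$user" = "$owner" ]; then
        class=owner digit=$(printf '%s' "$mode" | cut -c2)
    else
        case " $ugroups " in
            *" $group "*) class=group digit=$(printf '%s' "$mode" | cut -c3) ;;
            *)            class=other digit=$(printf '%s' "$mode" | cut -c4) ;;
        esac
    fi
    case $digit in
        3|7) echo "$class:allowed" ;;    # w (2) and x (1) both set
        *)   echo "$class:denied" ;;
    esac
)

# Constructed sample: what IPA lists vs. what each host resolves.
expected="alice appdev ipausers"
good_host="alice appdev ipausers"        # e.g. output of: id -Gn alice
bad_host="alice ipausers"
# Directory as reported by: stat -c '%U %G %a' /srv/app  ->  appsvc appdev 2775
echo "missing on bad host: $(missing_groups "$expected" "$bad_host")"
echo "good host: $(dir_create_check alice "$good_host" appsvc appdev 2775)"
echo "bad host:  $(dir_create_check alice "$bad_host" appsvc appdev 2775)"
```

A group that shows up in `missing_groups` on only one host points at group resolution on that host rather than at the directory's permissions.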