I ran that and the sshd service shows access granted True even though ssh-ing in doesn't work. Does the user have to have both login and sshd to log in via ssh? Other users that have the same permissions are able to get in OK, which is why this is so confusing.

On Tue, Mar 17, 2020 at 1:04 AM Angus Clarke <post@angusclarke.com> wrote:
Hello

I suggest running the hbactest function, something like:

ipa hbactest --user=user1 --host=fqdn.of.target.server --service=login

Regards
Angus


From: Kristian Petersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Sent: 16 March 2020 21:57
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Kristian Petersen <nesretep@chem.byu.edu>
Subject: [Freeipa-users] Some users unable to log in to host
 
Hey all,

I have a user that is trying to log into a host that is configured to have access restricted via an HBAC rule. This user is a member of one of the groups defined in the HBAC rule that should be granted access. When this user tries to SSH in to this host, they get 3 consecutive password prompts like "Password:" and then one like "username@domain's password:" and then they get a response of "Permission denied, please try again." I am not seeing any entries in the messages log or secure log for this user from these login attempts. Anyone have any thoughts about why this is happening?
--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry


--
Kristian Petersen
System Administrator
BYU Dept. of Chemistry and Biochemistry