uninstalling and reinstalling ipa-client cleared the problem., but the root
cause was that the ad domain was a sub domain to the ipa domain.  All fixed
now.

Thanks for the help.

On Mon, Aug 14, 2017 at 3:13 PM, Jakub Hrozek via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Mon, Aug 14, 2017 at 11:05:23AM -0400, Steve Weeks via FreeIPA-users
> wrote:
> > This is what I get in sssd_pam.log:
> >
> > [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][
> > ad.example.com]
> > [pam_reply] (0x0200): pam_reply called with result [6]: Permission
> denied.
> >
> > I don't think the bug you listed applies.  We have the service set to
> 'any'
> > and hbactest says the user should be able to login.
> >
> > Any idea what to try next or what logs to look at?
>
> I think the sssd domain logs are the next best place to look, becase
> there you'd see the rules sssd evaluates along with their input.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to