On to, 14 syys 2017, Louis Abel via FreeIPA-users wrote:
Jakub, you might be onto something.
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth):
authentication failure; logname= uid=389 euid=389 tty= ruser= rhost=
[email protected]
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth):
received for user [email protected]: 7 (Authentication failure)
Would this mean that I need an HBAC policy allowing specific/all users
system-auth against the IPA servers? Or what would you suggest? It does
seem a little overkill if I did that. Unless there's a better way.
If you are authenticating AD users over the compat tree, you need to
create an HBAC rule that allows all users to access system-auth HBAC
service on the IPA master.
None of existing services (ssh, login, etc) use system-auth directly.
Its the only direct user is the Schema Compatibility plugin that handles
cn=compat tree.
This is documented in Windows Integration Guide, as I give you a link in
the other email.
--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
