On to, 14 syys 2017, Louis Abel via FreeIPA-users wrote:
Jakub, you might be onto something.

Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): 
authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= 
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): 
received for user louis.a...@ad.example.com: 7 (Authentication failure)

Would this mean that I need an HBAC policy allowing specific/all users
system-auth against the IPA servers? Or what would you suggest? It does
seem a little overkill if I did that. Unless there's a better way.
If you are authenticating AD users over the compat tree, you need to
create an HBAC rule that allows all users to access system-auth HBAC
service on the IPA master.

None of existing services (ssh, login, etc) use system-auth directly.
Its the only direct user is the Schema Compatibility plugin that handles
cn=compat tree.

This is documented in Windows Integration Guide, as I give you a link in
the other email.

/ Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to