On Thu, Sep 14, 2017 at 06:28:50PM -0000, Louis Abel via FreeIPA-users wrote:
> Jakub, you might be onto something.
> 
> Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): 
> authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= 
> user=louis.a...@ad.example.com
> Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): 
> received for user louis.a...@ad.example.com: 7 (Authentication failure)
> 
> Would this mean that I need an HBAC policy allowing specific/all users 
> system-auth against the IPA servers? Or what would you suggest? It does seem 
> a little overkill if I did that. Unless there's a better way.

Well, yes and no.

If it was the HBAC access control that was kicking you out, I would have
expected the error code to be different (6 is typically returned for
access denied).

So I would also suggest increasing the sssd debug log on the server and
trying the login attempt again, then checking the sssd logs.
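
The distinction drawn above between code 7 and code 6 can be checked mechanically when triaging pam_sss messages. The following is an added example, not part of the original message: the `triage` helper and the sample lines (including the user `user1@ad.example.com`) are constructed for illustration, and the numeric codes are the Linux-PAM return values.

```python
import re

# Linux-PAM return codes (subset, values from _pam_types.h).
PAM_CODES = {
    4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED",       # access denied, e.g. by an access-control rule
    7: "PAM_AUTH_ERR",          # authentication failure
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
}

# Matches the pam_sss result line once mail/syslog wrapping is undone.
LINE_RE = re.compile(
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\): "
    r"(?:received|Access denied) for user (?P<user>\S+): "
    r"(?P<code>\d+) \((?P<text>[^)]*)\)"
)

def triage(line):
    """Return service, PAM phase, user, code and a hint, or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m["code"])
    if code == 6:
        hint = "access denied: review access control (HBAC) rules"
    elif code == 7:
        hint = "authentication failure: not the access-denied code, check sssd logs"
    else:
        hint = "other failure: check sssd logs"
    return {"service": m["service"], "phase": m["phase"], "user": m["user"],
            "code": code, "name": PAM_CODES.get(code, "UNKNOWN"), "hint": hint}

# Constructed sample lines in the format quoted in the thread.
SAMPLES = [
    "Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): "
    "received for user user1@ad.example.com: 7 (Authentication failure)",
    "Sep 14 18:12:30 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:account): "
    "Access denied for user user1@ad.example.com: 6 (Permission denied)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        r = triage(line)
        print(f"{r['user']} {r['service']}:{r['phase']} -> {r['name']} ({r['hint']})")
```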