I'm trying to set up an HBAC rule for allowing users from a trust to access Linux servers in a FreeIPA domain. My setup:

1. rhelent.lan - FreeIPA 4.5.0-22
2. ent2k12.domain.com - AD on Windows 2012r2
3. box1 - CentOS 7, member of rhelent.lan
4. External group ad_ext_users
5. POSIX group called hbac_access
6. HBAC group that has the POSIX group hbac_access as a member
7. IPA user dvader is a member of the hbac_access POSIX group
8. mmos...@ent2k12.domain.com is a member of the ad_ext_users external group

When I log in as dvader, everything works great. When I log in as mmos...@ent2k12.domain.com the connection is closed. This is in /var/log/secure:

    May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.2 user=mmos...@ent2k12.domain.com
    May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:account): Access denied for user mmos...@ent2k12.domain.com: 6 (Permission denied)
    May 19 13:43:11 box1 sshd[1395]: error: PAM: User account has expired for mmos...@ent2k12.domain.com from 10.8.0.2
    May 19 13:43:12 box1 sshd[1395]: fatal: monitor_read: unpermitted request 104

So authentication is working, authorization is failing. Am I missing something?

Thanks
Marc

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/NJV4OM4DAMWEB6OVYHJUGS5ZVCKIX35P/
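The distinction the post draws, that pam_sss reported success in the auth phase and denial in the account phase, is exactly what an operator wants to pull out of /var/log/secure when triaging a trust user who cannot log in. The following is an added example, not code from the post or from the FreeIPA/SSSD projects: it parses pam_sss lines per sshd PID and labels each login attempt as an authentication failure, an authorization (account-phase) denial, or a clean login. The sample log lines are constructed after the ones quoted above; the AD user name aduser@ent2k12.domain.com is a placeholder, not the poster's account.

```python
"""Classify pam_sss events from /var/log/secure so that an account-phase
denial (HBAC or another access-control check) is not mistaken for a
password failure. Added example; sample input is constructed."""
import re
from collections import defaultdict

# Constructed sample lines modelled on the post. The account-phase denial
# for the AD user (PID 1398) is the pattern the post describes; the last
# two lines are an extra IPA-user login and a deliberate auth failure.
SAMPLE_LOG = """\
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.2 user=aduser@ent2k12.domain.com
May 19 13:43:11 box1 sshd[1398]: pam_sss(sshd:account): Access denied for user aduser@ent2k12.domain.com: 6 (Permission denied)
May 19 13:43:11 box1 sshd[1395]: error: PAM: User account has expired for aduser@ent2k12.domain.com from 10.8.0.2
May 19 13:50:02 box1 sshd[1501]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.2 user=dvader
May 19 13:52:40 box1 sshd[1602]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.8.0.9 user=dvader
"""

# Only pam_sss lines carry the phase; the "error: PAM: ..." line from sshd
# itself is skipped because it restates the account-phase result.
PAM_SSS = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_sss\(sshd:(?P<phase>auth|account)\): (?P<msg>.*)$"
)
# Matches "user=NAME" (auth phase) and "user NAME:" (account phase); the
# empty "ruser=" field in the auth line is skipped because it has no value.
USER = re.compile(r"user[= ](?P<user>[^\s:]+)")


def parse_pam_sss(text):
    """Yield (pid, phase, outcome, user) for every pam_sss line in text."""
    for line in text.splitlines():
        m = PAM_SSS.match(line)
        if not m:
            continue
        msg = m.group("msg")
        u = USER.search(msg)
        user = u.group("user") if u else None
        if m.group("phase") == "auth":
            outcome = "success" if "authentication success" in msg else "failure"
        else:
            outcome = "denied" if "Access denied" in msg else "granted"
        yield m.group("pid"), m.group("phase"), outcome, user


def classify_sessions(text):
    """Return {pid: (user, verdict)} where verdict names the failing phase.

    authorization_denied is the case from the post: the password (or ticket)
    was accepted, so the problem is an access-control rule, not credentials.
    """
    by_pid = defaultdict(dict)
    for pid, phase, outcome, user in parse_pam_sss(text):
        by_pid[pid][phase] = outcome
        by_pid[pid]["user"] = user
    result = {}
    for pid, ev in by_pid.items():
        if ev.get("auth") == "failure":
            verdict = "authentication_failed"
        elif ev.get("auth") == "success" and ev.get("account") == "denied":
            verdict = "authorization_denied"
        elif ev.get("auth") == "success":
            verdict = "login_ok"
        else:
            verdict = "unknown"
        result[pid] = (ev["user"], verdict)
    return result


if __name__ == "__main__":
    for pid, (user, verdict) in sorted(classify_sessions(SAMPLE_LOG).items()):
        print(f"sshd[{pid}] {user}: {verdict}")
```

Run against a real /var/log/secure the same classifier separates users who typed a wrong password from users whose credentials were accepted but who were then refused in the account phase; the second group is where HBAC rules and group membership (including an AD user's path through an external group into a POSIX group) need to be checked, not the password.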