Hi Stephen,

I nailed the problem now a little bit down. I think it's HBAC with its empty 
rules in the standard configuration. For me it was hard to recognize that it 
prevents every user added with "ipa user-add" from logging in to the server or 
joined machines (via ssh or console). When I do a "ipa-client-install 
--on-master --permit" everything works fine. Without the "--permit" I always get an 
access denied via pam-configuration.

Is there any documentation ready for reading/review for HBAC with freeipa? 
At least it would be nice to have some short documentation of what is necessary. Could you 
lead me a little bit?

And thanks for your explanation about the sssd and sssd12 branch/repo at 
jdennis. It makes the difference very clear to me and I now use the sssd12 for 
testing (just to calm down a little bit ;-)). Maybe a little readme.txt with 
your explanation would be quite nice on the server, so other people don't have 
to ask again.

Best regards,

On Wednesday, 21 April 2010 22:41:53, Stephen Gallagher wrote:
> On 04/21/2010 02:53 PM, Oliver Burtchen wrote:
> > Hi Stephen,
> >
> > thanks for the answer. Yes, I used the ipa-client-install tool. But I had 
> > patched in this fix
> >
> > https://www.redhat.com/archives/freeipa-devel/2010-April/msg00004.html
> >
> > from Rob to get 'join' working again. Well, living at the bleeding edge.  
> >
> > I'll see if I can nail the problem down.
> You may find the debug logs in /var/log/sssd/. At their default settings 
> (level 0) these logs will display only critical errors. But if you need 
> more information, you can turn up the debug_level in the 
> /etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs will 
> fill up fairly quickly.
>
> > Btw., what's the difference between
> > the sssd and sssd12 repos at jdennis? What is the most recent one, what's 
> > to use with the ipa-devel repo?
> >
> We split the development of 1.2 off into its own branch. Builds from 
> that branch are put into the sssd12 repo. We're aiming to release 1.2.0 
> at the beginning of May. So that's the branch targeted towards our next 
> public release. We did this so we could put the finishing touches on 
> SSSD 1.2 while those of us who have completed their 1.2 tasks can move 
> ahead.
> The sssd repo contains our more experimental changes (for example, the 
> internal cache interface was completely rewritten). These are the 
> changes that will be forthcoming in sssd 1.3 sometime this summer.
> So your choices are:
> sssd12: Stabilizing towards release
> sssd: Hang on for dear life(*)
> (*) I usually run on this branch - eating my own dogfood, as it were - 
> though we make no guarantees that it won't break.
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Oliver Burtchen, Berlin