Hi Stephen, I nailed the problem now a little bit down. I think it's HBAC with it's empty rules in the standard configuration. For me it was hard to recognize that it prevents every user added with "ipa user-add" from logging in the server or joined machines (via ssh or console). When I do a "ipa-client-install --on- master --permit" everthing works fine. Without the "--permit" I always get a access denied via pam-configuration.
Are there any documentations ready for reading/review for HBAC with freeipa? At least it would be nice to have some short docu what is necessary. Could you lead me a little bit? And thanks for your explanation about the sssd and sssd12 branch/repo at jdennis. It makes the difference very clear to me and I now use the sssd12 for testing (just to calm down a little bit ;-) . Maybe a little readme.txt with your explanation would be quite nice on the server, so other people don't have to ask again. Best regards, Oli Am Mittwoch, 21. April 2010 22:41:53 schrieb Stephen Gallagher: > On 04/21/2010 02:53 PM, Oliver Burtchen wrote: > > Hi Stephen, > > > > thanks for the answer. Yes, I used the ipa-client-install tool. But I had first > > patched in this fix > > > > https://www.redhat.com/archives/freeipa-devel/2010-April/msg00004.html > > > > from Rob to get 'join' working again. Well, living at the bleeding edge. ;-) > > > > I'll see if I can nail the problem down. > > You may find the debug logs in /var/log/sssd/. At their default settings > (level 0) these logs will display only critical errors. But if you need > more information, you can turn up the debug_level in the > /etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs will > fill up fairly quickly. > > Btw., what's the difference between > > the sssd and sssd12 repos at jdennis? What is the most recent one, whats best > > to use with the ipa-devel repo? > > > > We split the development of 1.2 off into it's own branch. Builds from > that branch are put into the sssd12 repo. We're aiming to release 1.2.0 > at the beginning of May. So that's the branch targeted towards our next > public release. We did this so we could put the finishing touches on > SSSD 1.2 while those of us who have completed their 1.2 tasks can move > ahead. > > The sssd repo contains our more experimental changes (for example, the > internal cache interface was completely rewritten). These are the > changes that will be forthcoming in sssd 1.3 sometime this summer. > > So your choices are: > sssd12: Stabilizing towards release > sssd: Hang on for dear life(*) > > > > (*) I usually run on this branch - eating my own dogfood, as it were - > though we make no guarantees that it won't break. > > _______________________________________________ > Freeipa-users mailing list > Freeipaemail@example.com > https://www.redhat.com/mailman/listinfo/freeipa-users > -- Oliver Burtchen, Berlin _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users