On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote: > Yes that look about right, not able to confirm 100%, but that is > probably the issue.
We're looking into it. However, I should point out that using srchost is a very unreliable means of restricting access. There are numerous problems with it, most notably because we have to rely on what PAM sends us in the srchost field, which is not defined in the spec, so different applications such as 'login' and 'sshd' sometimes put different values in those fields. In SSSD upstream, we're defaulting to ignoring srchost rules because they're 1) unreliable and 2) cause significant performance impact on networks with lots of host entries. Our general recommendation is that if you want to restrict access from specific hosts, it's usually a better idea to do this at the firewall level, rather than the HBAC level.
Description: This is a digitally signed message part
_______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users