> The issue is if the UIDS are < 1000 they are treated as local in sssd.
Ahh, of course, thanks. I never assigned any UIDs < 1000 (or less than
10000 for that matter).
> It could be that sssd cached something and wouldn't let it go, too. If
> you can reproduce this it is probably worthwhile to bump up the log level
> and add pam debug logging to see what is happening.
That is a great idea and it makes sense given what I was seeing. I will
give it a try. I just wasn't sure which service I should be analyzing.
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, July 23, 2012 3:23 PM
To: Joe Linoff
Cc: steven.jo...@vuw.ac.nz; firstname.lastname@example.org
Subject: Re: [Freeipa-users] User can't login via ssh from external
Joe Linoff wrote:
> Hi Steve:
> Thank you for your suggestions.
> > In the gui you can do a hbac test of the rule.
> I ran the hbactest rule testing from the command line using "ipa
> hbactest ...". It showed that the rules were correct. Do you think
> the GUI might provide a different result?
No, the GUI and CLI share exactly the same backend code.
> > Also what are the UIDS? IPA provided 32bit ones? or your own?
> The UID's were provided by IPA. Actually during testing I also
> provided my own at one point but reverted back when that didn't seem
> to make a difference.
> Can you explain why that might cause the problem? For example, would
> duplicates break the system or are there ranges of UIDs that are not
The issue is if the UIDS are < 1000 they are treated as local in sssd.
> > I'd suggest re-setting that user's password and get them to login
> > and reset the password, that works for me, it was a sign of bad/failed
> > replication in my system I think (now fixed).
> I tried that using kpasswd and "ipa passwd" to change the password but
> neither solved the problem. In both cases I was able to run "kinit
> new-user" and set the credentials using the new password but new-user
> could not ssh in.
> It was a really strange problem. It looks like something got out of
> sync but I could not (and cannot) figure out where. It is doubly
> difficult because removing and re-adding the user worked. In addition,
> adding other users worked.
It could be that sssd cached something and wouldn't let it go, too. If
you can reproduce this it is probably worthwhile to bump up the log level
and add pam debug logging to see what is happening.
Freeipa-users mailing list
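The two checks Rob suggests (are any UIDs in the range sssd treats as local, and is debug logging turned on for the PAM responder and the IPA domain) can be scripted against a copy of sssd.conf. The following is an added example, not code from the thread or from the SSSD/FreeIPA projects; the sssd.conf content, the domain name and the user/UID pairs are constructed placeholders, and the threshold of 1000 is taken from Rob's statement above. `debug_level` is a real sssd.conf option; the value 6 used here is an assumption, not a project recommendation.

```python
"""Audit an sssd.conf for the two points raised in the thread:
UIDs in the local range and sections lacking debug_level."""
import configparser
import io

# Per the thread: sssd treats UIDs below this value as local accounts.
LOCAL_UID_THRESHOLD = 1000

# Constructed sample sssd.conf; "example.test" is a placeholder domain.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[nss]

[pam]

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
"""

# Constructed sample of (user, uid) pairs, as one might gather from `ipa user-find`.
SAMPLE_USERS = [
    ("alice", 1230400001),
    ("bob", 1230400002),
    ("svc-backup", 999),  # below the threshold: sssd would treat it as local
]


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is disabled so '%' in values is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def local_range_users(users, threshold=LOCAL_UID_THRESHOLD):
    """Return the names whose UID falls in the range sssd considers local."""
    return [name for name, uid in users if uid < threshold]


def sections_to_debug(cp):
    """The [pam] responder section plus every [domain/...] section."""
    return ["pam"] + [s for s in cp.sections() if s.startswith("domain/")]


def missing_debug_level(cp):
    """Sections where debug_level is unset (sssd then logs very little)."""
    return [s for s in sections_to_debug(cp) if not cp.has_option(s, "debug_level")]


def with_debug_level(cp, level=6):
    """Return new config text with debug_level set in the PAM and domain sections.

    Level 6 is an assumed choice for troubleshooting; sssd accepts 0-9."""
    for s in sections_to_debug(cp):
        if not cp.has_section(s):
            cp.add_section(s)
        cp.set(s, "debug_level", str(level))
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    print("UIDs in local range:", local_range_users(SAMPLE_USERS))
    print("sections without debug_level:", missing_debug_level(conf))
    print(with_debug_level(conf))
```

After raising the level and restarting sssd, the PAM responder writes to sssd_pam.log and the domain to sssd_<domain>.log under the sssd log directory; if a stale cache entry is suspected, `sss_cache -E` invalidates all cached entries so the next lookup goes back to the IPA server.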