On Tue, Feb 04, 2014 at 04:11:12AM +0000, Les Stott wrote:
>
> If I access the host "host1" and remove allow_all from its defined HBAC rules
> in the web ui, jane can still access host1 via ssh (actually tested login).

I can see you've found the solution already but I'd like to go back to this part. You say that you have removed allow_all from its defined HBAC rules in the WebUI. However, when I try this on my FreeIPA server, I don't see allow_all listed for any of my hosts (neither in the Direct nor Indirect Membership listing).

Is it possible that you've added that host to allow_all on top of its "Any Host" (aka Host category: all) manually and then removed it?

--
Jan Pazdziora | adelton at #ipa*, #brno
Principal Software Engineer, Identity Management Engineering, Red Hat

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users