Todd Maugh wrote:
HBAC rules are set to allow_all enabled

Ok. I'd start with increasing the sssd log level and see what it says.

I gather that basic nss works since you can kinit as other users.

You may want to check for SELinux AVCs as well.

rob


-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, March 31, 2014 3:44 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

Todd Maugh wrote:
Hi,

I have a rhel5 client. I had problems with my IPA environment and had
to rebuild.

I'm on the latest version of IPA with a Red Hat 6 server.

I successfully enrolled the client to the new server (same domain,
same realm). I had removed all old certs, sysrestores, and ipa/default.conf.

I can ssh to the box as root, and then either su or kinit to any IPA
user without issue.

But when I try to ssh as the ipauser to the box it gives me "permission
denied, please try again".

I cleared out the sssd cache and restarted sssd.

Is there something I'm missing or a log to check?

I need to work this out before I move forward enrolling other
previously enrolled clients.

Check your HBAC rules.

rob

