On Tue, 10 Mar 2015, Guertin, David S. wrote:
>> You should be able to 'see' them via getent passwd but they should not be
>> allowed to login when HBAC_ALLOW_ALL is disabled.

> Ah, OK, thanks, that's what is happening. I can see them with getent
> passwd and id, and I can su to them, but I can't log in as them.
Seeing identity is as designed. 'su' from root ignores any HBAC
rules because your PAM stack for 'su' includes a rule that allows
exactly that (root can impersonate anyone).

> On the other hand, I also can't log in as a user that SHOULD have
> permission (as a member of the appropriate AD group), but I'm still
> troubleshooting that one.
For troubleshooting this you need to enable debug_level=10 in sssd.conf
in the domain and pam sections. Restart sssd and try to log in.

--
/ Alexander Bokovoy

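The debug step above, as an added example that is not part of the original thread: a small POSIX shell helper that sets debug_level = 10 in the [pam] section and in every [domain/...] section of an sssd.conf, replacing any debug_level already present there and leaving other sections alone. The sample config it runs on is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): raise SSSD debug level in the
# sections that matter for login troubleshooting, i.e. [pam] and every
# [domain/...] section. Other sections ([sssd], [nss], ...) are untouched.
# Usage: enable_sssd_debug /etc/sssd/sssd.conf > /tmp/sssd.conf.new
set -eu

enable_sssd_debug() {
    awk '
        /^[[:space:]]*\[/ {
            # Section header: only [pam] and [domain/...] get the new value.
            target = ($0 ~ /^[[:space:]]*\[pam\]/ || $0 ~ /^[[:space:]]*\[domain\//)
            print
            if (target) print "debug_level = 10"
            next
        }
        # Drop a pre-existing debug_level inside a target section so the
        # value emitted under the header is the only one SSSD reads.
        target && /^[[:space:]]*debug_level[[:space:]]*=/ { next }
        { print }
    ' "$1"
}

# Constructed sample sssd.conf (domain name and providers are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[nss]
debug_level = 3

[pam]

[domain/example.test]
debug_level = 2
id_provider = ipa
EOF

enable_sssd_debug "$sample"
rm -f "$sample"
```

After replacing /etc/sssd/sssd.conf with the output and restarting sssd, the login attempt is traced in /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_<domain>.log (the default log location on Fedora/RHEL).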