On Tue, 10 Mar 2015, Guertin, David S. wrote:
>> You should be able to 'see' them via getent passwd but they should not be
>> allowed to login when HBAC_ALLOW_ALL is disabled.
> Ah, OK, thanks, that's what is happening. I can see them with getent
> passwd and id, and I can su to them, but I can't log in as them.
Seeing identity is as designed. 'su' from root ignores all HBAC rules
because your PAM stack for 'su' includes a rule that allows exactly that
(root can impersonate anyone).
> On the other hand, I also can't log in as a user that SHOULD have
> permission (as a member of the appropriate AD group), but I'm still
> troubleshooting that one.
For troubleshooting this you need to enable debug_level=10 in sssd.conf,
in the domain and pam sections. Restart sssd and try to log in.
/ Alexander Bokovoy
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
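The two points Alexander makes above, worked through as an added shell example. This is not code from the thread or from FreeIPA/SSSD: it checks a PAM service file for the root bypass that lets "su" skip HBAC, and it raises debug_level in the [domain/...] and [pam] sections of an sssd.conf. The paths, the section name "domain/example.test" and the sample file contents are constructed for the demo; on a real host the files are /etc/pam.d/su and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original mail or from
# FreeIPA/SSSD. All paths, the section name "domain/example.test" and the
# sample file contents are constructed for the demo.

# HBAC is enforced by pam_sss in the PAM *account* phase. The stock
# /etc/pam.d/su on Fedora/RHEL short-circuits that phase for uid 0 with
#   account  sufficient  pam_succeed_if.so uid = 0 use_uid quiet
# (and the auth phase with pam_rootok.so), so root's "su" never asks SSSD
# whether the target user is allowed on this host. Print "yes" if the given
# PAM service file carries that account-phase bypass, "no" otherwise.
su_root_skips_hbac() {
    pamfile="$1"
    if grep -Ev '^[[:space:]]*#' "$pamfile" \
       | grep -Eq '^[[:space:]]*account[[:space:]]+sufficient[[:space:]]+pam_succeed_if\.so[[:space:]]+uid[[:space:]]*=[[:space:]]*0'; then
        echo yes
    else
        echo no
    fi
}

# Set debug_level=LEVEL in one [SECTION] of an sssd.conf-style INI file,
# in place: an existing debug_level line in that section is replaced, and a
# missing section (a default sssd.conf often has no [pam] block) is appended.
sssd_set_debug() {
    conf="$1"; section="$2"; level="$3"
    tmp="$conf.tmp.$$"
    awk -v sec="[$section]" -v lvl="$level" '
        /^[[:space:]]*\[/ {                       # a section header
            hdr = $0; gsub(/[[:space:]]/, "", hdr)
            in_sec = (hdr == sec)
            print
            if (in_sec) { seen = 1; print "debug_level = " lvl }
            next
        }
        in_sec && /^[[:space:]]*debug_level[[:space:]]*=/ { next }   # drop the old value
        { print }
        END {
            if (!seen) { print ""; print sec; print "debug_level = " lvl }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the debug_level set in one [SECTION] (nothing if it is unset).
sssd_get_debug() {
    conf="$1"; section="$2"
    awk -v sec="[$section]" '
        /^[[:space:]]*\[/ { hdr = $0; gsub(/[[:space:]]/, "", hdr); in_sec = (hdr == sec); next }
        in_sec && /^[[:space:]]*debug_level[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$conf"
}

# Stand-alone demo on constructed files; nothing under /etc is touched.
demo=$(mktemp -d)
printf 'auth\t\tsufficient\tpam_rootok.so\nauth\t\tsubstack\tsystem-auth\naccount\t\tsufficient\tpam_succeed_if.so uid = 0 use_uid quiet\naccount\t\tinclude\t\tsystem-auth\n' > "$demo/su"
echo "root's su bypasses HBAC: $(su_root_skips_hbac "$demo/su")"
printf '[sssd]\nservices = nss, pam\n\n[nss]\n\n[domain/example.test]\nid_provider = ipa\ndebug_level = 2\n' > "$demo/sssd.conf"
sssd_set_debug "$demo/sssd.conf" domain/example.test 10   # replaces the existing value
sssd_set_debug "$demo/sssd.conf" pam 10                   # [pam] was missing: created
cat "$demo/sssd.conf"
rm -rf "$demo"
```

On the real host, run sssd_set_debug against /etc/sssd/sssd.conf for the [pam] section and for your [domain/...] section, restart sssd (systemctl restart sssd), retry the failing login, then read /var/log/sssd/sssd_pam.log and /var/log/sssd/sssd_<domain>.log; the HBAC evaluation itself is done by the IPA backend, which is why the domain section needs the higher level too. On the IPA server, ipa hbactest --user <user> --host <client fqdn> --service sshd evaluates the rules without touching the client at all and is the quickest way to tell a rule problem from a client-side one. Remember to lower debug_level again afterwards; level 10 logs are large and contain user and host names.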