> In a standard FreeIPA setup we have the 'allow_all' HBAC rule, which roughly
> states "anyone can access any service on any host". Did you disable this
> rule?
>
> If yes, then you have to have explicit rules allowing access to specific
> services.

Thanks! Yes, that was it exactly. I did disable the "allow all" rule on installation, but hadn't set up a specific rule allowing the appropriate group SSH access. I've added the rule, and everything is working as it should now. I'm a very happy sysadmin at the moment. :-)

David Guertin
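
An added example, not part of the original thread: one way to create the kind of explicit HBAC rule discussed above (a group allowed to use sshd on a set of hosts) once 'allow_all' is disabled, followed by an `ipa hbactest` check. The rule, group, host group, user and host names are placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: all rule/group/host/user names below are placeholders.
# By default the commands are only printed; set DRY_RUN=0 (with a valid
# admin Kerberos ticket) to run them against the IPA server.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# create_ssh_hbac_rule RULE GROUP HOSTGROUP
# Builds a rule that lets members of GROUP use sshd on hosts in HOSTGROUP.
create_ssh_hbac_rule() {
    rule=$1 group=$2 hostgroup=$3
    run ipa hbacrule-add "$rule" --desc="SSH access for $group"
    run ipa hbacrule-add-user "$rule" --groups="$group"
    run ipa hbacrule-add-host "$rule" --hostgroups="$hostgroup"
    run ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# verify_ssh_access USER HOST
# Asks the server to evaluate HBAC rules for USER using sshd on HOST,
# so a missing rule shows up here rather than as a failed login.
verify_ssh_access() {
    run ipa hbactest --user="$1" --host="$2" --service=sshd
}

create_ssh_hbac_rule allow_ssh_sysadmins sysadmins servers
verify_ssh_access alice host1.example.com
```
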