On Wed, Feb 03, 2016 at 11:10:50PM +0000, Simpson Lachlan wrote:
> When my users log into the IPA server, the id user over rides work.
> But they don't when we log into a client host?
> What are we doing wrong?
> The overrides are in the "Default Trust View" so should be applied to all
> We are trying to find *why* and *where* this is failing, but without much
> >From what I've read, this should be controlled by the sssd service on the
> >host, but if we run sssd -I to watch what happens during a failed login or a
> >login that doesn't successfully get the id user over ride applied, we don't
> >see any errors or log entries that would indicate why.
> We see this:
> [root@vmts-linux1 ~]# /usr/sbin/sssd -i
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): unsupported
> PAM command .
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): password not
> available, offline auth may not work.
This is unrelated.
> But there isn't anything in any logs that would indicate there's a
> communication happening between the host and the server that we can see.
> We have tried sss_cache -E on the host to clear cache, but we still aren't
> getting the over rides.
If you changed the client override to a non-default one, then you would
have to restart the client.
Can you enable sssd debugging as per:
and either send it to the list or if there are confidential information,
send it to me directly? (Just note we're attending a conference now, so
answers might lag..)
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project