On Wed, Feb 03, 2016 at 11:10:50PM +0000, Simpson Lachlan wrote:
> When my users log into the IPA server, the id user over rides work.
> But they don't when we log into a client host?
> What are we doing wrong?
> The overrides are in the "Default Trust View" so should be applied to all 
> hosts.
> We are trying to find *why* and *where* this is failing, but without much 
> success.
> >From what I've read, this should be controlled by the sssd service on the 
> >host, but if we run sssd -I to watch what happens during a failed login or a 
> >login that doesn't successfully get the id user over ride applied, we don't 
> >see any errors or log entries that would indicate why.
> We see this:
> [root@vmts-linux1 ~]# /usr/sbin/sssd -i
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): unsupported 
> PAM command [249].
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): password not 
> available, offline auth may not work.

This is unrelated.

> But there isn't anything in any logs that would indicate there's a 
> communication happening between the host and the server that we can see.
> We have tried sss_cache -E on the host to clear cache, but we still aren't 
> getting the over rides.

If you changed the client override to a non-default one, then you would
have to restart the client.

Can you enable sssd debugging as per:
and either send it to the list or if there are confidential information,
send it to me directly? (Just note we're attending a conference now, so
answers might lag..)

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to