On Mon, Feb 15, 2016 at 10:24:23AM +0530, Rakesh Rajasekharan wrote:
> hbac seems to be fine
>
> ipa hbactest --user=q-temp --host=x.x.x.x --service=sshd
> --------------------
> Access granted: True
> --------------------
>   Matched rules: allow_all
>
> I see this in the sssd.log
>
> (Mon Feb 15 04:49:18 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/xyz.com/q-temp]
> (Mon Feb 15 04:49:18 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [q-t...@xyz.com]
> (Mon Feb 15 04:49:18 2016) [sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
> (Mon Feb 15 04:49:18 2016) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [q-t...@xyz.com]
> (Mon Feb 15 04:49:18 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> (Mon Feb 15 04:49:18 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0x23d2f80][20]
> (Mon Feb 15 04:49:27 2016) [sssd[nss]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

What does /var/log/secure say? Also, you pasted the NSS log; the domain log would be more useful here.