On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote:
> On 19 July 2016 at 16:40, Jakub Hrozek <jhro...@redhat.com> wrote:
>
> > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote:
> > > I think the thing that frustrates the most is that id u...@domain.com is
> > > returning correct data on both but they can't login....and I can't even
> > > show that this is the case because now they can login. Difficult to
> > > reproduce :/
> >
> > Debugging from HBAC should at least tell you why the rules didn't
> > match...
> >
>
> Sorry, I should have been clear - the issue is exactly the same. HBAC
> rejected the user because they weren't in the correct groups, but sssd
> hadn't got the correct number of groups from the AD server, and had missed
> the group in question.

Do you have the logs from the server and the client? If yes, feel free to send them in private mail if they are confidential, I'll try to find something in them. Specifying which groups are missing would help as well.