On Thu, Sep 29, 2016 at 07:51:14PM -0600, Orion Poplawski wrote:
> server:
> ipa-server-4.2.0-15.sl7_2.19.x86_64
> sssd-1.13.0-40.el7_2.12.x86_64
>
> client:
> sssd-1.14.1-3.el7.centos.x86_64
>
> AD trust - users are in AD. HBAC rule in place for client to allow a user
> to login/ssh/su/etc.
>
> This seems to have happened a couple times now, and again today after
> rebooting the IPA server. sssd was denying the user to ssh into the client
> by pam rules. Logged on to the IPA server and disabled and then re-enabled
> the HBAC rule for the client and then was able to log back in again. Has
> anyone else seen this before?
>
> client sssd_pam just went from:
>
> (Thu Sep 29 19:30:40 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result : Permission denied.
>
> to
>
> (Thu Sep 29 19:37:04 2016) [sssd[pam]] [pam_reply] (0x0200): pam_reply
> called with result : Success.
>
> so I assume I'll need to collect debug logs from sssd on the server next
> time.

Yes, please try to collect logs from a machine that exhibits the bug. I suspect this is not related to HBAC per se, but rather to external group memberships, so it would also be nice to check if the groups are resolved on the faulty machine. And if they wouldn't be, please also check if they are resolved on the server itself (and collect logs there).