On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote:
> Sorry for the delay, was doing some troubleshooting.
>
> Here is what I know now:
>
> The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu
> 14.04).
>
> SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6.8) both work.
>
> Users in the admin group can't log into these hosts.
>
> I created a newadmins group and assigned a new user to it. When I add the
> "User Administrator" role the new user can't log into the hosts with older
> sssd.
>
> As soon as I delete the "User Administrator" role, new user has access
> again.

So is it a role membership or a group membership that makes the difference?

>
> I've pasted the last bit of logs from a sssd_domain log below. I'd be happy
> to forward the entire log, or additional logs if they will be helpful.

The log only captures a user lookup, not a login, sorry.. (This might be expected if you log in e.g. with an SSH key, in which case journald should be the first thing to look at, at least to pinpoint which piece denied access..)