In FreeIPA installations that already have some users and hosts in them, the setup might be using host based access control (HBAC) without admins realizing it because by default there is a catchall allow_all rule there. When you then want to start tweaking the setup, the allow_all rule needs to be disabled or it would still allow all accesses. That might break existing users.
Check http://www.freeipa.org/page/Howto/HBAC_and_allow_all about possible solution to that problem. -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users