> For troubleshooting this you need to enable debug_level=10 in sssd.conf in
> domain and pam sections. Restart sssd and try to login.
OK, this has pinpointed the problem. The log file now shows:
(Wed Mar 11 11:31:01 2015) [sssd[be[middlebury.edu]]] [sdap_save_user]
(0x1000): Mapping user [guert
On Tue, 10 Mar 2015, Guertin, David S. wrote:
You should be able to 'see' them via getent passwd but they should not be
allowed to login when HBAC_ALLOW_ALL is disabled.
Ah, OK, thanks, that's what is happening. I can see them with getent
passwd and id, and I can su to them, but I can't log in
> You should be able to 'see' them via getent passwd but they should not be
> allowed to login when HBAC_ALLOW_ALL is disabled.
Ah, OK, thanks, that's what is happening. I can see them with getent passwd and
id, and I can su to them, but I can't log in as them.
On the other hand, I also can't lo
On Tue, Mar 10, 2015 at 11:14:21AM +, Guertin, David S. wrote:
> > > Seems the initial/default setup for IPA server is to put in an 'allow_all'
> > rule. Thus you can actively manage HBAC but out of the box, it is
> > essentially
> > turned off by that rule.
> >
> > Yes. The default was the o
On Tue, 10 Mar 2015, Guertin, David S. wrote:
> Seems the initial/default setup for IPA server is to put in an 'allow_all'
rule. Thus you can actively manage HBAC but out of the box, it is essentially
turned off by that rule.
Yes. The default was the opposite a very long time ago, you had to expli
On 10.3.2015 12:14, Guertin, David S. wrote:
>>> Seems the initial/default setup for IPA server is to put in an 'allow_all'
>> rule. Thus you can actively manage HBAC but out of the box, it is essentially
>> turned off by that rule.
>>
>> Yes. The default was the opposite a very long time ago, you ha
> > Seems the initial/default setup for IPA server is to put in an 'allow_all'
> rule. Thus you can actively manage HBAC but out of the box, it is essentially
> turned off by that rule.
>
> Yes. The default was the opposite a very long time ago, you had to explicitly
> enable access to the box. But
>>I have already:
>>- created an IPA group called ad_users.
>>- created an IPA group called ad_users_external.
> Did you create this group with --external?
Doh! Nope, somehow I missed that. I've done that and that part is working now.
But the other part of the question remains, i.e. I'm still se
On Fri, Mar 06, 2015 at 08:24:28PM +, Craig White wrote:
> Seems the initial/default setup for IPA server is to put in an 'allow_all'
> rule. Thus you can actively manage HBAC but out of the box, it is essentially
> turned off by that rule.
Yes. The default was the opposite a very long time ag
On 03/06/2015 03:24 PM, Craig White wrote:
*From:*freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Guertin, David S.
*Sent:* Friday, March 06, 2015 1:04 PM
*To:* freeipa-users@redhat.com
*Subject:* [Freeipa-users] Can't add AD user group to IPA group
I
From: freeipa-users-boun...@redhat.com
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Guertin, David S.
Sent: Friday, March 06, 2015 1:04 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Can't add AD user group to IPA group
I'm on my second attempt trying to set up an IPA server