On Wed, Feb 03, 2016 at 11:10:50PM +0000, Simpson Lachlan wrote:
> When my users log into the IPA server, the id user overrides work.
>
> But they don't when we log into a client host?
>
> What are we doing wrong?
>
> The overrides are in the "Default Trust View" so should be applied to all
> hosts.
>
> We are trying to find *why* and *where* this is failing, but without much
> success.
>
> From what I've read, this should be controlled by the sssd service on the
> host, but if we run sssd -I to watch what happens during a failed login or a
> login that doesn't successfully get the id user override applied, we don't
> see any errors or log entries that would indicate why.
>
> We see this:
>
> [root@vmts-linux1 ~]# /usr/sbin/sssd -i
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

This is unrelated.

>
> But there isn't anything in any logs that would indicate there's a
> communication happening between the host and the server that we can see.
>
> We have tried sss_cache -E on the host to clear cache, but we still aren't
> getting the overrides.

If you changed the client override to a non-default one, then you would have
to restart the client.

Can you enable sssd debugging as per:
https://fedorahosted.org/sssd/wiki/Troubleshooting
and either send it to the list or, if there is confidential information, send
it to me directly?

(Just note we're attending a conference now, so answers might lag..)