All,

sssctl user-check is very good. In particular, when you want to see if a
particular user is conferred access, you look for the:

pam_acct_mgmt: Success

or the:

pam_acct_mgmt: Permission denied

lines.

But often, users are members of multiple various groups.  It's often
difficult to track down which of the particular groups or user entries are
actually conferring the access to the user.

It would be nice to output on success, which user or group is conferring
the login access.

I'm not saying it needs to be exhaustive.  I.e., no need to parse every
group to see which groups.
But sssctl at that point in time has determined (based on some rule) that
login access is permitted.  Just output whatever that matching rule is.

If you wanted this additional output only in a verbose mode, that'd be
fine.

I suppose I could probably turn on debug level on sssd, restart it and grub
through all the sssd log files to find which user or group conferred
access.  But that'd be painful.  Usually I construct a list of all AD
groups this individual is a member of (often it's 15-20).  Then which of
these groups are UNIX-enabled in AD.  Then of those, which are permitted.

Spike
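
The manual triage described in the message (collect the user's groups, then find which of them are permitted) can be scripted when the domain uses `access_provider = simple`, which the message does not state. This is an added example, not part of the original post or of SSSD; the config, domain, user and group names are constructed, and case-insensitive name matching is an assumption.

```python
import configparser

# Constructed sample: an sssd.conf domain section using the simple access provider.
SAMPLE_CONF = """
[domain/example.test]
access_provider = simple
simple_allow_users = svc_backup
simple_allow_groups = unix-admins, App-Operators
simple_deny_groups = contractors
"""

def _names(section, key):
    # SSSD list options are comma separated; compare case-insensitively (assumption).
    return {n.strip().lower() for n in section.get(key, "").split(",") if n.strip()}

def matching_rules(conf_text, domain, user, groups):
    """Return (allow_matches, deny_matches) as lists of 'option: name' strings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    if sec.get("access_provider", "").strip() != "simple":
        raise ValueError("domain does not use access_provider = simple")
    mine = {g.lower() for g in groups}
    allow, deny = [], []
    for kind, out in (("allow", allow), ("deny", deny)):
        # A direct user entry is reported first, then every matching group.
        if user.lower() in _names(sec, f"simple_{kind}_users"):
            out.append(f"simple_{kind}_users: {user}")
        for g in sorted(mine & _names(sec, f"simple_{kind}_groups")):
            out.append(f"simple_{kind}_groups: {g}")
    return allow, deny

if __name__ == "__main__":
    # Constructed group list, e.g. the output of `id -Gn jdoe` split on whitespace.
    groups = "domain-users unix-admins app-operators printers".split()
    allow, deny = matching_rules(SAMPLE_CONF, "example.test", "jdoe", groups)
    print("allow matches:", allow or "none")
    print("deny matches:", deny or "none")
```

The script only reports which configured entries the user matches; the login decision itself is still the one shown by `sssctl user-check`.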
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org