[Freeipa-users] Can't add AD user group to IPA group

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 10 11:47:33 UTC 2015


On Tue, 10 Mar 2015, Guertin, David S. wrote:
>> You should be able to 'see' them via getent passwd but they should not be
>> allowed to login when HBAC_ALLOW_ALL is disabled.
>
>Ah, OK, thanks, that's what is happening. I can see them with getent
>passwd and id, and I can su to them, but I can't log in as them.
Seeing identity is as designed. 'su' from root ignores any of the HBAC
rules because your PAM stack for 'su' includes a rule that allows
exactly that (root can impersonate anyone).

>On the other hand, I also can't log in as a user that SHOULD have
>permission (as a member of the appropriate AD group), but I'm still
>troubleshooting that one.
For troubleshooting this you need to enable debug_level=10 in sssd.conf
in the domain and pam sections. Restart sssd and try to log in.

-- 
/ Alexander Bokovoy
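The debugging step above (raise debug_level in the [domain/...] and [pam] sections of sssd.conf), as an added example that is not part of the original thread. It works on a constructed sample config; the domain name ipa.example.test and the sample values are made up, and the helper names are my own.

```python
"""Turn on SSSD debug logging in the sections relevant to login troubleshooting.

Assumption (constructed example): sssd.conf is INI-style and is parsed with
configparser; the domain 'ipa.example.test' below is made up.
"""
import configparser
import io

# Constructed sample sssd.conf, not a real site configuration.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa.example.test
access_provider = ipa

[nss]
homedir_substring = /home

[pam]
pam_verbosity = 1
"""

def enable_sssd_debug(conf_text: str, level: int = 10) -> str:
    """Return conf_text with debug_level=<level> set in every [domain/...] section and in [pam]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written in the file
    parser.read_string(conf_text)
    targets = [s for s in parser.sections() if s.startswith("domain/") or s == "pam"]
    if "pam" not in parser.sections():
        parser.add_section("pam")  # [pam] may be absent entirely; create it so the level applies
        targets.append("pam")
    for section in targets:
        parser.set(section, "debug_level", str(level))
    out = io.StringIO()
    parser.write(out)
    # When writing the result back to /etc/sssd/sssd.conf keep it root-owned, mode 0600,
    # or sssd refuses to start; then restart sssd and reproduce the failed login.
    return out.getvalue()

def debug_levels(conf_text: str) -> dict:
    """Map each section to its debug_level (None if unset), to check what changed."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(conf_text)
    return {s: parser[s].get("debug_level") for s in parser.sections()}

if __name__ == "__main__":
    print(enable_sssd_debug(SAMPLE_SSSD_CONF))
```

After the restart, the domain log under /var/log/sssd/ carries the access-control (HBAC) evaluation for the failed login.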
