[Freeipa-users] Client Host isn't picking up the idduseroverrides

[Simpson Lachlan]

When my users log into the IPA server, the id user over rides work.

But they don't when we log into a client host?

What are we doing wrong?

The overrides are in the "Default Trust View" so should be applied to all hosts.

We are trying to find *why* and *where* this is failing, but without much success.

>From what I've read, this should be controlled by the sssd service on the host, but if we run sssd -I to watch what happens during a failed login or a login that doesn't successfully get the id user over ride applied, we don't see any errors or log entries that would indicate why.

We see this:

[root at vmts-linux1 ~]# /usr/sbin/sssd -i
[sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
[sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

But there isn't anything in any logs that would indicate there's a communication happening between the host and the server that we can see.

We have tried sss_cache -E on the host to clear cache, but we still aren't getting the over rides.

Cheers
L.
This email (including any attachments or links) may contain 
confidential and/or legally privileged information and is 
intended only to be read or used by the addressee.  If you 
are not the intended addressee, any use, distribution, 
disclosure or copying of this email is strictly 
prohibited.  
Confidentiality and legal privilege attached to this email 
(including any attachments) are not waived or lost by 
reason of its mistaken delivery to you.
If you have received this email in error, please delete it 
and notify us immediately by telephone or email.  Peter 
MacCallum Cancer Centre provides no guarantee that this 
transmission is free of virus or that it has not been 
intercepted or altered and will not be liable for any delay 
in its receipt.