[Freeipa-users] Client Host isn't picking up the idduseroverrides
Jakub Hrozek
jhrozek at redhat.com
Thu Feb 4 13:17:05 UTC 2016
On Wed, Feb 03, 2016 at 11:10:50PM +0000, Simpson Lachlan wrote:
> When my users log into the IPA server, the id user overrides work.
>
> But they don't when we log into a client host?
>
> What are we doing wrong?
>
> The overrides are in the "Default Trust View" so should be applied to all hosts.
>
> We are trying to find *why* and *where* this is failing, but without much success.
>
> From what I've read, this should be controlled by the sssd service on the host, but if we run sssd -I to watch what happens during a failed login or a login that doesn't successfully get the id user override applied, we don't see any errors or log entries that would indicate why.
>
> We see this:
>
> [root@vmts-linux1 ~]# /usr/sbin/sssd -i
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

This is unrelated.

>
> But there isn't anything in any logs that would indicate there's a communication happening between the host and the server that we can see.
>
> We have tried sss_cache -E on the host to clear cache, but we still aren't getting the overrides.

If you changed the client override to a non-default one, then you would
have to restart the client.

Can you enable sssd debugging as per:
https://fedorahosted.org/sssd/wiki/Troubleshooting
and either send it to the list or, if there is confidential information,
send it to me directly? (Just note we're attending a conference now, so
answers might lag.)