[Freeipa-users] HBAC and AD users

Jakub Hrozek jhrozek at redhat.com
Wed Jul 20 07:14:17 UTC 2016


On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote:
> On 19 July 2016 at 16:40, Jakub Hrozek <jhrozek at redhat.com> wrote:
> 
> > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote:
> > > I think the thing that frustrates the most is that id user@domain.com is
> > > returning correct data on both but they can't login....and I can't even
> > > show that this is the case because now they can login. Difficult to
> > > reproduce :/
> >
> > Debugging from HBAC should at least tell you why the rules didn't
> > match...
> >
> 
> 
> Sorry, I should have been clear - the issue is exactly the same. HBAC
> rejected the user because they weren't in the correct groups, but sssd
> hadn't got the correct number of groups from the AD server, and had missed
> the group in question.

Do you have the logs from the server and the client? If yes, feel free
to send them in private mail if they are confidential; I'll try to
find something in them.

Specifying which groups are missing would help as well.



