I have a fresh IPA server setup with a trust to an Active Directory. All IPA services are working fine, and IPA users can connect to IPA client hosts without problems.
I have now added an AD user by creating an ID override in the default trust view and added an ssh key for the user. I made the user a member of an IPA group which has access to the IPA client host (verified via an IPA user who is a member of this group). I did this by --idoverrideusers= as --external= seems to be gone.

The AD user can't connect: not only is the ssh key not working, the password does not work either. Running the HBAC test in the web UI gives an ACCESS DENIED for the AD user and an ACCESS GRANTED for the IPA user. I can also see that a sssctl user-checks gives me a pam_acct_mgmt: Permission denied, while for the IPA user it brings up pam_acct_mgmt: Success.

The command id [email protected] lists the AD groups, but I can't see the IPA group there.

Any hints will be greatly appreciated, thank you.

Best regards,
Thomas
_______________________________________________
FreeIPA-users mailing list -- [email protected]
