On to, 14 syys 2017, Louis Abel via FreeIPA-users wrote:
Jakub, you might be onto something.
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth):
authentication failure; logname= uid=389 euid=389 tty= ruser= rhost=
user=louis.a...@ad.example.com
Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth):
received for user louis.a...@ad.example.com: 7 (Authentication failure)
Would this mean that I need an HBAC policy allowing specific/all users
system-auth against the IPA servers? Or what would you suggest? It does
seem a little overkill if I did that. Unless there's a better way.
If you are authenticating AD users over the compat tree, you need to
create an HBAC rule that allows all users to access system-auth HBAC
service on the IPA master.
None of existing services (ssh, login, etc) use system-auth directly.
Its the only direct user is the Schema Compatibility plugin that handles
cn=compat tree.
This is documented in Windows Integration Guide, as I give you a link in
the other email.
--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
